Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).