Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Just what I wanted for xmas time, more bloat.

Just what I wanted for xmas time, more bloat.
 

Re:Just what I wanted for xmas time, more bloat.

[UPi]

This is the way the world is going right now. HTML5 and JavaScript have become the new, universal runtime that everyone is trying to use to build their applications. It is extremely compelling too: you don't need to worry about deployment, supporting older versions, operating systems, etc. This, however, requires browsers to do a lot more than they did before. Sound and video input is just the tip of it. There's also the canvas, WebGL, WebSocket, tons of new CSS features.

Firefox can either choose to keep up with new features or lose 90% of its share to Chrome. I'm actually happy they going forward because part of HTML5's appeal is that it is multi-vendor and is not solely controlled by a corporation like Google or Apple. Yes, it is "bloat", as in, lots of new features that you personally might not be using today. But someday you, or your friend will come across a site that uses one of these new features and if the site says "Sorry, you are using a backwards browser, please try Chrome instead", we both know what will happen. (You of course will scoff and close the site, but 10 other people will switch for every lean browser snob out there.)

Point is, browsers are evolving. Deal with it.

video chat

[vux984]

video chat ? Where I send someone a web link? That's goofy.

And it doesn't work with Safari or Internet Explorer ... so most people won't even be able to click on the link, and it doensn't work with iOS devices... because no firefox and doesn't work with safari... so... useless? Why is this a core feature?

This should be an addon... that almost nobody uses instead of a feature that almost nobody uses.

At least as an addon, any security issues inherent to a feature that lets the browser turn on your camera and microphone aren't part of the browser.

I love firefox.. I really do, and the alternatives are all far more awful, so I don't see myself switching, but I just don't see the point of this at all.

Re:video chat

[NotInHere]

I agree. As much as I'm a fan of WebRTC and despise the walled gardens of facebook, whatsapp, google hangouts and friends, I don't think firefox should add this to their browser. Rather they should publish their own chat program, either as separate addon or as separate program. As a browser, firefox should be a platform that enables higher-level programs to bring services to its users.

Re:video chat

[pavon]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Re:video chat

[sexconker]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Not all proposed standards should be implemented.
This one shouldn't, nor should the DRM one, etc.

Re:video chat

[unrtst]

What I don't get are these two comments directly from the first article linked:

1. "Not only do you not have to sign up for a service, but you also don’t need the same software or hardware as the person you want to call, since WebRTC is compatible with Chrome and Opera browsers as well."

2. "... by sharing the generated callback link. To call you, they’ll naturally need Firefox 34."

So which is it? Something's wrong there.

As others have said, this should be an add-on. That said, I doubt it introduces much of any bloat when you're not using it (at least I really really hope it doesn't do anything at all unless you use it).

Re:video chat

[mod+prime]

It's both.

You can call anybody on the compatible browsers, but they can't call you unless they have Firefox 34.

Re:video chat

It is indeed WebRTC via TokBox [tokbox.com]. TokBox provides a nice wrapper over the core technology and some signaling services (the signaling portion of the connection is intentionally left out of the WebRTC spec).

Firefox is NOT the first browser to support WebRTC. Chrome has supported it for some time first in Beta now in release, same with Firefox. This is just a slick way to generate a link that can be sent to another Firefox or Chrome user to instantly start a video chat.

http://www.webrtc.org

Re:Yahoo Search?

Speaking of what everyone wants, hoo-ray for the built-in video chat! They finally relented, after years of users clamoring for this necessary feature, to bundle it into their flagship product *even though* it meant they would have to postpone fixing some of the regressions that have come up recently.

Thanks Firefox. Thirefox.

A lot.

Re:Recommendation for a good browser?

[wisnoskij]

Firefox lost me at least 10 versions ago, or whatever.

So sometime last week then?

Re:Video chat??

[reub2000]

Firefox was supposed to be just a browser. Has Mozilla forgotten why Firefox was created in the first place?

Kiss my hairy Pale Moon, Mozilla!

[Tablizer]

"Pale Moon" is one possible alternative fork. Anybody want to recommend others?

Re:Kiss my hairy Pale Moon, Mozilla!

[hairyfeet]

Comodo IceDragon, Kmeleon, Waterfox, Seamonkey, and that is if you want to stick with the gecko engine. If you don't care which engine you use there is Chromium, SWIron, Comodo Secure Chromium and Dragon, Opera, Safari,OffByOne, Chrome, I'm sure there are others I'm missing.

That is why i just don't understand those that rage because a browser goes to poo...we have options folks! Its not like the old days where you had Internet Exploiter and Nutscrape and if you didn't fit into one of those 2 molds? Fuck off, no soup for you! Today we are just swimming in choices, we can all have a browser that works OUR way so if you don't like the trainwreck that FF is becoming? Tell them so then move to and support one of the alternatives!

Re:Kiss my hairy Pale Moon, Mozilla!

[Richard_at_work]

I have to ask, why did you find solely using IE amusing? I have a Surface 2 RT, so I use IE a lot, and to be honest its no different to using Safari on IOS or whatever the default browser under the hood is on my Kindle. It works, it really just does. I don't give any thought to the fact that I'm using IE, and it doesn't cause any issues when browsing, so why so amusing?

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

Re:Recommendation for a good browser?

[plover]

The last version I want is V28. After that, their password sync system was changed in ways I no longer trust. NoScript, AdBlockPlus, Ghostery help keep me safe, and browsing fast; and there's no Google spyware. So it's still the best option.

512-bit self-signed certs (e.g. DD-WRT)

Firefox 32 happily connects to DD-WRT's self-signed 512-bit cert.
Firefox 33 blocks DD-WRT's SSL cert, claiming "Secure Connection Failed" (Error code: sec_error_invalid_key), with no option to override.
Firefox 34 just lies and claims "The connection was interrupted". Like the fuck it was. It works *right now* in the other browser in my virtual machine, from the same PC. Even after restarting firefox, and even after restarting the machine.

Assholes got feedback that users need to access our HTTPS-encrypted DD-WRT, so they changed the message and claimed it was reset. This sounds like a case of "Let's just play the 'What problem? I don't have that problem on my machine. Oh, your connection was reset? That must be a problem with the device.' game"

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Pope+Hagbard]

DD-WRT needs to fix their shit and generate a better SSL certificate, or you should quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor and use a wired connection with unencrypted HTTP to manage your router. I'm running Tomato Firmware with a self-signed 1024-bit cert (which is itself weak) over TLS 1.0 and Firefox 34 works just fine.

Mozilla's doing the Right Thing by blocking such a pathetically weak certificate.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Jahta]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS. So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules. You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

IMO Firefox are doing this right. Having known good copies of the major root certs bundled with the browser is a strong defense against MITM attacks. I've worked in more than one organisation that was doing MITM on their staff's SSL sessions (unknown to the staff) by silently pushing "trusted" DIY certs to the workstations by policy. Chrome and IE swallowed this without complaint. Only Firefox complained that I didn't in fact have a secure session with, for example, google.com.

Re:512-bit self-signed certs (e.g. DD-WRT)

[MobyDisk]

I gotta say while this is a double-edged sword, I like it. I use FF at work and when the IT department started a MITM attack and added their phony certs to everyone's machines, I was the only one to notice. Both because Firefox didn't pick-up the new certs, and because SSL observatory caught it. SSL observatory should be mandatory on every browser for this reason!

Re:Video chat??

Right, Firefox (previously Firebird (previously Phoenix)) was a spin-off from the Mozilla suite which contained, among other things, a chat platform and other sundry cruft. The Phoenix (then Firebird (then Firefox)) people got fed up with the bloat and decided to make a fast and lean browser.

Come full circle, Firefox has. Now it's about time to fork a decent, lean browser off of Firefox...

capcha: mosaics -- maybe that's a sign of where the future lies

Re:Recommendation for a good browser?

[Osgeld]

http://www.seamonkey-project.o...

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Unwanted video on top of Australis mess? I'm out.

[xeno]

Make that STILL out.

When the naval-gazing derpfest at FF rolled out that hideous chrome-knockoff "Australis" interface revamp in v29, I used the debian equivalent of the middle finger: sudo apt-mark hold firefox
to stem the tide of f**ck-the-user UI design, common features hidden behind weird hamburger buttons, and unreadably huge defaults.
WOW. MUCH HUGE. SO WHITESPACE IS THE NEW CAPSLOCK.

That gave a me a little time to explore options. With a little work, I can make Seamonkey usable, but I do lament the loss of an easy choice that IU can recommend to less geeky friends. IE is a lost cause even on my work machines and msft doesn't remotely give a shit about user feedback. Chrome's entire skeletal structure is made from IE spyware toolbars working together as a virtualized/rootkit OS. And Firefox's UI team has gone full "Grinch paradigm" [To quote the original: "Here's our new, wonderful product. Isn't it wonderful? Don't you just love it? What do you mean it doesn't do something essential that you've been able to do for years and you don't like it? You ingrate! You're GOING to like our new product! We're not going to fix it just because you and 100,000 whiny little dweebs claim to need those missing functions!" ]

Screw this. I'm gonna donate a little more money to the upstarts, because Firefox is lost.

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re:Recommendation for a good browser?

Chromium. It is Chrome, but missing all the Google spyware. Add on the extensions: Adblock Plus (most viruses come in through ads, also they're annoying), Disconnect (not ghostery - they help advertisers), HTTPS Everywhere (can't be too careful), ScriptSafe (NoScript in spirit on Chrome). Grab the 32-bit (the 64-bit seems unstable) version from woolyss, just keep in mind these are dev builds so expect bugs from time to time, and expect to have to go back to an older version sometimes so keep around your older installers: http://chromium.woolyss.com/

Re:Unwanted video on top of Australis mess? I'm ou

[norite]

I think he's referring to that ice cream sandwich (That's what I call it) icon that is the settings...the three horizontal lines thing that the UX retards have replaced the wrench or gear icon with.

Re:V34.0.5?

[ArcadeMan]

Don't worry about it, next week you'll be running Firefox 35 anyway.

Re:Video chat??

[CanadianMacFan]

Well, the Phoenix name could be used again and be symbolic as well.

Re:V34.0.5?

[CanadianMacFan]

And there will be something for virtual reality tossed in.

Re:Yahoo Search?

[lister+king+of+smeg]

Speaking of what everyone wants, hoo-ray for the built-in video chat! They finally relented, after years of users clamoring for this necessary feature, to bundle it into their flagship product *even though* it meant they would have to postpone fixing some of the regressions that have come up recently.

Thanks Firefox. Thirefox.

A lot.

This (web video chat) is something that really should have been put in Thunderbird not Firefox, but unfortunately the powers that be at Mozilla seems to have decided that it should join SeaMonkey in being their neglected redhead step child, while they continue to throw shit into Firefox (which was meant to be the striped down powerful simple browser), or try to compete outside of their core competency focusing on projects like FirefoxOS, or Mozilla Marketplace, all the while trying to ape chromes interface.

Re:Video chat??

[savuporo]

And "web" should have stopped at HTML 4.01 ? What an odd number to pick.

People don't realize that this battle will not ever end. What exactly is "just a browser" supposed to do these days ? Javascript, flash, webgl, java applets ? WebSockets ? Maybe rewind the clock and go back to nonstandard video as well .. RealVideo .

So now firefox went and officially made WebRTC an actual visible thing, it is immediately bloat. How are the other half assed standard(ish) web tech crammed in over the years not bloat ?

This is a continuous evolution of web as a platform. You either try and stay at the forefront and be part of shaping the platform, or stay in the stone age - i bet IE can still run VBScript with some defaults. Maybe they still have Gopher client built in too.

Is it too much to ask

[rossdee]

Is it too much to ask that when updating an existing installation, it leaves all the current settings alone ?

OK now I set the default search back to Google, what else do I have to do.

BTW I don't have (or want) a webcam connected to my PC

Re:Yahoo Search?

The Firefox welcome page says
"We've partnered with Yahoo to bring you better search results".

It means that:
- internal testing showed that Yahoo results were better,
- the Firefox team cares more about the quality of search results than the bid money.

Re:Comodo's certificate extortion

[TheRaven64]

No. A self-signed SSL certificate is no worse than no SSL. The correct thing for browsers to do when encountering a self-signed SSL certificate is accept it silently, but not display any of the UI elements indicating that the site is secure (and to have a prominent red {insecure} label for every site that doesn't have the padlock). A self-signed cert protects your connection from passive adversaries and, as we have learned recently, that's a very important threat model to care about. Making it appear to users that a self-signed SSL cert is less secure than an unencrypted connection is not helpful.

Re:Video chat??

[TheRaven64]

Even initial versions were actually more heavyweight and leaked more memory than mozilla suite

That's not quite what I remember. Phoenix (then Firebird, then Firefox) and Thunderbird (or whatever it was called back then) between them used more memory than the Mozilla suite, but Firefox was lighter than using the Mozilla suite and just the browser. The big appeal of separating the two was that the browser was a buggy piece of crap and every time it crashed it took out everything else sharing the XUL runtime, including the mail client (which then had to spend time recovering corrupted databases on next launch). With Firefox, only the browser crashed and restarted quite quickly. Given that the browser crashed at least once an hour back then, it was a bit advantage. No one cared about memory leaks, because the browser didn't stay up long enough for them to become apparent. It was only after they fixed the stability issues that people started noticing.

Re:Comodo's certificate extortion

[TheRaven64]

a self signed cert does *not* protect your connection from anything, unless the client already knows what to look for to ensure the cert they have is the cert you intended them to use

Yes it does, it protects you against passive adversaries. Compromising an SSL connection with a self-signed certificate requires an active adversary (i.e. one who will modify traffic, not just sniff it). This is still possible with a signed cert if you're sufficiently large as the trust model for SSL (in the absence of certificate transparency, which isn't yet widely deployed) means that if any registrar is compromised (e.g. the one owned by the Turkish intelligence agency that all major browsers trust) then they can sign certificates for any domain.

A self-signed cert that is silently accept it is much much worse than no SSL at all, because it allows the user to make assumptions about their use of the website which are absolutely not true

No, displaying a user interface element indicating the site is secure when it only has a self-signed certificate is worse than no SSL. Rendering self-signed SSL certs in exactly the same way as unencrypted connections (as I suggested) is better, because it allows people to roll out SSL cheaply and makes the world no worse, just raises the costs for interception.

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).

Not on by default

[eneville]

Mozilla are throttling the chat feature.

To enable, go to about:config, and set loop.throttled to false. Otherwise there is a one in ten chance of having the feature. Currently I think the servers are struggling. It's a new feature and as such needs to bed in whilst capacity is judged.

HTH.

Re:Yahoo Search?

[master_kaos]

Yes if Yahoo results were so much better, everyone would be using them/bing.
They forgot the most import bullet point though
- Yahoo paid us the most

Re:Yahoo Search?

[Zontar+The+Mindless]

My big peeve (other than unannounced un-revertable UI changes) is... uh, wait.

My big peeve (other than unannounced un-revertable UI changes and breaking extensions with every release)... oops, let me start again

My big peeve (other than unannounced un-revertable UI changes, breaking extensions with every release, and mothballing Sunbird) is...

Aw, crap. Now I forget. :)

Re:Yahoo Search?

[Zontar+The+Mindless]

The Firefox welcome page says
"We've partnered with Yahoo to bring you better search results".

It means that:
- internal testing showed that Yahoo results were better,
- the Firefox team cares more about the quality of search results than the bid money.

Please mod parent Funny.

Self-signed != domain-validated

[tepples]

There are five tiers:

1. Clear HTTP
   This works with no interstitial in all browsers.
2. HTTPS with a self-signed certificate
   This shows the "unknown issuer" interstitial in most major browsers and the "struck-out https" in Chrome.
3. HTTPS with a certificate from a trusted CA, naming a domain
   This shows "This website does not supply ownership information" and "Organization: <Not part of certificate>" in Firefox's Page Info > Security and shows the "legitimate business" interstitial in Comodo Dragon.
4. HTTPS with a certificate from a trusted CA, naming an organization as the owner
   This shows the business's trading name in in Firefox's Page Info > Security and skips the interstitial in Comodo Dragon.
5. HTTPS with an extended validation certificate from a trusted extended validation CA
   This shows the business's trading name and address and triggers the green address bar.

You appear to have confused tier 2 (self-signed) with tier 3 (CA-signed, domain-validated). A certificate that triggers the "legitimate business" warning is not a self-signed certificate. It is a certificate issued by a certificate authority trusted by the browser. For example, Starfield is a CA known to several browsers. A certificate for "slashdot.org" with no organization issued by Starfield would trigger "legitimate business" interstitial, but a certificate for "slashdot.org" with organization "Dice Holdings" issued by the same CA would skip it. Self-signed certificates are a completely separate issue.