Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Just what I wanted for xmas time, more bloat.

Just what I wanted for xmas time, more bloat.
 

Re:Just what I wanted for xmas time, more bloat.

[UPi]

This is the way the world is going right now. HTML5 and JavaScript have become the new, universal runtime that everyone is trying to use to build their applications. It is extremely compelling too: you don't need to worry about deployment, supporting older versions, operating systems, etc. This, however, requires browsers to do a lot more than they did before. Sound and video input is just the tip of it. There's also the canvas, WebGL, WebSocket, tons of new CSS features.

Firefox can either choose to keep up with new features or lose 90% of its share to Chrome. I'm actually happy they going forward because part of HTML5's appeal is that it is multi-vendor and is not solely controlled by a corporation like Google or Apple. Yes, it is "bloat", as in, lots of new features that you personally might not be using today. But someday you, or your friend will come across a site that uses one of these new features and if the site says "Sorry, you are using a backwards browser, please try Chrome instead", we both know what will happen. (You of course will scoff and close the site, but 10 other people will switch for every lean browser snob out there.)

Point is, browsers are evolving. Deal with it.

Re:Recommendation for a good browser?

[wisnoskij]

Firefox lost me at least 10 versions ago, or whatever.

So sometime last week then?

Re:Video chat??

[reub2000]

Firefox was supposed to be just a browser. Has Mozilla forgotten why Firefox was created in the first place?

Kiss my hairy Pale Moon, Mozilla!

[Tablizer]

"Pale Moon" is one possible alternative fork. Anybody want to recommend others?

Re:Kiss my hairy Pale Moon, Mozilla!

[hairyfeet]

Comodo IceDragon, Kmeleon, Waterfox, Seamonkey, and that is if you want to stick with the gecko engine. If you don't care which engine you use there is Chromium, SWIron, Comodo Secure Chromium and Dragon, Opera, Safari,OffByOne, Chrome, I'm sure there are others I'm missing.

That is why i just don't understand those that rage because a browser goes to poo...we have options folks! Its not like the old days where you had Internet Exploiter and Nutscrape and if you didn't fit into one of those 2 molds? Fuck off, no soup for you! Today we are just swimming in choices, we can all have a browser that works OUR way so if you don't like the trainwreck that FF is becoming? Tell them so then move to and support one of the alternatives!

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

Re:Recommendation for a good browser?

[plover]

The last version I want is V28. After that, their password sync system was changed in ways I no longer trust. NoScript, AdBlockPlus, Ghostery help keep me safe, and browsing fast; and there's no Google spyware. So it's still the best option.

512-bit self-signed certs (e.g. DD-WRT)

Firefox 32 happily connects to DD-WRT's self-signed 512-bit cert.
Firefox 33 blocks DD-WRT's SSL cert, claiming "Secure Connection Failed" (Error code: sec_error_invalid_key), with no option to override.
Firefox 34 just lies and claims "The connection was interrupted". Like the fuck it was. It works *right now* in the other browser in my virtual machine, from the same PC. Even after restarting firefox, and even after restarting the machine.

Assholes got feedback that users need to access our HTTPS-encrypted DD-WRT, so they changed the message and claimed it was reset. This sounds like a case of "Let's just play the 'What problem? I don't have that problem on my machine. Oh, your connection was reset? That must be a problem with the device.' game"

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Pope+Hagbard]

DD-WRT needs to fix their shit and generate a better SSL certificate, or you should quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor and use a wired connection with unencrypted HTTP to manage your router. I'm running Tomato Firmware with a self-signed 1024-bit cert (which is itself weak) over TLS 1.0 and Firefox 34 works just fine.

Mozilla's doing the Right Thing by blocking such a pathetically weak certificate.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Jahta]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS. So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules. You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

IMO Firefox are doing this right. Having known good copies of the major root certs bundled with the browser is a strong defense against MITM attacks. I've worked in more than one organisation that was doing MITM on their staff's SSL sessions (unknown to the staff) by silently pushing "trusted" DIY certs to the workstations by policy. Chrome and IE swallowed this without complaint. Only Firefox complained that I didn't in fact have a secure session with, for example, google.com.

Re:Video chat??

Right, Firefox (previously Firebird (previously Phoenix)) was a spin-off from the Mozilla suite which contained, among other things, a chat platform and other sundry cruft. The Phoenix (then Firebird (then Firefox)) people got fed up with the bloat and decided to make a fast and lean browser.

Come full circle, Firefox has. Now it's about time to fork a decent, lean browser off of Firefox...

capcha: mosaics -- maybe that's a sign of where the future lies

Re:video chat

[NotInHere]

I agree. As much as I'm a fan of WebRTC and despise the walled gardens of facebook, whatsapp, google hangouts and friends, I don't think firefox should add this to their browser. Rather they should publish their own chat program, either as separate addon or as separate program. As a browser, firefox should be a platform that enables higher-level programs to bring services to its users.

Re:video chat

[pavon]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re:V34.0.5?

[ArcadeMan]

Don't worry about it, next week you'll be running Firefox 35 anyway.

Re:video chat

[mod+prime]

It's both.

You can call anybody on the compatible browsers, but they can't call you unless they have Firefox 34.

Re:Yahoo Search?

[lister+king+of+smeg]

Speaking of what everyone wants, hoo-ray for the built-in video chat! They finally relented, after years of users clamoring for this necessary feature, to bundle it into their flagship product *even though* it meant they would have to postpone fixing some of the regressions that have come up recently.

Thanks Firefox. Thirefox.

A lot.

This (web video chat) is something that really should have been put in Thunderbird not Firefox, but unfortunately the powers that be at Mozilla seems to have decided that it should join SeaMonkey in being their neglected redhead step child, while they continue to throw shit into Firefox (which was meant to be the striped down powerful simple browser), or try to compete outside of their core competency focusing on projects like FirefoxOS, or Mozilla Marketplace, all the while trying to ape chromes interface.

Re:Yahoo Search?

The Firefox welcome page says
"We've partnered with Yahoo to bring you better search results".

It means that:
- internal testing showed that Yahoo results were better,
- the Firefox team cares more about the quality of search results than the bid money.

Re:Video chat??

[TheRaven64]

Even initial versions were actually more heavyweight and leaked more memory than mozilla suite

That's not quite what I remember. Phoenix (then Firebird, then Firefox) and Thunderbird (or whatever it was called back then) between them used more memory than the Mozilla suite, but Firefox was lighter than using the Mozilla suite and just the browser. The big appeal of separating the two was that the browser was a buggy piece of crap and every time it crashed it took out everything else sharing the XUL runtime, including the mail client (which then had to spend time recovering corrupted databases on next launch). With Firefox, only the browser crashed and restarted quite quickly. Given that the browser crashed at least once an hour back then, it was a bit advantage. No one cared about memory leaks, because the browser didn't stay up long enough for them to become apparent. It was only after they fixed the stability issues that people started noticing.

Re:Comodo's certificate extortion

[TheRaven64]

a self signed cert does *not* protect your connection from anything, unless the client already knows what to look for to ensure the cert they have is the cert you intended them to use

Yes it does, it protects you against passive adversaries. Compromising an SSL connection with a self-signed certificate requires an active adversary (i.e. one who will modify traffic, not just sniff it). This is still possible with a signed cert if you're sufficiently large as the trust model for SSL (in the absence of certificate transparency, which isn't yet widely deployed) means that if any registrar is compromised (e.g. the one owned by the Turkish intelligence agency that all major browsers trust) then they can sign certificates for any domain.

A self-signed cert that is silently accept it is much much worse than no SSL at all, because it allows the user to make assumptions about their use of the website which are absolutely not true

No, displaying a user interface element indicating the site is secure when it only has a self-signed certificate is worse than no SSL. Rendering self-signed SSL certs in exactly the same way as unencrypted connections (as I suggested) is better, because it allows people to roll out SSL cheaply and makes the world no worse, just raises the costs for interception.

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).