Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Just what I wanted for xmas time, more bloat.

Just what I wanted for xmas time, more bloat.
 

Re:Just what I wanted for xmas time, more bloat.

[UPi]

This is the way the world is going right now. HTML5 and JavaScript have become the new, universal runtime that everyone is trying to use to build their applications. It is extremely compelling too: you don't need to worry about deployment, supporting older versions, operating systems, etc. This, however, requires browsers to do a lot more than they did before. Sound and video input is just the tip of it. There's also the canvas, WebGL, WebSocket, tons of new CSS features.

Firefox can either choose to keep up with new features or lose 90% of its share to Chrome. I'm actually happy they going forward because part of HTML5's appeal is that it is multi-vendor and is not solely controlled by a corporation like Google or Apple. Yes, it is "bloat", as in, lots of new features that you personally might not be using today. But someday you, or your friend will come across a site that uses one of these new features and if the site says "Sorry, you are using a backwards browser, please try Chrome instead", we both know what will happen. (You of course will scoff and close the site, but 10 other people will switch for every lean browser snob out there.)

Point is, browsers are evolving. Deal with it.

Re:Recommendation for a good browser?

[wisnoskij]

Firefox lost me at least 10 versions ago, or whatever.

So sometime last week then?

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

512-bit self-signed certs (e.g. DD-WRT)

Firefox 32 happily connects to DD-WRT's self-signed 512-bit cert.
Firefox 33 blocks DD-WRT's SSL cert, claiming "Secure Connection Failed" (Error code: sec_error_invalid_key), with no option to override.
Firefox 34 just lies and claims "The connection was interrupted". Like the fuck it was. It works *right now* in the other browser in my virtual machine, from the same PC. Even after restarting firefox, and even after restarting the machine.

Assholes got feedback that users need to access our HTTPS-encrypted DD-WRT, so they changed the message and claimed it was reset. This sounds like a case of "Let's just play the 'What problem? I don't have that problem on my machine. Oh, your connection was reset? That must be a problem with the device.' game"

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Jahta]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS. So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules. You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

IMO Firefox are doing this right. Having known good copies of the major root certs bundled with the browser is a strong defense against MITM attacks. I've worked in more than one organisation that was doing MITM on their staff's SSL sessions (unknown to the staff) by silently pushing "trusted" DIY certs to the workstations by policy. Chrome and IE swallowed this without complaint. Only Firefox complained that I didn't in fact have a secure session with, for example, google.com.

Re:video chat

[NotInHere]

I agree. As much as I'm a fan of WebRTC and despise the walled gardens of facebook, whatsapp, google hangouts and friends, I don't think firefox should add this to their browser. Rather they should publish their own chat program, either as separate addon or as separate program. As a browser, firefox should be a platform that enables higher-level programs to bring services to its users.

Re:video chat

[pavon]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re:V34.0.5?

[ArcadeMan]

Don't worry about it, next week you'll be running Firefox 35 anyway.

Re:Kiss my hairy Pale Moon, Mozilla!

[hairyfeet]

Comodo IceDragon, Kmeleon, Waterfox, Seamonkey, and that is if you want to stick with the gecko engine. If you don't care which engine you use there is Chromium, SWIron, Comodo Secure Chromium and Dragon, Opera, Safari,OffByOne, Chrome, I'm sure there are others I'm missing.

That is why i just don't understand those that rage because a browser goes to poo...we have options folks! Its not like the old days where you had Internet Exploiter and Nutscrape and if you didn't fit into one of those 2 molds? Fuck off, no soup for you! Today we are just swimming in choices, we can all have a browser that works OUR way so if you don't like the trainwreck that FF is becoming? Tell them so then move to and support one of the alternatives!

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).