Slashdot Mirror


Firefox 44 Arrives With Push Notifications (mozilla.org)

An anonymous reader writes: Mozilla today launched Firefox 44 for Windows, Mac, Linux, and Android. Notable additions to the browser include push notifications, the removal of RC4 encryption, and new powerful developer tools. Mozilla made three promises for push notifications: "1. To prevent cross-site correlations, every website receives a different, anonymous Web Push identifier for your browser. 2. To thwart eavesdropping, payloads are encrypted to a public / private keypair held only by your browser. 3. Firefox only connects to the Push Service if you have an active Web Push subscription. This could be to a website, or to a browser feature like Firefox Hello or Firefox Sync." Here are the full changelogs: Desktop and Android.

9 of 182 comments

  1. Great! by Motherfucking+Shit · · Score: 4, Insightful

    Who has a list of which configuration options I need to go into about:config and disable this time?

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:Great! by Somebody+Is+Using+My · · Score: 4, Insightful

      Just don't subscribe to anything -- every page requires you to grant it permission.

      No, it requires more than that. According to Mozilla themselves, "Firefox maintains an active connection to a push service in order to receive push messages as long as it is open." Supposedly the connection is encrypted and anonymized, but you'll have to take their word on it and anyway, it's another potentially-vulnerable service running in the background. So it's not just a matter of "don't subscribe and you'll be safe"; there needs to be a way to disable this service entirely.

      Oh wait... there is.

    2. Re:Great! by Anonymous Coward · · Score: 5, Insightful

      Find me evidence of unwanted behavior in Chrome.

      GoogleUpdate.exe

      Also the on by default "OK Google" eavesdropping, desktop notifications and search prediction crap.

    3. Re:Great! by jopsen · · Score: 5, Insightful

      but you'll have to take their word on it

      No, you can view the source... All of it... Both client and server side.

      https://github.com/mozilla-ser...
      If I'm not mistaken... There are a lot of Mozilla projects, but this one seems recent.

      there needs to be a way to disable this service entirely.

      At least look up about:config before complaining, it's right in there under "dom.push.enabled".

      But really, I don't see the point...

    4. Re:Great! by wonkey_monkey · · Score: 3, Insightful

      No, it requires more than that.

      More? Or do you mean less? It does require permission to establish a push connection, as far as I can tell.

      According to Mozilla themselves [mozilla.org], "Firefox maintains an active connection to a push service in order to receive push messages as long as it is open."

      "Firefox maintains..." - that particular quote says nothing about whether permission is required to establish such a connection in the first place.

      There's something a bit non-sequitur-ish about your first two sentences.

      --
      systemd is Roko's Basilisk.
  2. And stupidly enforced mandatory extension signing by Anonymous Coward · · Score: 3, Insightful

    This version is also the first to require signed extensions with no way to:
    1) Disable the signature check at all
    2) Use any signature other than Mozilla's
    3) Install an extension built and packaged by your distribution repository (unless Mozilla signs each build)
    4) Forcefully install an extension that you built yourself

    I don't understand why Mozilla gets away with this type of hidden DRM. At least in Secure Boot you could enroll your own signatures.

    Here, the only option you have is to switch to an unbranded fork of Firefox.

  3. The Description of this is Scary by cruff · · Score: 5, Insightful

    From the push notification link describing it:

    A website registers a Service Worker with the browser. Service Workers are small JavaScript programs with super powers like intercepting network requests or running even when their parent website is closed.

    What could possibly go wrong?

    1. Re:The Description of this is Scary by Anonymous Coward · · Score: 4, Insightful

      "or running even when their parent website is closed."

      This is all for ads and tracking you.

      Firefox is dead.

  4. Re:The next RSS by mbkennel · · Score: 4, Insightful

    And will be used for "One Weird Trick to a Titanic Penis" and "Firefox has detected a CRITICAL security problem. Click on _this link_ to eliminate the malware from your system"