Slashdot Mirror
Firefox 48 Released With Multi-Process Support, Mandatory Add-On Signing (softpedia.com)
Mozilla on Tuesday released Firefox v48, touted as one of the most important updates the browser has ever received. With the new version, Firefox starts migrating users to using mullti-process threads (e10s, Electrolysis), and it is also the first version to ship with Rust component. In addition, Firefox is now also making add-on signing mandatory. From a Softpedia article: Announced last year, Electrolysis, e10s, or multi-process support is Firefox's ability to process core browser operations separately from the content viewed on a Web page. Multi-process support allows a page to crash without bringing the entire browser down with it and improves the browser's overall performance. e10s rollout will take place in two phases, first in Firefox 48, and it will finish in Firefox 49, set for release on September 13, 2016. Mandatory add-on signing refers to Firefox preventing users from installing any add-ons that have not been approved by Mozilla's testers. This is something similar to what Chrome employs, but Firefox users have been spoiled all these years, always having the capability of installing any add-on they've desired. Rust is a programming language that's a revamped and improved version of C++ but that protects developers from accidentally including dangerous memory bugs in their code. It achieves this by how the language was constructed and by how developers write the code.
accidentally including dangerous memory bugs in their code
Good, now I can be assured that all of my dangerous memory bugs in my code are intentional.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I've been on Nightly for awhile now and the performance with e10s is now almost as good as Chrome's. Firefox Hello is thankfully going to get axed in a future release, and if Mozilla continues to fine-tune the performance a bit more and rips out Pocket, I think Firefox will be back on top.
I was about to rush and grab it until...
"Firefox is now also making add-on signing mandatory"
Firefox has about 10% market share (several studies collected here), which is hundreds of millions of people.
Can we please stop posting about minor, useless OSS software releases? It's not like anyone uses this piece of shit anymore.
Really? Wow and here I thought I was using Firefox to type this. Thanks for letting me know that I'm not really using the browser I think I am.
Because the UI twits pushing Firefox won't be satisfied until Firefox is more like Chrome than Chrome itself.
Nothing says "Innovation!" like "Do everything Google does!"
I was kind of excited by this so updated immediately instead of my usual process of waiting a couple days.
While it was updating I did another unsual thing - clicked through to the article - where I read the following:
That's probably going to drop a bit it they break all the add-ons.
(Again...)
No sig today...
Firefox users have been spoiled all these years, always having the capability of installing any add-on they've desired.
Yes how pampered a life I've led in my fantasy-land where the computer performs in accordance with my instruction. oh i was a fool to think personal computing would remain my own personal fucking shangri-la. Thank god Mozilla has come to the rescue and spirited me away from this dubotcherous land of sodom called personal computing. But hey, you know, whatever it takes for your corporate masters to reign in ad blocking, cookie whitelisting, and script blocking. I just cant wait to watch another taylor swift autoplay video.
Good people go to bed earlier.
"mandatory add-on signing refers to Firefox preventing users from installing any add-ons that have not been approved by mozilla's testers. ... firefox users have been spoiled all these years, always having the capability of installing any add-on they've desired."
of course doing what we "desire" should not be allowed.
stay within the plantation and obey the rules, that way nothing gets broken or get crashed (hopefully). and nobody gets "spoiled", god forbid!
we, the user children, should not be 'spoiled" by allowing us to make mistakes, by too much freedom to do what we 'desire'.
be calm, be correct, be at peace, ... as in "rest in peace"? in mozilla's politically correct heaven.
That's probably going to drop a bit it they break all the add-ons.
(Again...)
My interpretation of Mozilla's plans is that they plan to gradually deprecate XUL in order to give time for developers to keep their extensions working with every version of Firefox. So it's not as if they're all going to break overnight. Some will break and won't get fixed if they're not maintained, but that happens on every platform.
Firefox has been extremely unstable for us for at least the last year. Finally putting a process behind each tab is an important step, certainly, but its one they should have implemented 2+ years ago. I also really wish Mozilla would stop with all the useless bells and whistles that nobody uses and instead focus on stabilizing the code they have.
My recommendation... switch to chrome. It's a much better browser.
-Matt
The largest problem with mandatory signing is that you must send your source-code to mozilla to be signed and they do not (and really, can not) guarantee that it won't leak out to someone else. So if you have an in-house developed extension that contains proprietary business information, you must choose between getting it signed or running versions of firefox that do not receive regular security updates and do not have signature checking for any extensions at all, so are basically the worst of both worlds. They could avoid this problem with one level of abstraction, you sign your own extension then they sign that signature. They could even automate it so the extra layer of indirection is invisible to anyone who is OK with sending their source to mozilla for signing.
But even that's brittle in the face of unexpected circumstances. Which is the fundamental problem with the "everything not explicitly allowed is forbidden" security models. They have their place, but they do take the "general" out of "general computing." Unforeseen consequences and all that.
The correct solution would be to have a signature checking config setting stored somewhere that is writeable only by an administrator account. All the major OSes have that kind of ability.
The firefox executable is also admin writeable, so if someone were inclined they could run a binary patcher to hack out the signature checking in the binary itself. Might as well just put it in a config setting with the equivalent permissions. Save us all the trouble of having different builds.
I'd even go one step further and make it a list of extensions that don't need a valid signature so you don't give up the benefits of signature checking for all the other extensions just because you want to run one unsigned extension.
Splitting Firefox's tab data over into the "plugin container for Firefox" hasn't done much to improve Firefox's GUI performance. Once FF hits certain ram limits, it will start ignoring mouse clicks and keyboard shortcuts. So while FF may claim its NOT unresponsive, I think the fact that now it's acceptable for FF to IGNORE hardware input from the user, instead of delaying it until it can process is far worse.
I can't wait to get off this sinking ship. Maybe Piro could crowdfund Tree Style Tab for Chrome.
Not satisfied with alienating the general public, Mozilla, who are hell-bent on losing all market share, have now successfully alienated their remaining userbase: enterprise users, with this:
"Mandatory add-on signing refers to Firefox preventing users from installing any add-ons that have not been approved by Mozilla's testers."
They will no longer have to listen to the userbase complaining about the many memory leaks and race conditions in Firefox because they have finally gotten rid of the annoying users.
Seriously folks.. do you really expect proprietary extensions used by various companies to be signed and submitted to the Mozilla repository? No, I don't think so. Many of us use Firefox not for its performance (it sucks), its compliance to standards (again, it sucks), but for its extensibility. Now that you have made it inflexible as well as slow, bloated, and crappy, what userbase are you now targeting?
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
For those of us who keep a *lot* of tabs open in multiple windows, this is a serious problem CPU--wise. I have three monitors, a 30" and two 27s, and I have about twenty Firefox windows open at once, each typically with a half dozen tabs. This has worked beautifully in terms of Firefox being generally constrained to one core, which is perfect. Chrome, in the same scenario, thanks to horrible JavaScript abuse, generally because a system-wide problem as soon as the number of tabs approaches the number of CPU cores. Chrome's approach is unscalable crap, with one browser soon hogging 99% of the CPU time on the computer as a whole.
Firefox's legacy approach works *so* well that I can open several - one for normal browsing, one entirely separate one (separate profile) for security-sensitive sites, a third with special addons just for videos, and one for work. This leaves 4 cores at between 25% and 90% usage, and 4 more for everything else. With Chrome, my computer would be an unusable boat anchor at this point.
If Electrolsys works even remotely like Chrome's approach, I, and users like me, are screwed unless we can turn it off.
or maybe a dinosaur using a Fleshlight?
"This is something similar to what Chrome employs, but Firefox users have been spoiled all these years, always having the capability of installing any add-on they've desired"
That is my PC, the software I downloaded I pretty damn add any add on I want. Feel free to suppress bug report when an unauthorized add on is added. But barring me to add any addon I want ? Fuck you , you are as bad as microsoft.
Chrome 1.0 and IE 8 are happy you can have security in lowrights mode in appdata and can use more than 1 core wahoo
http://saveie6.com/
You want to hand all the browser control to corporate conglomerates?
That being said, I'll wait for a few months for the kinks to be worked out. I'll let others be guinea pigs. Hopefully no security holes are found in version 47.
What if add-ons don't sign? Can we still "force" them in?
Table-ized A.I.
What if add-ons don't sign? Can we still "force" them in?
See here: https://wiki.mozilla.org/Add-o...
They could avoid this problem with one level of abstraction, you sign your own extension then they sign that signature.
Mozilla won't blindly countersign extensions because it wants to avoid a situation where you sign an extension and then distribute it to the public without Mozilla having a chance to check it for the most obvious malicious patterns.
The correct solution would be to have a signature checking config setting stored somewhere that is writeable only by an administrator account.
Firefox ESR releases have such a setting. Firefox current lacks this setting because Mozilla wants to avoid a situation where it becomes common to social-engineer users into elevating to change this setting. Home users are more likely to use Firefox current, but they're also less likely to need an in-house private extension. Home users who make their own extensions can use Firefox Developer Edition.
Look, the grammer chekker addon already broken
Table-ized A.I.
Three showstoppers:
1) I have a bunch of old extensions that are not signed. Things like FLST, OpenNewWindowFromHere, and others. I'm not much interested in losing that functionality.
2) I sometimes like to edit extensions with, you know, emacs or something. Things like FLST, where I like the tab flip behavior but not the focus last selected tab itself, which the developer didn't provide a way to turn off while keeping tab flipping.
3) Some extensions have code that can't be given to Mozilla for verification because the code is proprietary.
I'm fine with signing to be enabled by default. I'm not fine with not having a workaround for that. I want to decide for myself what gates I want closed.
That's no big thing. When will we get an OS where a page crash doesn't bring the whole system down?
“He’s not deformed, he’s just drunk!”
Checking for the most common patterns just means people will find less common patterns. It isn't hard to avoid with trivial obfuscation.
Obfuscation kicks an extension into the manual review queue.
Mozilla is not capable of hand-inspecting add-ons to that level of certainty, they either automate signatures or they take way too long.
Mozilla automates signatures for easy cases and admits to "tak[ing] way too long" for hard cases.
Someone that naive can be social-engineered into running a binary patcher too.
There exist both branded builds and unbranded builds. Unbranded builds allow use of unsigned extensions but lack the Firefox name and logo. This gives Mozilla a hook to sue the distributor of such a binary patcher for trademark infringement.
Make it warn at every startup before the add-on is initialized that they are using a questionable add-on.
Or provide a separate way to install unsigned extensions in such a way that they're automatically uninstalled when Firefox is restarted. This appears to be the current policy, implemented through about:debugging.
Firefox takes forever to start loading and check plugin compatibility before I even get a homepage display before I can surf the internet. It's at least 20 seconds now.
So fix the startup speed on 2GHz processor with 2 GIG memory on windows XP SP3.
FF has not been listening to the user for a long time. You can just use a fork. There are a few out there.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Is this shit still there?
Another q. - will I have trouble with getting noscript there? Or java - I still use java for some corporation tools.Come to think of it I recall ff flat refused to cooperate with my old router web page based on ciphers - has this been fixed?
What if add-ons don't sign? Can we still "force" them in?
For the regular builds, no.
The developer build and the "unbranded" builds will let you, for now. This too will go away at some point.
Note that the "unbranded" builds are auto updating to the regular Firefox builds, so if you use one of those you need to disable automatic updates. It's a "bug".
So what do you use? Edge?
Are you sure you aren't thinking about: https://en.wikipedia.org/wiki/Underhanded_C_Contest
Alternately, you can grab the add-on and push it to the add-ons server for signing yourself -- it's all automated. The point of signing is that it allows Mozilla to shut off malicious add-ons when they arise. As mentioned elsewhere, all add-ons hosted on Mozilla's servers have already been signed, so you'd only have to do this if you found some unmaintained add-on lying around elsewhere on the web. To be honest, that sounds kind of fishy, so I'd proceed with caution.
You want to hand all the browser control to corporate conglomerates?
Social justice zealots aren't any better, IMO.
It's still scrolls choppy regardless of my configuration and even after it finished loading. for the first time opening up web pages it takes ages. I have no add-on's installed which includes no flash player. Sorry, but chrome is still very fast and responsive compared to ie and firefox.
So what do you use? Edge?
Lol, "Edge", also known as The Little Browser That Couldn't.
Couldn't load slashdot or yahoo or any moderately complex page without choking and then helpfully informing you that "Edge has stopped and is restarting". Only to crash AGAIN, and again, and again. But who needs a browser that understands CSS, Javascript, or those new-fangled "image" thingys, right?
Just cruising through this digital world at 33 1/3 rpm...
The ioccc is merely unreadable, it makes code really stand out. Instead, you want Underhanded C where code must be clear, appear good and pass code review.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Look, the grammer chekker addon already broken
Well, at least the spell checker seems ok, unlike in whatever browser you are using. Actually, you seem to have misplaced an is in your post as well, so apparently your grammar checker is broken as well. Sucks to be you, I guess.
It would be nice if Firefox allowed extensions signed by trusted certs, rather than just their own. The infrastructure is already there for certs uses for TLS.
Since they didn't do that:
> So if you have an in-house developed extension that contains proprietary business information, you must choose between getting it signed or running versions of firefox that do not receive regular security updates
A third option is to separate your proprietary logic algorithms from the user interface. Firefox is one UI. Your magic logic is ALREADY a seperate component if your development standards are at all secure, so it should be straightforward to run that proprietary logic in a separate process. The extension can communicate with the logic via SOAP or anybof several other methods.
Mozilla's spent so long trying to get memory use under control then decide to go multi-process. Multi-process works so well for Chrome, e.g. the #Slack desktop application is basically a glorified chat client running on Chrome and it uses a measly 1.3GB of RAM.
Heads up, FF 48 has removed the browser.urlbar.unifiedcomplete setting. This setting was introduced in Firefox 43 to disable the annoying Unified Complete system introduced in that build. Unified Complete is what causes the first drop-down result to be "Visit/Search With [domain]" rather than the most relevant result, as was the default before Firefox 43.
Since the preference has been removed entirely, there is no current way to get this behavior back. It would need to be fixed by an extension.
"How to Use Quotation Marks" by Mignon Fogarty states: "in British English periods and commas can go inside or outside (kind of like the American rules for question marks and exclamation points)." I write in American English with two exceptions that I can think of: periods and commas interact with quotation marks in the British manner, and dates are in international form (yyyy-mm-dd). I've chosen to mix select aspects of one national style into another where I find it justifiable, and if that's inherently wrong, Oxford University Press must also be wrong for using -ize in otherwise British English publications.
While what you say is true on some level - a compromised process can dick with your system, including other processes, just fine - you're missing the point of having a multi-process browser for security. The vast majority of what a browser does requires almost no access to the rest of the computer. You can have one container process that runs with user privileges and implements the few things the browser needs to be able to do to the system at large (save downloaded files, etc.) in a very secure manner, and is also responsible for launching sandboxed, low-privilege sub-processes that do the dangerous work of a browser (parsing web server responses, running plugins, executing javascript, etc.). If these sandboxed processes are compromised, the attacker can still fuck with your browser... but they can't get out into the rest of your system.
This is how Chrome and IE have worked for years (though Chrome's sandbox is a lot tighter than IE's). It's not just about stability/reliability, there's also a very real element of security here. Chrome's sandboxed render processes are so underprivileged that there's practically nothing a compromised one can do (to the rest of the computer) except try to attack its full-user-privilege container / broker process (through the IPC channels that let it do things like say "Please ask the user where they want to save this downloaded file"), but that is a very small attack surface compared to most of what a browser does, and the trusted process can have that attack surface very well-hardened.
There's no place I could be, since I've found Serenity...
The plan is actually to drop extensions completely. They're also adding support for what are roughly Greasemonkey scripts, but those aren't going to be anywhere near as capable as extensions are.
If your extension can be ported to a content script easily, then great, but otherwise you're screwed and won't even be allowed to keep your extension working.
I used to get a news live bookmark, Latest Headlines.
Once I got the update my BBC news feed no longer works.
I tried opening youtube videos, got 4 running simultaneously before things bogged down. It had trouble with two before the update. I also don't have the multiprocess windows working, even with switching browser.tabs.remote to true. Add on conflict
So it seems to be faster on my mac, but live bookmarks don't work I guess. It would be nice if it could better use multicore CPU like render programs.
Nobody cares if it is any faster it is fine. People want secure network surfing with un-trackable features.
Put the time spoofing back into it, it's been gone since 45.
The post is a bit misleading, if you use extensions, multi-process support will be disabled. Here is a quote from a Mozilla developer:
There's a difference?
If you really want in a browser provide a PLUGIN to.
Mobile browsers don't support plug-ins. Desktop browsers require a separate plug-in for each (browser, operating system) pair. Chrome uses PPAPI, Firefox uses NPAPI, and IE uses (used?) ActiveX. If you use a different browser or a different operating system from that used by the plug-in developer, you will miss out on the use of this plug-in. Besides, this sort of thinking led to the security hole we call Flash Player.
So what do you use? Edge?
They probably use Netscape Navigator 4.7.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
If you are still using Windows (any version) I suggest you never install a Firefox newer than 44.0.2.
I also suggest you don't actually use an installed version, just use a portable version.
BOOKMARK THESE:
https://sourceforge.net/projects/portableapps/files/
https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./
https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./Mozilla%20Firefox%2C%20Portable%20Edition%2044.0.2/
They are the repository for older versions from portableapps.com
Your best bet is to use an older version of Vidalia and configure your portable firefox to run through Vidalia (TOR). There are guides to change the proxy settings in Firefox, it is very easy. You run it through socks 5, using remote DNS.
The reason being that versions after 44.0.2, Firefox broke the ability to spoof time. Time logging is the default tracking mechanism for the US government when all else fails.
Better than that is just to not use Windows. You can easily use a live DVD of BlackArch Linux from distrowatch.com to surf on TOR for example.
Below is for using a Live DVD of Blackarch:
You just burn it to DVD or USB and boot it raw or in a Virtualbox VM. For BlackArch in VirtualBox just check the box for Live CD. It is very fast. When you boot up, log in as root, password blackarch. Open Firefox, configure the proxy settings to use 9050 and socks 5 with remote DNS. Then do an ifconfig all, see the interface, ifconfig up enxxx .. then dhcpcd ... and your Firefox will run through TOR. I forget not looking at it the Vidalia port is 9051 or 9050 in the current version. It is one of them. If you can't connect just change that.
Continue to harden with noscript addon, and adblock plus addon. Remove all checkboxes in noscript under ABE and under XSS remove all default permissions. Tinker with it, it's fast and it is merely a live CD in a VM. Your IP will be that of whatever TOR exit it finds. You can simply close the VM and everything is gone, no changes to your machine. Next time you boot the VM it will be everything default again. (No persistence by default)
You should also like to exclude some nodes like all of USA for example. In your .vidalia/torrc add these two lines
StrictNodes 1
ExcludeNodes {us}
There is much more you can harden, like removing all of the pre-fetch and hovering in Firefox.
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
All of this bullshit about turning new Firefox into an application that does-all and whatnot... Firefox is like because it does browsing well. Don't lose the basics that people want for the sake of bullshit and tracking that the US government wants.
Just this past weekend I tried using Firefox again. Three days later, the update broke everything. Google may spy on me, but at least I can actually use my browser as a browser...
The plan is actually to drop extensions completely.
This is blatantly false. Either back up your statements with citations (which you can't) or stop spreading FUD.
I'm going to the casino. Don't gamble.
The Sarcasm Detector is also broken.
Table-ized A.I.