Mozilla, Gecko Archive

Technical details on the recent Firefox add-on outage

Recently, Firefox had an incident in which most add-ons stopped working. This was due to an error on our end: we let one of the certificates used to sign add-ons expire which had the effect of disabling the vast majority of add-ons. Now that we’ve fixed the problem for most users and most people’s add-ons are restored, I wanted to walk through the details of what happened, why, and how we repaired it. An in-depth look at the cause and fixes for the devastating extensions bug that hit Firefox users over the weekend, written by Firefox CTO Eric Rescorla.

Due to expired certificate, all Firefox extensions disabled

Update: a partial fix has been shipped by Mozilla A few hours ago a security certificate that Mozilla used to sign Firefox add-ons expired. What this means is that every add-on signed by that certificate, which seems to be nearly all of them, will now be automatically disabled by Firefox as security measure. In simpler terms, Firefox doesn’t trust any add-ons right now. Basically, all your Firefox extensions will be disabled and won’t work until Mozilla fixes this embarrassing issue. Until they do, you can go to about:config and set xpinstall.signature.required to false. This is obviously a major security issue, so only change this flag if you know what you’re doing, and don’t forget to set it back to true once Mozilla fixes the issue.

The future of Firefox for Android

A recently published support document highlights Mozilla’s plans for the current Firefox for Android and also Fenix. Mozilla’s main idea is to maintain the legacy version of Firefox for Android until Fenix reaches migration readiness status. Firefox users on Android should be able to use the legacy version until Fenix is ready while Mozilla wants to minimize support costs. Fenix currently does not support extensions just yet, so I’ll be staying on the regular Firefox for Android until that has been addressed.

Google comes under fire for sabotaging other browsers once again

It’s no secret that Google Chrome is the world’s most popular browser, and while a lot of that might be owed to its quality, some believe that Google intentionally sabotaged competing browsers in order to grow in popularity. A former Mozilla executive has lashed out at the Mountain View company for repeatedly and continuously finding less-than-desirable ways to promote its own browser. Jonathan Nightingale posted a series of tweets over the weekend, detailing some of the events that took place between Google and Mozilla over the years. Nightingale starts by pointing out that Google typically played nice with Mozilla before Chrome was a thing, but things turned sour once Google’s browser launched. While the company kept trying to convince Mozilla that both organizations were on the same side, things would often break in Firefox for no real reason. This is really not that surprising. The only reason Google plays nice with Mozilla is the same reason Microsoft invested in Apple in the late ’90s and kept its products available on Mac OS despite the fact the Mac was basically dead: they need an antitrust lightning rod.

Introducing Firefox Send: free encrypted file transfers

At Mozilla, we are always committed to people’s security and privacy. It’s part of our long-standing Mozilla Manifesto. We are continually looking for new ways to fulfill that promise, whether it’s through the browser, apps or services. So, it felt natural to graduate one of our popular Test Pilot experiments, Firefox Send. Send is a free encrypted file transfer service that allows users to safely and simply share files from any browser. Additionally, Send will also be available as a an Android app in beta later this week. Now that it’s a keeper, we’ve made it even better, offering higher upload limits and greater control over the files you share. Neat feature, because sending files is still a messy and unpleasant experience. I trust Mozilla to do this right.

Firefox 66 to block automatically playing audible video and audio

We know that unsolicited volume can be a great source of distraction and frustration for users of the web. So we are making changes to how Firefox handles playing media with sound. We want to make sure web developers are aware of this new autoplay blocking feature in Firefox. Starting with the release of Firefox 66 for desktop and Firefox for Android, Firefox will block audible audio and video by default. We only allow a site to play audio or video aloud via the HTMLMediaElement API once a web page has had user interaction to initiate the audio, such as the user clicking on a “play” button. Good move, and long overdue. Autplaying video isn’t just a mere annoyance – it’s incredibly rude, obnoxious and desrespectful.

Microsoft guy: Mozilla should give up on Firefox and go with Chromium too

A Microsoft program manager has caused a stir on Twitter over the weekend by suggesting that Firefox-maker Mozilla should give up on its own rendering engine and move on with Chromium. “Thought: It’s time for @mozilla to get down from their philosophical ivory tower. The web is dominated by Chromium, if they really ‘cared’ about the web, they would be contributing instead of building a parallel universe that’s used by less than five percent?” wrote Kenneth Auchenberg, who builds web developer tools for Microsoft’s Visual Studio Code. This is such a rude and discourteous thing to say to a competitor – a competitor that has played a crucial role in bringing back competition to the browser market back when Internet Explorer 6 kept the web down like an anker. We need competition on the web.

Firefox 69 will have Flash disabled by default

According to Mozilla’s plugin roadmap, the firm planned to disable Flash by default in Firefox sometime this year. Now, a new bug filing has revealed that the plugin will be disabled as of Firefox 69 which is due for release on September 3, 2019. Mozilla will disable Flash beginning with the Nightly builds before it works its way down to the Stable channel. The disabling of Flash comes in anticipation of Adobe ending support for its Flash plugin at the end of 2020. Mozilla has said that it will completely remove Flash support for consumer versions of Firefox in early 2020, while the Extended Support Release (ESR) version will have support until the end of the year. In 2021, Mozilla has said that Firefox will refuse entirely to load the plugin due to a lack of security updates from Adobe. Aside from the occasional Flash-based online game, is Flash even a thing these days? Do any of you still use it on a regular basis?

Goodbye, EdgeHTML

Mozilla's response to Microsoft adopting Chromium.

Microsoft is officially giving up on an independent shared platform for the internet. By adopting Chromium, Microsoft hands over control of even more of online life to Google.

This may sound melodramatic, but it's not. The "browser engines" - Chromium from Google and Gecko Quantum from Mozilla - are "inside baseball" pieces of software that actually determine a great deal of what each of us can do online. They determine core capabilities such as which content we as consumers can see, how secure we are when we watch content, and how much control we have over what websites and services can do to us. Microsoft's decision gives Google more ability to single-handedly decide what possibilities are available to each one of us.

The question is now how long Firefox will be able to survive. The cold and harsh truth is that Firefox usage hasn't exactly been trending upwards, and with even Microsoft throwing its full weight behind Chromium, even more web developers won't even bother to test against anything other than Chromium and Apple's WebKit. How long can Mozilla and Firefox survive this reality?

Firefox Nightly now with experimental Wayland support

As of last nightly (20181115100051), Firefox now supports Wayland on Linux, thanks to the work from Martin Stransky and Jan Horak, mostly.

Before that, it was possible to build your own Firefox with Wayland support (and Fedora does it), but now the downloads from mozilla.org come with Wayland support out of the box for the first time.

The transition to Wayland seems to be taking its time, but with how big of an undertaking this is, that only makes sense.

Firefox removes core product support for RSS/Atom feeds

After considering the maintenance, performance and security costs of the feed preview and subscription features in Firefox, we've concluded that it is no longer sustainable to keep feed support in the core of the product. While we still believe in RSS and support the goals of open, interoperable formats on the Web, we strongly believe that the best way to meet the needs of RSS and its users is via WebExtensions.

With that in mind, we have decided to remove the built-in feed preview feature, subscription UI, and the "live bookmarks" support from the core of Firefox, now that improved replacements for those features are available via add-ons.

I would assume most RSS users already use more capable RSS readers and/or browser extensions, so it makes perfect sense for Firefox developers to remove this functionality from the browser so they no longer have to maintain it.

The effect of ad blocking on user engagement with the web

Web users are increasingly turning to ad blockers to avoid ads, which are often perceived as annoying or an invasion of privacy. While there has been significant research into the factors driving ad blocker adoption and the detrimental effect to ad publishers on the Web, the resulting effects of ad blocker usage on Web users’ browsing experience is not well understood. To approach this problem, we conduct a retrospective natural field experiment using Firefox browser usage data, with the goal of estimating the effect of adblocking on user engagement with the Web. We focus on new users who installed an ad blocker after a baseline observation period, to avoid comparing different populations. Their subsequent browser activity is compared against that of a control group, whose members do not use ad blockers, over a corresponding observation period, controlling for prior baseline usage. In order to estimate causal effects, we employ propensity score matching on a number of other features recorded during the baseline period. In the group that installed an ad blocker, we find significant increases in both active time spent in the browser (+28% over control) and the number of pages viewed (+15% over control), while seeing no change in the number of searches. Additionally, by reapplying the same methodology to other popular Firefox browser extensions, we show that these effects are specific to ad blockers. We conclude that ad blocking has a positive impact on user engagement with the Web, suggesting that any costs of using ad blockers to users' browsing experience are largely drowned out by the utility that they offer.

I, too, use ad blockers on all my browsers and devices - and I can safely say that if ad blockers didn't exist, I'd be spending a lot less time reading websites online. Note that this study was performed by Mozilla employees.

Firefox 62.0 released

Earlier today, Mozilla pushed Firefox 62 for desktop and Android. With the release, Mozilla has introduced an UI refresh for the new tabs page as well as several dialogs like for adding or editing a bookmark, several performance enhancements to speed up browsing, and some security enhancements.

The first change that users will notice is the refreshed new tab page; with Firefox 62 users can now display up to four rows of top sites, Pocket stories and highlights. Currently, you get one row of top sites, and depending on your location you may not even get shown Pocket stories. Another UI changes that you’ll notice is in the menu where you can toggle tracking protection on and off easily.

On the performance side of things, Windows users will now get improved graphics rendering without accelerated hardware using Parallel-Off-Main-Thread Painting. Additionally, support for CSS Shapes allows for richer web page layouts, and CSS Variable Fonts support allows the browser to render "beautiful typography" with a single font file.

I don't feel it makes any sense to highlight every browser release, but randomly picking a release to talk about here on OSNews only makes sense - especially for a loyal mainstay like Firefox.

Firefox: changing our approach to anti-tracking

Anyone who isn't an expert on the internet would be hard-pressed to explain how tracking on the internet actually works. Some of the negative effects of unchecked tracking are easy to notice, namely eerily-specific targeted advertising and a loss of performance on the web. However, many of the harms of unchecked data collection are completely opaque to users and experts alike, only to be revealed piecemeal by major data breaches. In the near future, Firefox will - by default - protect users by blocking tracking while also offering a clear set of controls to give our users more choice over what information they share with sites.

Firefox continues to do great work in this department.

Firefox experiments with recommended content

With the latest Firefox experiment, Advance, you can explore more of the web efficiently, with real-time recommendations based on your current page and your most recent web history.

With Advance we're taking you back to our Firefox roots and the experience that started everyone surfing the web. That time when the World Wide Web was uncharted territory and we could freely discover new topics and ideas online. The Internet was a different place.

I get what Mozilla is trying to do here, and they obviously have rightfully earned the trust of many over the years, but is this kind of functionality really something people who choose to use Firefox are looking for, or even tolerate? This seems like something that doesn't align with the average Firefox user at all.

Firefox is back – it’s time to give it a try.

Mozilla recently hit the reset button on Firefox. About two years ago, six Mozilla employees were huddled around a bonfire one night in Santa Cruz, Calif., when they began discussing the state of web browsers. Eventually, they concluded there was a "crisis of confidence" in the web.

"If they don't trust the web, they won't use the web," Mark Mayo, Mozilla's chief product officer, said in an interview. "That just felt to us like that actually might be the direction we're going. And so we started to think about tools and architectures and different approaches."

Now Firefox is back. Mozilla released a new version late last year, code-named Quantum. It is sleekly designed and fast; Mozilla said the revamped Firefox consumes less memory than the competition, meaning you can fire up lots of tabs and browsing will still feel buttery smooth.

Firefox is in a good place right now, and has gained a lot of momentum since the release of Quantum. With Chrome's dominance, I'm really glad people are looking at alternatives such as Firefox and even Edge (the latter being my browser of choice for some inexplicable reason).

Linux sandboxing improvements in Firefox 60

Continuing our past work, Firefox 60 brings further important improvements to security sandboxing on Linux, making it harder for attackers that find security bugs in the browser to escalate those into attacks against the rest of the system.

The most important change is that content processes - which render Web pages and execute JavaScript - are no longer allowed to directly connect to the Internet, or connect to most local services accessed with Unix-domain sockets (for example, PulseAudio).

This means that content processes have to follow any network access restrictions Firefox imposes - for example, if the browser has been set up to use a proxy server, connecting directly to the internet is no longer possible. But more important are the restrictions on connections to local services: they often assume that anything connecting to them has the full authority of the user running it, and either allow it to ask for arbitrary code to run, or aren't careful about preventing that. Normally that's not a security problem because the client could just run that code itself, but if it's a sandboxed Firefox process, that could have meant a sandbox escape.

Mozilla adds sponsored content to Firefox

Mozilla's Nate Weiner:

Content on the web is powerful. It enables us to learn new things, discover different perspectives, stay in touch with what's happening in the world, or just make us laugh. Making sure that stories like these - stories that are worth your time and attention - are discoverable and supported is central to what we care about at Pocket.

It's important for quality content like this to thrive - and a critical way it's funded is through advertising. But unfortunately, today, this advertising model is broken. It doesn't respect user privacy, it's not transparent, and it lacks control, all the while starting to move us toward low quality, clickbait content.

We believe the Internet can do better. So earlier this year, we started to explore a new model and showed an occasional sponsored story in Pocket's recommendation section on Firefox New Tab. Starting today, we're expanding this work further - now Firefox Nightly and Beta users may also see these sponsored stories. We're preparing for this feature to go fully live in May to Firefox users in the US with the Firefox 60 release.

Luckily, you can turn this off.

Firefox is on a slippery slope

For a long time, it was just setting the default search provider to Google in exchange for a beefy stipend. Later, paid links in your new tab page were added. Then, a proprietary service, Pocket, was bundled into the browser - not as an addon, but a hardcoded feature. In the past few days, we’ve discovered an advertisement in the form of browser extension was sideloaded into user browsers. Whoever is leading these decisions at Mozilla needs to be stopped.

Mozilla garnered a lot of fully deserved goodwill with the most recent Firefox release, and here they are, jeopardising all that hard work. People expect this kind of nonsense from Google, Apple, or Microsoft - not Mozilla. Is it unfair to judge Mozilla much more harshly than those others? Perhaps, but that's a consequence of appealing to more demanding users when it comes to privacy and open source.