Forcing HTTPS Is Being Discussed

Subject: General Tech | April 14, 2015 - 08:08 PM |
Tagged: mozilla, http, https, firefox

On the Mozilla Dev-Platform Newsgroup, hosted at Google Groups, a proposal to deprecate insecure HTTP is being discussed. The idea is that HTTPS needs to be adopted and organizations will not do it without being pushed. The plan is to get browser vendors to refuse activating new features, and eventually disable old features, unless the site is loaded as a “privileged context”.


This has sparked a debate, which was the whole point of course, about how secure we want the Web to be. What features should we retroactively disable unless it is done through HTTPS? Things that access your webcam and microphone? Things that write to your hard drive? Then there is the question of how to handle self-signed certificates to get encryption without verification, and so forth.

Note: Websites cannot access or create files on your hard drive, but standards like localStorage and IndexedDB allow websites to have their own spaces for persistence. This is to allow, for instance, a 3D game to cache textures (and so forth) so you don't need to download them every time.

Personally, this concerns me greatly. I started helping Mozilla a couple of years ago, a few weeks after I saw Microsoft's Windows 8 developer certification program. I do not like the thought of someone being able to stifle creation and expression, and the web was looking like it might be the last bastion of unrestricted development for the general public.

In the original Windows Store requirements, no browser could exist unless it was a skin of Trident. This meant that, if a site didn't work in Internet Explorer, it didn't exist. If you didn't want to play by their rules? Your app didn't get signed and your developer certificate could even be revoked by Microsoft, or someone with authority over them. You could imagine the problems an LGBT-focused developer might have in certain countries, even if Microsoft likes their creations.

This is obviously not as bad as that. In the Windows Store case, there was one authority whereas HTTPS can be authenticated by numerous providers. Also, if self-signed certificates are deemed “secure enough”, it would likely avoid the problem. You would not need to ask one of a list of authorities permission to exist; you could secure the connection yourself. Of course, that is a barrier of skill for many, and that is its own concern.

So we'll see, but I hope that Mozilla will take these concerns as a top priority in their decisions.

Source: Mozilla

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security, in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP does carry with it a lot of extra bandwidth usage, and while maintaining a time-limited local cache, referred to as stapling, would ameliorate this, your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution: maintaining a list of revoked certificates, ironically called OneCRL, which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration or to familiarize yourself with these concepts if the acronyms are unfamiliar.


"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."


Source: Slashdot

Mozilla Partners with Yahoo! for Five Year Search Deal

Subject: General Tech | November 20, 2014 - 10:10 PM |
Tagged: yahoo, mozilla, google, firefox

Mozilla, developer of the Firefox web browser, has been mostly funded by Google for the last decade. Between 2005 and 2011, the search giant slowly ramped up its contributions from around $50 million USD for a single year to just over $100 million for the last year. All of this money was to keep the default search engine set to Google for the location and search bar. At that time, journalists were voicing their concerns that Mozilla would be cut off after the success Google saw with their Chrome browser.


In December 2011, Google and Mozilla surprised the world with a different announcement: $300 million per year until November 2014, or almost three times their previous annual contributions. I could not help but feel it was like a light bulb that flares before it extinguishes, although later rumors claimed that Microsoft and Yahoo drove up Google's bid with high counter-offers. Of course, that deal ends this month and Google is no longer the winning bid, if they even proposed a deal at all.

This time, Yahoo won for the next five years (in the US) with a currently undisclosed sum. Yandex will be the default for Russia, and Baidu has been renewed as the default in China.

Yahoo also committed to supporting the Do Not Track (DNT) header for Firefox browsers. If your settings have DNT enabled, the search engine will adjust its behavior to acknowledge your request for privacy. One thing that has not been mentioned is how they will react to your request. This could be anything from treating you as completely anonymous, to personalizing your search results but not your ads, to personalizing your ads but not your search results, to only looking at the geographic location of your IP address, and so forth.

The search experience is not what you will get by going to the Yahoo homepage today; the new site was developed in collaboration with Mozilla and will launch for Firefox users in December. It will go live for every other Yahoo user in 2015.

Source: Mozilla

Mozilla Approves Plans for 64-Bit Firefox on Windows

Subject: General Tech | October 6, 2014 - 03:45 AM |
Tagged: windows, mozilla, firefox, 64-bit

If you had a reason, Mozilla has been compiling Firefox Nightly as a 64-bit application for Windows over the last several months. It is not a build that is designed for the general public; in fact, I believe it is basically only available to make sure that they did not horribly break anything during some arbitrary commit. That might change relatively soon, though.


According to Mozilla's "internal", albeit completely public wiki, the non-profit organization is currently planning to release an official, 64-bit version of Firefox 37. Of course, all targets in Firefox are flexible and, ultimately, it is only done when it is done. If everything goes to schedule, that should be March 31st.

The main advantage is for high-performance applications (although there are some arguments for security, too). One example is if you open numerous tabs, to get Firefox's memory usage up, then attempt to load a Web application like BananaBread. Last I tried, it will simply not load (unless you clean up memory usage somehow, like restarting the browser). It will run out of memory and just give up. You can see how this would be difficult for higher-end games, video editing utilities, and so forth. This will not be the case when 64-bit comes around.

If you are looking to develop a web app, be sure to check out the 64-bit Firefox Nightly builds. Unless plans change, it looks like you will have even more customers soon. This is unless, of course, you are targeting Mac OS X and Linux, which already have 64-bit binaries available. Also, why are you targeting specific operating systems with a website?

Source: Mozilla

Intex Cloud Fx Is a $35 Firefox OS Phone (not for USA)

Subject: General Tech, Mobile | September 13, 2014 - 10:12 PM |
Tagged: mozilla, intex, Firefox OS, firefox, cloud fx

If you were on a mission to make the cheapest possible mobile phone, you would probably not do much better than Intex Cloud Fx. Running Firefox OS, it will cost users about $35 to purchase it outright. Its goal is to bring the internet to places which would otherwise have nothing.


I believe the largest concession made by this phone is its RAM -- 128 MB. Yes, I had a computer with 32 MB of RAM and it browsed the internet just fine (on Netscape Navigator 2 through 4). I also had a computer before that (which was too slow to run Windows 3.1 but hey it had a turbo button). This is also the amount of RAM on the first and second generation iPod Touches. Nowadays, it is very little. Ars Technica allegedly made it crash by scrolling too fast and attempting to run benchmarks on it. This leads into its other, major compromise: its wireless connectivity. It does not support 3G. EDGE is the best that you will get.

Other than those two points: it has a 1 GHz Spreadtrum SoC, 46MB of storage, a 2MP camera, and a 1250mAh battery. You do get WiFi, Bluetooth, and a microSD card slot. It also supports two SIM cards if necessary.

Again, at $35, this is not designed for America or Western Europe. This is for the areas of the world that will probably not experience the internet at all unless it is through a mobile phone. For people in India and Asia, it is about the lowest barrier to entry of the internet that is possible. You can also check out phones from other partners of Mozilla.

Source: Ars Technica

Firefox Developer Tools Can Debug Non-Mozilla Browsers

Subject: General Tech | September 11, 2014 - 04:22 PM |
Tagged: firefox, mozilla, web browser, web development

Well, this is an interesting feature. Mozilla, like all browser vendors, has been constantly enhancing their web development tools. They are quite impressive, allowing anyone to debug any page, including WebGL shader replacement, audio network manipulation, and injecting JavaScript, HTML, and CSS at run time. Firefox OS and Firefox for Android developers were even able to remotely connect to a desktop Firefox browser as if it were an IDE (which it really is these days). Today, Mozilla announced (via their Hacks blog) early support for remote debugging Safari on iOS and Google Chrome on Android.

The currently supported tools are: "Inspector", which allows searching, modifying, and injecting HTML and CSS; "Debugger", which debugs and injects JavaScript; and "Console", which displays console output from the open tab and executes individual JavaScript statements (which can be multi-line with shift + enter). You cannot, for instance, modify individual draw calls on a running 3D game, like you can with the same tools when manipulating a Firefox tab, but this is still pretty impressive for cross-vendor.

Remote Debugging for Safari on iOS and Chrome on Android is available in early development on Firefox Nightly with an optional extension.

Source: Mozilla

Firefox 29 Launches with Australis Interface and Gamepad

Subject: General Tech | April 30, 2014 - 03:52 AM |
Tagged: mozilla, gamepad, firefox

After three years' reign, the orange Firefox button has been retired by Mozilla. Firefox 29 introduces the new Australis interface, with its curved tabs and a simple menu button comprised of three horizontal lines (the "Hamburger Icon"). The interface missed its targets a few times but is finally here.


Obviously, Australis makes the browser look more like Google Chrome (and less like Opera). Users of Mozilla's Thunderbird will also find it more familiar as that program skipped Firefox 4's direction and immediately adopted parts of Australis as they developed. Thunderbird still lacks a few bits and pieces, its development having slowed since its transition to Extended Support. But this is not about Thunderbird -- it is about Firefox.

In terms of actual features, Australis brings a new Bookmarks button, which is basically two buttons, and is pretty slick to both add and access links to favorite web addresses. The little star-dropping animation is a subtle hint to the user that a bookmark has been added to the list, accessed by the right-most button. Many users will be upset by the removal of the Add-on Bar, a place where extensions can leave a button or two without clogging the rest of the interface. Mozilla seems to expect that extensions, if they absolutely must leave a button, will cram it next to the gigantic location bar (or less-gigantic search bar); that, or affected users will just install an Add-on Bar extension.

Also in Firefox 29 is the finalized, and enabled by default, Gamepad API. With it, web games can be controlled with devices such as the Xbox 360 controller. If you want to see a geeky example, one is available at html5gamepad.com. This website lists every compatible game input device and their current state. In my testing, Firefox 29 was able to detect both my Xbox 360 controller and my Thrustmaster T-16000M joystick -- and register their inputs independently.

There's not really anything, from the technical side of things at least, to prevent split-screen gaming in the browser. Detecting the input devices did not even require restarting the browser, although that is a good troubleshooting step, as Firefox detected it immediately after I plugged it in and pressed a button. The flight stick, probably because it has never been attached to this instance of Windows before, required the good old unplug and replug of its USB cord after Windows "Add New Hardware" finished in order to register input. It is not perfect, but still pretty good.

Firefox 29 launched in the middle of the night on Tuesday, April 29th. It is free and, if Firefox is set to automatically update, you probably already have it. If not? Get it.

Source: Mozilla

Need another reason to upgrade from WinXP? You might be stuck with IE

Subject: General Tech | October 29, 2013 - 12:27 PM |
Tagged: winxp, firefox, chrome, browser

With 160 days remaining until the current official support expiration for WinXP, unless you are willing to pay for the privilege of getting critical updates, there is only a little time left in which third party providers need to continue support for the aging OS. Two of the most noticeable of these will be Firefox and Chrome, both of which will be discontinuing development for their browsers on WinXP. Their older versions will still work but will slowly succumb to more and more security vulnerabilities as they are discovered but not patched for WinXP. This may not be the straw that breaks XP's back, but recall that YouTube abandoning IE6 support was one of the driving forces behind the decline of that browser. Slashdot comments for your entertainment here.

An update to this information does show that you have a while to go before this is a major concern, as Firefox does not have a specific date in mind and Chrome is extending development for a few years yet. You should still really consider upgrading to Win7 in the near future.


"While Windows XP is still going strong the sun is rapidly setting on this old platform fast. Firefox plans to end support for XP which means no security fixes or improvements. Chrome is being discontinued a little later as well for Windows XP. Windows XP has its die-hard users refusing to upgrade as they prefer the operating system or feel there is no need to change."


Source: Slashdot

Firefox 23 Shipped. Nice Icon. Nice Icon. Nice Icon. Nice Icon.

Subject: General Tech | August 7, 2013 - 03:47 AM |
Tagged: firefox, mozilla

The hottest version of Firefox, for the next 6 weeks, was just released to the world and much discussion came with it. This version, most controversially, removed the <blink> element. What a terrible destruction of HTML history. How can web developers ever make fun of old VCRs? Resort to... CSS?

Pardon me, I think I am going to be sick. Oh wait, that's just not-epilepsy.


Also removed was the preference to disable JavaScript. Fear not, users will still be able to modify the setting by diving into about:config. Interested users will actually need to, because this change will revert the setting to the default "on" position if users had previously disabled it. I assume this was a user experience decision for users who temporarily disabled JavaScript right before updating Firefox; users tech savvy enough to want JavaScript off will know to dive into the settings registry.

Or just, you know, install NoScript or something.


While we are talking about... about:... about:memory (hmm, this sentence reminds me of <blink>) has been given a slight graphical overhaul. The controls are now on the top of the report which allows users to know they exist without scrolling all the way down. These buttons have some legitimate use for many users: they can now manually force Firefox to clean up its memory footprint.


Web Developers also have a few new tools to play with including, but not limited to, tracing network traffic to and from their site. This was already possible with various console configurations but not nearly as aesthetically pleasing or even usable. If your element has very big horizontal bars, it takes a long time to load and is a good candidate to optimize first.

In all, Mozilla seems to be very productive with the number of improvements in just six weeks of development time. The next release is expected to leave Beta Channel on, or near, September 17.

Source: Mozilla

Unreal Engine 3 compiled to asm.js

Subject: Editorial, Mobile | May 7, 2013 - 12:07 AM |
Tagged: unreal engine, firefox, asm.js

Over the weekend we published a post which detailed JavaScript advancements to position the web browser as a respectable replacement for native code. Asm.js allows for C-like languages to be compiled into easily optimized script that is executed at near-native performance on asm.js-aware browsers but is still functional as plain JavaScript otherwise. If you wish to see a presentation about asm.js and compiling native code into web code, check out an online slideshow from Alon Zakai of Mozilla.

If, on the other hand, you wish to see an example of a large application compiled for the browser: would Unreal Engine 3 suffice?


Clearly a computer hardware website would take the effort required to run a few benchmarks, and we do not disappoint. Epic Citadel was run in its benchmark mode in Firefox 20.0.1, Firefox 22.0a2, and Google Chrome; true, it was not run for long on Chrome before the tab crashed, but you cannot blame me for trying.

Each benchmark was run at full-screen 1080p "High Performance" settings on a PC with a Core i7 3770, a GeForce GTX 670, and more available RAM than the browser could possibly even allocate. The usual Firefox framerate limit was removed; they were the only tab open on the same fresh profile; the setting layout.frame_rate.precise was tested in both positions because I cannot keep up with what the state of requestAnimationFrame callback delay is; and each scenario was performed twice and averaged.

Firefox 20.0.1

  • layout.frame_rate.precise true: 54.7 FPS
  • layout.frame_rate.precise false: 53.2 FPS

Firefox 22.0a2 (asm.js)

  • layout.frame_rate.precise true: 147.05 FPS
  • layout.frame_rate.precise false: 144.8 FPS

Google Chrome 26.0.1410.64

  • Crashy-crashy

For Unreal Engine 3 compiled into JavaScript we notice an almost 3-fold improvement in average framerate with asm.js and the few other tweaks to rendering, JavaScript, and WebGL performance between Firefox 20 and 22. I would say that is pretty enticing for developers who are considering compiling into web standards.

It is also very enticing for Epic as well. A little over a month ago, Mark Rein and Tim Sweeney of Epic were interviewed by Gamasutra about HTML5 support for Unreal Engine. Due in part to the removal of UnrealScript in favor of game code being scripted in C++, Unreal Engine 4 will support HTML5. They are working with Mozilla to make the browser a reasonable competitor to consoles; write once, run on Mac, Windows, Linux, or anywhere compatible browsers can be found. Those familiar with my past editorials know this excites me greatly.

So what do our readers think? Comment away!