There Is No .bro In Brotli: Google/Mozilla Engineers Nix File Type As Offensive 748

theodp writes: Several weeks ago, Google launched Brotli, a new open source compression algorithm for the web. Since then, controversy broke out over the choice of 'bro' as the content encoding type. "We are hoping to establish a file ending .bro for brotli compressed files, a command line tool 'bro' for compressing and uncompressing brotli files, and a accept/content encoding type 'bro'," explained Google software engineer Jyrki Alakuijala. "Can I talk you out of it?," replied Mozilla SW engineer Patrick McManus. "'bro' has a gender problem, even though the dual meaning is unintentional. It comes of[f] misogynistic and unprofessional due to the world it lives in." Despite some pushback from commenters, a GitHub commit made by Google's Zoltan Szabadka shows that there will be no '.bro' in Brotli. "I have asked a feminist friend from the North American culture-sphere, and she advised against bro," explained Alakuijala. "We have found a compromise that satisfies us, so we don't need to discuss this further. Even if we don't understand why people are upset from our cultural standpoint, they would be (unnecessarily) upset and this is enough reason not to use it."

Firefox Support For NPAPI Plugins Ends Next Year ( 146

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

Mozilla Sets Out Its Proposed Principles For Content Blocking ( 317

Mark Wilson writes: With Apple embracing ad blocking and the likes of AdBlock Plus proving more popular than ever, content blocking is making the headlines at the moment. There are many sides to the debate about blocking ads — revenue for sites, privacy concerns for visitors, speeding up page loads times (Google even allows for the display of ads with its AMP Project), and so on — but there are no signs that it is going to go away. Getting in on the action, Mozilla has set out what it believes are some reasonable principles for content blocking that will benefit everyone involved. Three cornerstones have been devised with a view to ensuring that content providers and content consumers get a fair deal, and you can help to shape how they develop.

Mozilla Fixed a 14-Year-Old Bug In Firefox, Now Adblock Plus Uses Less Memory 410

An anonymous reader writes: Mozilla launched Firefox 41 yesterday. Today, Adblock Plus confirmed the update "massively improves" the memory usage of its Firefox add-on. This particular memory issue was brought up in May 2014 by Mozilla and by Adblock Plus. But one of the bugs that contributed to the problem was actually first reported on Bugzilla in April 2001 (bug 77999).

Benchmark Battle, September 2015: Chrome Vs. Firefox Vs. Edge 137

An anonymous reader writes: The next browser battle is upon us. Edge has been out for more than a month, and its two biggest competitors have received significant updates: Chrome 45 and Firefox 40. This article puts all three through their paces, and each manages to win a few tests. Edge convincingly won the JetSteam and SunSpider JavaScript benchmarks, while also eking out a victory in Google's Octane test. Chrome was victorious in Mozilla's Kraken benchmark for JavaScript performance, while also edging out Firefox in HTML5Test and the Oort Online WebGL test. Firefox won the WebXPRT test that combines HTML5 and JavaScript performance, and also the Peacekeeper test for general browser performance. There's no clear dominant browser for performance, and none of the three are obvious laggards, either. Browser competition seems to be in a good place right now.

Bugzilla Breached, Private Vulnerability Data Stolen 97

darthcamaro writes: Mozilla today publicly announced that secured areas of bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."

Browser Makers To End RC4 Support In Early 2016 40

msm1267 writes: Google, Microsoft and Mozilla today announced they've settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers. Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome and Internet Explorer 11 (and Microsoft Edge) respectively will also do so in the January-February timeframe. Attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.

Video Mozilla Project Working on Immersive Displays (Video) 47

Yes, it's 3-D, and works with the Firefox browser. But that's not all. The MozVR virtual reality system is not just for Firefox, and it can incorporate infrared and other sensors to give a more complete picture than can be derived from visible light alone. In theory, the user's (client) computer needs no special hardware beyond a decent GPU and an Oculus Rift headset. Everything else lives on a server.

Is this the future of consumer displays? Even if not, the development is fun to watch, which you can start doing at -- and if you're serious about learning about this project you may want to read our interview transcript in addition to watching the video, because the transcript contains additional information.

Mozilla, Microsoft, Amazon, Google, and Others Form 'Alliance For Open Media' 99

BrianFagioli tips news that Mozilla, Microsoft, Google, Cisco, Intel, Amazon, and Netflix are teaming up to create the Alliance for Open Media, "an open-source project that will develop next-generation media formats, codecs and technologies in the public interest." Several of these companies have been working on this problem alone: Mozilla started Daala, Google has VP9 and VP10, and Cisco just recently announced Thor. Amazon and Netflix, of course, are major suppliers of online video streaming, so they have a vested interested in royalty-free codecs. They're inviting others to join them — the more technology and patents they get on their side, the less likely they'll run into the issues that Microsoft's VC-1 and Google's VP8 struggled with. "The Alliance will operate under W3C patent rules and release code under an Apache 2.0 license. This means all Alliance participants are waiving royalties both for the codec implementation and for any patents on the codec itself."

Big Changes From Mozilla Mean Firefox Will Get Chrome Extensions 192

Mozilla announced yesterday a few high-level changes to the way Firefox and Firefox extensions will be developed; among them, the introduction of "a new extension API, called WebExtensions—largely compatible with the model used by Chrome and Opera—to make it easier to develop extensions across multiple browsers." (Liliputing has a nice breakdown of the changes.) ZDNet reports that at the same time, "Mozilla will be deprecating XPCOM and XUL, the foundations of its extension system, and many Firefox developers are ticked off at these moves."

Firefox Will Run Chrome Extensions 152

An anonymous reader writes: Today Mozilla announced some big changes to its extension support. Their new addon API, WebExtensions, is mostly compatible with the extension model used by Chrome and Opera. In short, this means we'll soon see cross-platform browser extensions. They say, "For some time we've heard from add-on developers that our APIs could be better documented and easier to use. In addition, we've noticed that many Firefox add-on developers also maintain a Chrome, Safari, or Opera extension with similar functionality. We would like add-on development to be more like Web development: the same code should run in multiple browsers according to behavior set by standards, with comprehensive documentation available from multiple vendors."

Multiple Vulnerabilities Exposed In Pocket 88

vivaoporto writes: Clint Ruoho reports on blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.

Mozilla Tests Improved Privacy Mode For Firefox 125

An anonymous reader writes: Firefox's privacy mode stops your computer from keeping track of where you've browsed, but it doesn't do anything about external tracking. A new feature just rolled out to the Developer Edition and the Aurora channel now actively tries to block online services from tracking you. "Our hypothesis is that when you open a Private Browsing window in Firefox you're sending a signal that you want more control over your privacy than current private browsing experiences actually provide." The feature uses a blocklist maintained by to stop you from navigating to sites known to log your personal data.

How to Quash Firefox's Silent Requests 294

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API . Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.

Firefox 40 Arrives With Windows 10 Support, Expanded Malware Protection 113

An anonymous reader writes: Mozilla today launched Firefox 40 for Windows, Mac, Linux, and Android. Notable additions to the browser include official Windows 10 support, added protection against unwanted software downloads, and new navigational gestures on Android. Firefox 40 for the desktop is available for download now on, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Changelogs are here: desktop and Android.

Mozilla Issues Fix For Firefox Zero-Day Bug 115

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

FirefoxOS-Based Matchstick Project Ends; All Money To Be Refunded 128

Kohenkatz writes: Matchstick, a project built on FirefoxOS that aimed to compete with Google's Chromecast, which was initially funded on Kickstarter, is shutting down and will be refunding all pledges. In a post to Kickstarter backers today, they announced that this decision was due to the difficulty of implementing the DRM components that are necessary for access to a lot of paid content. Rather than drag out the project on an unknown schedule, they have decided to end the project.

Mozilla CEO: Windows 10 Strips User Choice For Browsers and Other Software 371

puddingebola writes: Mozilla CEO Chris Beard has sent an open letter to Microsoft CEO Satya Nadella complaining about the default settings in Windows 10. Users who upgrade to 10 will have their default browser automatically changed to the new Edge browser. Beard said, "We appreciate that it’s still technically possible to preserve people’s previous settings and defaults, but the design of the whole upgrade experience and the default settings APIs have been changed to make this less obvious and more difficult. It now takes more than twice the number of mouse clicks, scrolling through content and some technical sophistication for people to reassert the choices they had previously made in earlier versions of Windows. It’s confusing, hard to navigate and easy to get lost. ... We strongly urge you to reconsider your business tactic here and again respect people’s right to choice and control of their online experience by making it easier, more obvious and intuitive for people to maintain the choices they have already made through the upgrade experience.

Firefox Will Soon Show You Which Tabs Are Making Noise, and Let You Mute Them 151

An anonymous reader writes: Mozilla is working on identifying Firefox tabs that are currently playing audio. The feature will show an icon if a tab is making sounds and let the user mute the playback. It's worth noting that while Chrome has had audio indicators for more than a year now, it still doesn't let you easily mute tabs. The option is available in Google's browser, but it's not enabled by default (you have to turn on the #enable-tab-audio-muting flag in chrome://flags/).

New Default: Mozilla Temporarily Disables Flash In Firefox 199

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in Action Script 3 while the other is in the BitMapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."