Firefox

Mozilla Stops FTP Support in Firefox 90 (mozilla.org) 152

A post on Mozilla's security blog calls FTP "by now one of the oldest protocols still in use" — and it's suffering from "a number of serious security issues." The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol.

Aligning with our intent to deprecate non-secure HTTP and increase the percentage of secure connections, we, as well as other major web browsers, decided to discontinue support of the FTP protocol. Removing FTP brings us closer to a fully-secure web which is on a path to becoming HTTPS only and any modern automated upgrading mechanisms such as HSTS or also Firefox's HTTPS-Only Mode, which automatically upgrade any connection to become secure and encrypted do not apply to FTP.

The FTP protocol itself has been disabled by default since version 88 and now the time has come to end an era and discontinue the support for this outdated and insecure protocol — Firefox 90 will no longer support the FTP protocol.

The Internet

A Privacy War is Raging Within the World Wide Web Consortium (protocol.com) 51

Inside the World Wide Web Consortium, where the world's top engineers battle over the future of your data. From a report: One of the web's geekiest corners, the W3C is a mostly-online community where the people who operate the internet -- website publishers, browser companies, ad tech firms, privacy advocates, academics and others -- come together to hash out how the plumbing of the web works. It's where top developers from companies like Google pitch proposals for new technical standards, the rest of the community fine-tunes them and, if all goes well, the consortium ends up writing the rules that ensure websites are secure and that they work no matter which browser you're using or where you're using it. The W3C's members do it all by consensus in public GitHub forums and open Zoom meetings with meticulously documented meeting minutes, creating a rare archive on the internet of conversations between some of the world's most secretive companies as they collaborate on new rules for the web in plain sight.

But lately, that spirit of collaboration has been under intense strain as the W3C has become a key battleground in the war over web privacy. Over the last year, far from the notice of the average consumer or lawmaker, the people who actually make the web run have converged on this niche community of engineers to wrangle over what privacy really means, how the web can be more private in practice and how much power tech giants should have to unilaterally enact this change. On one side are engineers who build browsers at Apple, Google, Mozilla, Brave and Microsoft. These companies are frequent competitors that have come to embrace web privacy on drastically different timelines. But they've all heard the call of both global regulators and their own users, and are turning to the W3C to develop new privacy-protective standards to replace the tracking techniques businesses have long relied on. On the other side are companies that use cross-site tracking for things like website optimization and advertising, and are fighting for their industry's very survival. That includes small firms like Rosewell's, but also giants of the industry, like Facebook.

Firefox

Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore (theverge.com) 32

Firefox 90 introduces the next version of SmartBlock, the browser's tracker blocking mechanism built into its private browsing and strict modes, which now has improvements designed to prevent buttons that let you log into websites using your Facebook account from breaking, Mozilla announced on Tuesday. From a report: SmartBlock was first introduced with Firefox 87 in March, and if you aren't familiar, here's Mozilla's description of how it works, from the company's blog: "SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy. SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact." Sometimes, though, the feature would break Facebook login buttons. In a new blog post, Mozilla's Tom Wisniewski and Arthur Edelstein explain why this would happen, using an example of trying to log in to Etsy.
Firefox

Firefox Extends Privacy and Security of Canadian Internet Users With By-default DNS-over-HTTPS Rollout in Canada (mozilla.org) 108

In a few weeks, Firefox will start the by-default rollout of DNS over HTTPS (or DoH for short) to its Canadian users in partnership with local DoH provider CIRA, the Canadian Internet Registration Authority. From a report: DoH will first become a default for 1% of Canadian Firefox users on July 20 and will gradually reach 100% of Canadian Firefox users in late September 2021 -- thereby further increasing their security and privacy online. This follows the by-default rollout of DoH to US users in February 2020. As part of the rollout, CIRA joins Mozilla's Trusted Recursive Resolver (TRR) Program and becomes the first internet registration authority and the first Canadian organization to provide Canadian Firefox users with private and secure encrypted Domain Name System (DNS) services.
Youtube

YouTube's Recommender AI Still a Horror Show, Finds Major Crowdsourced Study (techcrunch.com) 81

An anonymous reader shares a report: For years YouTube's video-recommending algorithm has stood accused of fuelling a grab bag of societal ills by feeding users an AI-amplified diet of hate speech, political extremism and/or conspiracy junk/disinformation for the profiteering motive of trying to keep billions of eyeballs stuck to its ad inventory. And while YouTube's tech giant parent Google has, sporadically, responded to negative publicity flaring up around the algorithm's antisocial recommendations -- announcing a few policy tweaks or limiting/purging the odd hateful account -- it's not clear how far the platform's penchant for promoting horribly unhealthy clickbait has actually been rebooted. The suspicion remains nowhere near far enough.

New research published today by Mozilla backs that notion up, suggesting YouTube's AI continues to puff up piles of "bottom-feeding"/low-grade/divisive/disinforming content -- stuff that tries to grab eyeballs by triggering people's sense of outrage, sowing division/polarization or spreading baseless/harmful disinformation -- which in turn implies that YouTube's problem with recommending terrible stuff is indeed systemic; a side effect of the platform's rapacious appetite to harvest views to serve ads. That YouTube's AI is still -- per Mozilla's study -- behaving so badly also suggests Google has been pretty successful at fuzzing criticism with superficial claims of reform. The mainstay of its deflective success here is likely the primary protection mechanism of keeping the recommender engine's algorithmic workings (and associated data) hidden from public view and external oversight -- via the convenient shield of "commercial secrecy." But regulation that could help crack open proprietary AI blackboxes is now on the cards -- at least in Europe.

Chrome

Google Is Working On an HTTPS-Only Mode For Chrome (therecord.media) 65

An anonymous reader writes: Following in the footsteps of browsers like Mozilla Firefox and Microsoft Edge, Google Chrome is also in line to receive an HTTPS-Only Mode that will upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible.

Currently, the new Chrome HTTPS-Only Mode is still under development in Chrome Canary distributions. Work is being done to add specific settings in the browser's interface, and no actual HTTP-to-HTTPS functionality is currently present. The feature is expected to be ready for Chrome 93, set to be released later this fall.

Mozilla

Mozilla's Rally Will Share Your Data With Scientists Instead of Advertisers (engadget.com) 40

An anonymous reader shares a report: By this point in the internet's history, most of us have come to terms with the fact that accessing the web involves giving up information about ourselves every time we visit a website. Mozilla thinks we can do better, and so it's launching Rally, a data-sharing platform and plugin the company claims is the first-of-its-kind in the browser space. With Rally, Mozilla says it hopes to make a case for an equitable market for data, "one where every party is treated fairly" and "where people understand the value of their data." In practice, Rally will allow you to share your browsing data with computer scientists and sociologists studying the web. Out of the gate, there'll be a single study from Princeton University that seeks to understand how people find, consume and share news about politics and COVID-19. At some point later, Beyond the Paywall from Stanford University will examine the economics needed for a more sustainable news landscape.
Firefox

Firefox Begins Testing Sponsors on Some Users' Default Home Page/New Tab Pages (mozilla.org) 134

Earlier this year a new support page appeared at support.Mozilla.org describing sponsored shortcuts (or sponsored tiles), "an experimental feature currently being tested by a small percentage of Firefox users in a limited number of markets." Mozilla works with advertising partners to place sponsored tiles on the Firefox default home page (or New Tab page) that would be useful to Firefox users. Mozilla is paid when users click on sponsored tiles.... [W]e only work with advertising partners that meet our privacy standards for Firefox.

When you click on a sponsored tile, Firefox sends anonymized technical data to our partner through a Mozilla-owned proxy service. The code for this proxy service is available on GitHub for interested technical audiences. This data does not include any personally identifying information and is only shared when you click on a Sponsored shortcut....

You can disable a specific Sponsored tile... You can also disable Sponsored shortcuts altogether.

Describing the as-yet-experimental feature, Engadget wrote a story headlined "Don't freak out: Firefox is testing advertisements in new tabs." These are just the tests, still mainly aimed at fresh installs of the Firefox web browser and always to beta users, before the rollout of sponsored tiles.

It does sound like adverts are in the pipe, but it depends on the reaction to Mozilla's initial tests. Mozilla's Jonathan Nightingale says that, last time around, the reaction wasn't as positive as his company hoped. "It didn't go over well," he states. Further, he insists that Firefox won't become "a mess of logos sold to the highest bidder; without user control, without user benefit."

Long-time Slashdot reader angryargus says they spotted the feature when they noticed an Ebay advertisement, but appreciated the ability to opt out, and suggested the feature is "an annoying tradeoff of using a browser that's not as directly funded by a search engine."
Mozilla

Mozilla Launches Ideas Platform To Improve Communication With Its Userbase (ghacks.net) 80

AmiMoJo writes: Mozilla Ideas is a new platform by Firefox-maker Mozilla to improve communication with the Firefox userbase. At its core, Ideas works similarly to Uservoice and other services of its kind. Firefox users and developers may post new content on the platform, and everyone else may comment and vote on the idea. Users may access the latest, top voted, most discussed or even random topics on the Ideas platform. Current ideas include re-adding the compact interface option, improving the master password protection, or providing a higher contrast default theme.
The Internet

Apple, Mozilla, Google, Microsoft Form Group To Standardize Browser Plug-Ins (appleinsider.com) 57

An anonymous reader quotes a report from AppleInsider: The new WebExtensions Community Group will try to forge a common architecture for future web extensions, and is inviting developers to join the effort. The new group, shortened WECG, consists of members from each of the major browser developers. Member chairs are held by Timothy Hatcher of Apple and Simeon Vincent of Google. Current participants include employees from Apple, Mozilla, and Microsoft.

The WebExtensions Community Group has two goals: Make extension creation easier for developers by specifying a consistent model and common core of functionality, APIs, and permissions; and Outline an architecture that enhances performance and is even more secure and resistant to abuse. The group doesn't want to specify every aspect of the web extensions platform or stifle innovation. Each browser vendor will continue to operate independently with their own policies. Developers and browser vendors interested in contributing to the group can join via the W3C website. The WECG has a dedicated GitHub repository with the community charter and work.

Firefox

Firefox 89 Arrives With Controversial Proton Interface (neowin.net) 194

Mozilla's Firefox 89 releases to the general public today complete with the new Proton interface which simplifies the browser's menus and alters the tabs bar beyond anything we've seen from previous Firefox releases or other web browsers. From a report: This update also improves macOS integration and includes further privacy enhancements. The first thing that people will notice in this update is the Proton interface, the browser chrome and toolbar have been simplified so that redundant and less frequently used features have been removed, menus have been altered so that the most used features are prominent and visual noise has been reduced.

Proton also updates prompts so they have a cleaner appearance and unnecessary alerts and messages have been removed. The attached tabs have also been supplanted by floating tabs; Mozilla says the rounded design of the active tab "signals the ability to easily move the tab as needed." While almost everyone will support cleaner menus, the new tabs are drawing the ire of some who are not pleased with the radical departure from the traditional look and feel of tabs.

Software

One Startup's Quest to Take on Chrome and Reinvent the Web Browser (protocol.com) 101

"The web browser is a crucial part of modern life, and yet it hasn't really been revised since the '90s," writes Protocol. "That may be about to change." The browser tab is an underrated thing. Most people think of them only when there are too many, when their computer once again buckles under Chrome's weight. Even the developers who build the tabs — the engineers and designers working on Chrome, Firefox, Brave and the rest — haven't done much to them. The internet has evolved in massive, earth-shaking ways over the last two decades, but tabs haven't really changed since they became a browser feature in the mid '90s.

Josh Miller, however, has big plans for browser tabs. Miller is the CEO of a new startup called The Browser Company, and he wants to change the way people think about browsers altogether. He sees browsers as operating systems, and likes to wonder aloud what "iOS for the web" might look like. What if your browser could build you a personalized news feed because it knows the sites you go to? What if every web app felt like a native app, and the browser itself was just the app launcher? What if you could drag a file from one tab to another, and it just worked? What if the web browser was a shareable, synced, multiplayer experience? It would be nothing like the simple, passive windows to the web that browsers are now. Which is exactly the goal.

The Browser Company (which everyone on the team just calls Browser) is one of a number of startups that are rethinking every part of the browser stack. Mighty has built a version of Chrome that runs on powerful server hardware and streams the browser itself over the web. Brave is building support for decentralized protocols like IPFS, and experimenting with using cryptocurrencies as a new business model for publishers. Synth is building a new bookmarks system that acts more like a web-wide inbox. Sidekick offers a vertical app launcher and makes tabs easier to organize. "A change is coming," said Mozilla CEO Mitchell Baker. "The question is just the time frame, and what's actually required to make it happen."

They have lots of different ideas, but they share a belief that the browser can, and should, be more than it is. "We don't need a new web browser," Miller said. "We need a new successor to the web browser."

While he was at the White House, Chief Digital Officer (and Miller's boss) Jason Goldman said something Miller couldn't forget. "Platforms have all the leverage," is how Miller remembers it. "And if you care about the future of the internet, or the way we use our computers, or want to improve any of the things that are broken about technology ... you can't really just build an application. Platforms, whether it's iOS or Windows or Android or Mac OS, that's where all the control is."

EU

EU Guidelines Target Tech Giants Over Monetising Disinformation (financialpost.com) 37

New stricter European Union guidelines will push Facebook, Google and other big tech companies to commit not to make money from advertising linked to disinformation. From a report: The European Commission said on Wednesday that its strengthened non-binding guidelines, which confirmed a May 19 Reuters report, set out a robust monitoring framework and clear performance indicators for firms to comply with. Concerns about the impact of disinformation have intensified during the COVID-19 pandemic and after claims about election fraud in the United States, with some critics pointing to the role of social media and tech giants in spreading it.

"Disinformation cannot remain a source of revenue. We need to see stronger commitments by online platforms, the entire advertising ecosystem and networks of fact-checkers," EU industry chief Thierry Breton said in a statement. "We need online platforms and other players to address the systemic risks of their services and algorithmic amplification, stop policing themselves alone and stop allowing to make money on disinformation, while fully preserving the freedom of speech," she said. Signatories to the code, which was introduced in 2018, include Google, Facebook, Twitter, Microsoft, Mozilla, TikTok and some advertising and tech lobbying groups.

Security

'Scheme Flooding' Technique May Be Used To Deanonymize You (theregister.com) 46

sandbagger shares a report from The Register: FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application. "The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the schemeflood.com site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open Slack.app? A website wants to open this application. [Cancel] [Open Slack.app]." But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query. The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

Google

Bytecode Alliance Expands as Microsoft, Google, Intel Promote Fast, Secure Development with WebAssembly (mozilla.org) 54

There was a big announcement this week from Mozilla. They've joined Fastly, Intel, and Microsoft "in announcing the incorporation and expansion of the Bytecode Alliance, a cross-industry partnership to advance a vision for fast, secure, and simplified software development based on WebAssembly." Building software today means grappling with a set of vexing trade-offs. If you want to build something big, it's not realistic to build each component from scratch. But relying on a complex supply chain of components from other parties allows a defect anywhere in that chain to compromise the security and stability of the entire program.

Tools like containers can provide some degree of isolation, but they add substantial overhead and are impractical to use at per-supplier granularity. And all of these dynamics entrench the advantages of big companies with the resources to carefully manage and audit their supply chains.

Mozilla helped create WebAssembly to allow the Web to grow beyond JavaScript and run more kinds of software at faster speeds. But as it matured, it became clear that WebAssembly's technical properties — particularly memory isolation — also had the potential to transform software development beyond the browser by resolving the tension described above. Several other organizations shared this view, and we came together to launch the Bytecode Alliance as an informal industry partnership in late 2019. As part of this launch, we articulated our shared vision and called for others to join us in bringing it to life... [W]e asked prospective members to be patient and, in parallel with ongoing technical efforts, worked to incorporate the Alliance as a formal 501(c)(6) organization. That process is now complete, and we're thrilled to welcome Arm, DFINITY Foundation, Embark Studios, Google, Shopify, and University of California at San Diego as official members of the Bytecode Alliance.

We have a real opportunity to change how software is built, and in doing so, enable small teams to build big things that are both secure and fast.

Achieving the elusive trifecta — easy composition, defect isolation, and high performance — requires both the right technology and a coordinated effort across the ecosystem to deploy it in the right way. Mozilla believes that WebAssembly has the right technical ingredients to build a better, more secure Internet, and that the Bytecode Alliance has the vision and momentum to make it happen.

Programming

Rust Programming Language: We Want To Take It Into the Mainstream, Says Facebook (zdnet.com) 74

Facebook has joined the Rust Foundation, the organization driving the Rust programming language, alongside Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. From a report: Facebook is the latest tech giant to ramp up its adoption of Rust, a language initially developed by Mozilla that's become popular for systems programming because of its memory safety guarantees compared to fast languages C and C++. Rust is appealing for writing components like drivers and compilers.

The Rust Foundation was established in February with initial backing from Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. Microsoft is exploring Rust for some components of Windows and Azure while Google is using Rust to build new parts of the Android operating system and supporting an effort to bring Rust to the Linux kernel. Facebook's engineering team has now detailed its use of Rust beginning in 2016, a year after Rust reached its 1.0 milestone. "For developers, Rust offers the performance of older languages like C++ with a heavier focus on code safety. Today, there are hundreds of developers at Facebook writing millions of lines of Rust code," Facebook's software engineering team said.

Firefox

'Mozilla Is Hellbent On Making Their New Firefox UI Unusable' 181

Artem S. Tashkinov writes: Over the past ten years, Firefox market share has decreased substantially and the web browser has lost its appeal and coolness. Seeing that, someone at Mozilla probably decided that the best way to entice people back is by changing its UI, thus Firefox has already seen quite a huge number of changes despite other major web browsers staying relatively the same in terms of their visuals; i.e. Google Chrome and Apple Safari look almost the same as they did a decade ago. The most substantial redesign, which is being prepared for the next release, called Proton, promises to drive most power users away because it's broken on a number of levels and makes using the browser a very unpleasant experience.

So, what has changed:
- The compact density option for the address bar is now gone, and not only that, the title bar is now a lot taller than before. Overall, vertically, the title bar and address bar now take almost a dozen pixels more than previous Firefox releases, which steals very precious vertical space.
- The floating tabs. The active tab is now totally disconnected from the active web page and it looks out of place.
- The inactive tabs now completely lack a delimiter between them; and in the case of websites lacking a favicon, all inactive tabs look like one, which makes understanding what's open and what to click very difficult and time consuming.
- Mozilla has removed icons from menus, which makes navigating them slower and more difficult. Human beings can easily recognize and memorize icons, and now instead you have to read 20 menu items and try to understand what you actually need to click. Just to illustrate it, check how Firefox 88 looks and what is up and coming.

It surely looks like whatever UX studies Mozilla has done were either not run properly, or the data being collected was not properly understood. Mozilla has disabled feedback for Firefox, they've made it abundantly clear that you cannot leave comments in their Bugzilla, and considering they want to deprecate userChrome.css, it makes it impossible to restore the semblance of a good web browser experience. The Slashdot crowd loves free and open-source web browsers, so the question is, how can we make the company stop maiming and destroying their most important product?
Firefox

Firefox 88 Enables JavaScript Embedded In PDFs By Default 100

ewhac writes: Firefox has long had a built-in PDF viewer, allowing users to view PDF files in the browser without having to install a third-party application. In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now. The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs. Firefox's main preferences dialog offers no control for turning this "feature" off.

To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.
Linux

Slackware Approaches 28th Birthday With New Beta Release (theregister.com) 58

Slashdot reader LeeLynx shares news from The Register about a Slackware 15 beta release (following the debut of February's alpha), "nearly five years after the distribution last saw a major update." (And nearly 28 years after its initial release back in 1993...) Created by Patrick Volkerding (who still lays claim to the title Benevolent Dictator For Life), the current release version arrived in the form of 2016's 14.2... The Linux kernel has been updated to 5.10.30 (at time of writing) with 5.11.14 available for testing. Desktop fans may be pleased to see, among the many updates, KDE Plasma hitting 5.21.4 as well as updates for old faithfuls, such as Mozilla Firefox and Thunderbird.

The beta itself dropped on 12 April (with the 5.10.29 kernel) and Volkerding noted: "I'm going to go ahead and call this a beta even though there's still no fix for the illegal instruction issue with 32-bit mariadb. But there should be soon."

Tinkering has continued since, judging by the change log, although the beta tag brings hope there will be a release before long.

Google

Nobody is Flying To Join Google's FLoC (theverge.com) 65

Google is all alone with its proposed advertising technology -- FLoC -- to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it's unclear what that will mean for the future of advertising on the web. Firefox, Safari, Microsoft Edge, Vivaldi, and Brave have said they are not implementing Google's FLoC into their browsers.
