What’s in the latest Firefox upgrade? Proliferating picture-in-picture, even more anti-tracking
Mozilla last week raised the Firefox version count to 86, adding multiple picture-in-picture video viewing and bolstering the browser’s anti-tracking defenses by isolating all cookies in the sites that create them.
Security engineers also patched 12 vulnerabilities, five of which were pegged as “High,” Firefox’s second-most-serious label.
Firefox 86 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is either up to date or displays the refresh process.
Mozilla upgrades Firefox every four weeks; the last refresh was on Jan. 26.
Picture-in-picture multiplies
Firefox’s picture-in-picture mode debuted early in 2020 in Firefox 72 (some got the feature at the end of 2019, in Firefox 71), letting users deposit a frame on the desktop, video inside, from most — but not all — in-tab videos. The frame could be moved and resized at will, and was independent of the tab.
Firefox 86 offers the same, but in spades: Users can crank out several frames, each showing a different video, each able to be positioned anywhere on the desktop. As long as the originating tab remains open, the video will continue playing.
Applications of this may be tougher to come up with than one might think, but multiple frames would be great for following several networks’ coverage of a major event, say with the audio off on all but one, or for watching — or just keeping track of — several play-off games simultaneously.
More crackdowns on tracking
The other addition to Firefox 86 that Mozilla trumpeted was what it called “Total Cookie Protection.”
“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” wrote Tim Huang, Johann Hofmann and Arthur Edelstein — senior software engineering, Firefox developer and senior product manager respectively — in a Feb. 23 post to a company blog.
The last upgrade before this — January’s Firefox 85 — locked up so-called “supercookies,” identifiers that actually aren’t cookies but trackers based on sometimes-obscure elements in a browser, such as HSTS flags. Firefox 86 expanded on its predecessor’s efforts by siloing all cookies.
(Note: There are exceptions, notably cross-site cookies not used for tracking purposes, like those “used by popular third-party login providers,” as Mozilla put it.)
Together, the previous supercookie isolation and the newer, more inclusive cookie quarantining, said Mozilla, block sites “from being able to ‘tag’ your browser, thereby eliminating the most pervasive cross-site tracking technique.”
The feature wasn’t enabled by default in Firefox 86. Instead, users must steer to Preferences’ “Privacy & Security” section and select the Strict option under “Enhanced Tracking Protection.”
More technical information about Total Cookie Protection can be found on Mozilla Hacks and on the MDN Web Docs site.
Elsewhere, Mozilla said that Firefox 86 cleaned up the design of the browser’s Print interface.
The next version, Firefox 87, will be released March 23.
Page 2
Firefox 85
Mozilla this week upgraded Firefox to version 85, adding to its overarching emphasis on privacy by isolating supercookies that some sites rely on to track users’ movements on the web.
Engineers also patched 13 vulnerabilities, five of which were marked “High,” Firefox’s second-most-serious label.
Firefox 85 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.
Mozilla upgrades Firefox every four weeks; the last refresh was on Dec. 15.
Stomping on supercookies
Other than the fixes for the baker’s dozen of security flaws, the most notable change in Firefox 85 is a behind-the-scenes expansion of Mozilla’s bet on privacy.
“In Firefox 85, we’re introducing a fundamental change in the browser’s network architecture to make all of our users safer: we now partition network connections and caches by the website being visited,” said Steven Englehardt and Arthur Edelstein, senior privacy engineer and senior product manager, privacy and security, in a Jan. 26 post to a Mozilla blog. “Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking.”
Mozilla aims to stamp out the dodgy practice of storing user identifiers in “increasingly obscure parts of the browser,” as Englehardt and Edelstein put it, including caches and various types of connections and sessions. Tracking entities have gone to great lengths to hide their trackers as browser makers — Mozilla among them — have blocked more obvious avenues, such as traditional cookies, as they appeal to users’ increasing concerns.
Firefox’s approach, which typically goes by the term Network Partitioning, isolates multiple kinds of caches used by the browser to boost perceived performance by, for instance, drawing on an already-viewed image from a local cache — in memory or perhaps on disk — rather than call it again from its Internet-based source. The goal of caching: save time by eliminating downloads and reserve bandwidth for first-time content retrieval.
Rather than share such content among multiple sites, Firefox will instead quarantine that content to the pertinent site. “This partitioning applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain,” added Englehardt and Edelstein. “Systematic network partitioning makes it harder for trackers to circumvent Firefox’s anti-tracking features.”
Because the time- and bandwidth-saving techniques of sharing cached content have been discarded, network partitioning has an impact on page load times. Englehardt and Edelstein acknowledged a slight increase of up to 1.3%.
Apple’s Safari has had a form of network partitioning in place since 2013, and Google’s Chrome will soon have its own implementation. Chrome 89, slated to ship March 2, will include this anti-tracking technology, although it will be hidden behind a setting in the chrome://flags page.
Few odds, few ends
Along with the new defense against supercookies, Mozilla slipped some other improvements into Firefox 85.
The browser now remembers the location the user last selected for saved bookmarks; also, the bookmarks toolbar can be set to appear only on new page tabs, an option for tidying up the UI.
Firefox 85 also removed all support for Flash Player. “There is no setting to re-enable Flash support,” Mozilla bluntly said.
The next version of Mozilla’s browser, Firefox 86, will be released Feb. 23.
Page 3
Firefox 84
Mozilla on Tuesday upgraded Firefox to version 84, adding native support for Apple’s new ARM-based Macs and declaring the browser the last to support Adobe’s Flash Player.
Security engineers also patched 14 vulnerabilities, one pegged “Critical,” Firefox’s most-serious label. Six other flaws were marked “High,” the next lower threat level.
Firefox 84 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.
Mozilla upgrades Firefox every four weeks, with the last refresh reaching users on Nov. 17.
Made for M1
Easily at the top of Firefox 84’s change log was its native support for Apple’s home-grown silicon, the M1 system-on-a-chip (SoC) that relies on the same ARM architecture which has long powered the company’s iPhone and iPad.
Firefox, like Chrome and Safari before it, now comes in a native-to-M1 version that does not need to be translated by the Rosetta 2 technology baked into macOS 11, aka Big Sur. (Big Sur uses Rosetta 2 to translate existing Intel-based code into code that runs on the M1 SoC.)
According to Mozilla, the native version of Firefox boasts superior performance on the newest MacBook Air, MacBook Pro and Mac Mini, the models Apple has released with its own SoC. “Native support … brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive,” Mozilla asserted in Firefox 84’s release notes.
The comparison was to November’s Firefox 83, which as an Intel-based application, was translated by Rosetta 2 before running, a process that, at minimum, resulted in a longer launch the first time it was opened.
It was unclear whether Mozilla was packaging both the ARM and Intel versions of Firefox into a single Universal App, or if it was updating the browser with separate binaries.
Last call for Flash
Firefox 84 will also be the last of its kind to support Flash, the plug-in that launched the multimedia web even as it was excoriated by security professionals.
Adobe will disable Flash Player on Jan. 12, 2021, when the software will refuse to run content. Adobe made the announcement of the date on Dec. 8, when it issued the final update to Flash.
Mozilla will sync Firefox with that schedule, more or less. Firefox 85, slated to ship Jan. 26, 2021, will ship without support for Flash of any kind. “There will be no setting to re-enable Flash support,” Mozilla said in a support document, referring to the configuration settings it had long left in Options (Windows) and Preferences (macOS).
Flash Player, if it’s on one’s personal computer, will remain even after Adobe and Firefox halt support. However, Microsoft plans to delete the plug-in from Windows 10 and Windows 8.1 in 2021, on a multiple-step schedule outlined here. Mac users with Flash Player — and they will be in the minority, what with Apple’s anti-Flash attitude — will have to manually uninstall the plug-in. Adobe has provided uninstall instructions here.
The next version of Mozilla’s browser, Firefox 85, will be released Jan. 26.
Page 4
Firefox 83
Mozilla this week upgraded Firefox to version 83, adding an “HTTPS-Only Mode” that tries to connect to all websites through the more secure HTTPS protocol and, after failing to do so, warning users of with a can’t-miss-it, in-your-face alert.
Company engineers also patched 21 vulnerabilities, four marked “High,” Firefox’s second-most-serious label. Firefox 83 did not include fixes for any bugs marked “Critical.”
Firefox 83 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.
Mozilla upgrades Firefox every four weeks, with the last refresh reaching users on Oct. 20.
HTTPS-Only
Easily the most promoted of Firefox 83’s new features, the HTTPS-Only Mode promises to keep the browser’s users more secure, especially when they’re relying on public connections to the Internet that themselves have not been encrypted.
“It is time to let our users choose to always use HTTPS,” wrote Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein and Thyla van der Merwe, four members of Mozilla’s security group, in a Tuesday post to the company’s security blog. “That’s why we have created HTTPS-Only Mode, which ensures that Firefox doesn’t make any insecure connections without your permission.”
When enabled — the mode is off by default — HTTPS-Only attempts to connect to every site using HTTPS rather than the unencrypted HTTP protocol. For example, Firefox will automatically switch to HTTPS when the user clicks a link that includes http:// or when the user types http:// in the address bar.
If the destination site doesn’t support HTTPS, Firefox displays a full-page warning that asks the users whether or not they want to continue and connect using HTTP.
(In some ways, HTTPS-Only Mode is similar to the HTTPS Everywhere extension — a joint effort by the Electronic Frontier Foundation (EFF) and the Tor Project — although it lacks the add-on’s ability to add user-written rules that teach it to support sites.)
15% faster, says Mozilla
Mozilla also claimed performance increases in Firefox 83, driven by improvements to the browser’s JavaScript engine, SpiderMonkey. According to the company, the browser loads pages up to 15% faster than before, even while memory usage fell up to 8%.
Other changes of note included new keyboard shortcuts for fast forwarding and rewinding video displayed in Firefox’s picture-in-a-picture sub-screen, and new options in the search panel (the box that opens after starting to type a search string into the Firefox address bar). Icons at the bottom of the panel representing several search engines — from Bing and DuckDuckGo to Wikipedia and eBay — as well as other standing in for bookmarks, open tabs and browser history can be selected so that the search takes place within that engine or category.
Also as of this version, Firefox can be run under macOS 11, aka “Big Sur,” on the new MacBook Air, MacBook Pro and Mac Mini personal computers powered by Apple’s ARM-based M1 system-on-a-chip (SoC) silicon. Firefox 83 and later, Mozilla said, support Rosetta 2, the Intel-to-ARM translator included with Big Sur. A natively-compiled version of Firefox for Apple Silicon, Mozilla added, will come “in a future release.”
The next browser, Firefox 84, will be released Dec. 15.
Page 5
Firefox 81
Mozilla last week refreshed Firefox to version 81, adding a new standard theme for the browser, improving its PDF skills and automatically filing in credit card information.
Engineers also patched six vulnerabilities, half of them labeled “High,” Firefox’s second-most-serious label. Unlike many Firefox upgrades, version 81 did not fix any bugs marked “Critical.”
Firefox 81 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla upgrades Firefox every four weeks, the fastest tempo of any of the top four browsers. Mozilla last upgraded the browser on Aug. 25.
UI? You bet
Unlike the last several Firefox updates — versions 77 through 80 — Firefox 81 actually offered users noticeable new features and functionality (some in the in-your-face UI, no less).
Mozilla added a fourth built-in theme for the browser, dubbed “Alpenglow.” The new theme transformed the area around the address bar into a colorful sweep of pinks and purples, a brazen departure from the until-now-standard “Default,” “Dark” and “Light” choices.
Users can change the theme — or download others — by selecting Add-ons from the menu at the upper right.
Also on the UI front, Firefox 81 is supposed to respond to devices’ audio and video control buttons, those built into a keyboard or headset, say, as well as the virtual keys in the Mac’s touch bar. Not surprisingly, caveats abound.
Fill it up
In other UI-related news on Firefox 81, Mozilla reworked the PDF viewer’s look and feel to match the browser’s. (Previously, the viewer’s UI resembled a bolted-on afterthought, more Frankenstein than fit to Firefox.)
Firefox’s PDF viewer now supports AcroForm, aka the Acrobat Forms technology for completing PDF-based forms at the keyboard (as opposed to printing, filling the form by hand, then scanning to send via, for instance, email) by filling out pre-set fields. Computerworld, however, was unable to test the AcroForm capability on macOS; Firefox’s PDF viewer kicked up the error message: The filing of form fields is not supported..
In the U.S. and Canada, Firefox 81 will automatically enter the user’s previous-saved credit card information in forms, such as those on shopping sites as the buyer checks out. (As with AcroForm support, Firefox 81 on macOS did not show Computerworld these credit card changes.) When the feature is enabled — Mozilla, like other software makers, often rolls out new features and functionality to the user base in stages — it can be turned off or on from the Preferences > Privacy & Security > Forms and Autofill. For additional security, users can choose to require further authentication before credit card autofill; the OS’s log-in password will unlock the feature.
On the enterprise side, where Firefox’s influence pales in comparison with Chrome’s or even Microsoft’s new Chrome-wannabe, Edge, Mozilla noted that as of last week’s launch of v.81, corporate users still running Firefox 68 ESR (Extended Support Release) would be force-fed Firefox 78 ESR as its 2020-2021 replacement.
The next upgrade, Firefox 82, will be released Oct. 20.
Page 6
Firefox 80
For a company whose future depends on attracting more users to its primary product, Mozilla has taken a lackadaisical approach to boosting Firefox’s features and functionality over the last four upgrades.
On Tuesday, Mozilla released Firefox 80, the fourth upgrade in a row to lack compelling new features visible to end users.
At the same time, Mozilla engineers patched 10 security vulnerabilities, including three rated as “high,” the organization’s second-most-serious threat ranking.
Firefox 80 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users receive the latest version when they relaunch the browser. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the in-process refresh.
Mozilla upgrades Firefox every four weeks, a faster tempo than rivals such as Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser July 28.
A scarcity of new shiny
Like June’s Firefox 77 and 78, and July’s Firefox 79, this month’s Firefox 80 adds next to nothing to the browser’s visible feature or functionality lists.
Mozilla itself called out only two new items of note: first, Firefox can now be set as the system-wide default for viewing PDF files, and second, it improves on how screen readers, tools used by vision-impaired, translate the browser’s menus.
Other changes Mozilla took the time to tout ranged from a decrease in the number of animations “such as tab loading to reduce motion for users with migraines and epilepsy,” to an enterprise-appropriate control that turns off a confirmation dialog when employees submit a form from an insecure page.
It’s been months since a Firefox upgrade has had enough visible new to outweigh changes under the hood. For example, Mozilla didn’t bother pitching any user-seen new or improved features or functionality in July’s Firefox 79. The Firefox before that, version 78, could muster only a few minor tweaks to the browser’s privacy dashboard. And Computerworld passed on describing Firefox 77 entirely because it contained so little of interest to end users. (Virtually every Firefox upgrade offers something for website and web app developers.)
That’s not really a trend that Mozilla will want to advertise.
Firefox’s troubles are not mysteries. Its browser share – as measured by California-based Net Applications – fell to 7.3% in July, a mark 1.1 percentage points lower than its share a year earlier. That represented a 12-month decline of 13%. According to Mozilla’s own data, the number of Firefox’s monthly active users (MAU) has fallen 15% since the start of this year.
Financially, Mozilla is in no better shape: Its most recently-reported balance sheet – for the 2018 calendar year – showed a 20% drop in revenue. The year was the first in which the organization spent more than it brought in.
And only two weeks ago, Mozilla laid off 250 people, about a quarter of its workforce, claiming that the coronavirus pandemic had “significantly impacted our revenue.”
With those headwinds, one might expect Mozilla to work overtime to craft engaging features and build atop core existing functionality, such as privacy.
Perhaps Firefox’s rapid release tempo – it accelerated to an every-four-weeks schedule earlier this year – diluted what appeared in each upgrade. The coronavirus pandemic and work-from-home mandates may have affected development, resulting in fewer new bits to include in the browser’s upgrades. And talk of additional layoffs after Mozilla let go 70 employees in January – Mozilla said it had continued to discuss the likelihood of more through the spring – would not have helped morale or made workers particularly productive.
It remains unclear how Mozilla plans to make Firefox more interesting to users and what the strategy will be to grow the browser’s base – or even whether Firefox remains the heart of Mozilla’s grand design. When Mozilla disclosed its latest layoff round, Mitchell Baker, Mozilla’s CEO, ticked off a list of moves the leaner organization would make. Although Firefox was certainly mentioned, Baker put more emphasis on other strategies, notably new products and services, as a way to grow Mozilla.
The next upgrade, Firefox 81, will be released Sept. 22.
Page 7
Firefox 79
Mozilla this week upgraded Firefox to version 79, patching 10 vulnerabilities without making any notable changes that users will see.
Of the 10 security bugs, Mozilla marked four as “High,” the browser’s second-most-serious label.
Firefox 79 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users will get the latest version just by relaunching the browser. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the in-process refresh.
Mozilla now upgrades Firefox every four weeks, a shorter cadence than rivals like Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on June 30.
Where’s the new shiny stuff?
With a tight release schedule of rolling out a new version every 28 days, it’s not surprising that some upgrades add little to the browser’s visible features and functionality. Firefox 79 is one such upgrade.
Although Mozilla called out some under-the-hood improvements – WebRender support for more Intel and AMD graphics processors, for one – and several changes of interest to developers, there was nothing to pitch to users.
That’s understandable, of course. But it was also a lost opportunity to offer something new to users in a time when Firefox continues to struggle maintaining its already small share. As of June 30, the most recent measurement by analytics company Net Applications, Firefox accounted for only 7.2% of all browser activity across the world, a mark 2.3 points fewer than 12 months prior. (That meant Firefox lost almost a quarter of its share in the past year.)
Mozilla also addressed a handful of bugs related to its enterprise edition – Firefox ESR (Extended Support Release) – and how IT administrators manage the browser using group policies.
The organization took advantage of the paucity of new features to remind those enterprise customers of the upcoming transition of ESR versions. The final ESR based on last year’s Firefox 68 will be issued Aug. 25, Mozilla said, and all those who hadn’t upgraded to 2020’s ESR, Firefox 78, will be forcibly migrated to the latter starting Sept. 22.
The next Mozilla upgrade, Firefox 80, will be released Aug. 25.
Page 8
Firefox 78
Editor’s note: This story does not include details about Firefox version 77, which was released June 2. That update offered few changes from version 76.
Mozilla last week upgraded Firefox to version 78, patching a baker’s dozen of security flaws and starting the annual process of retiring last year’s Extended Support Release (ESR) and offering customers the latest enterprise-designed build.
Company engineers patched 13 vulnerabilities, seven labeled “High,” Firefox’s second-most-serious label. Unlike most Firefox refreshes, version 78 did not fix any bugs marked “Critical.”
Firefox 78 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
A day after Firefox 78’s debut, Mozilla updated the browser again to fix “an issue which could cause installed search engines to not be visible when upgrading from a previous release.”
Mozilla upgrades Firefox every four weeks, a much faster tempo than Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on June 2.
More information on the privacy dashboard
Some Firefox updates are more notable than others, especially now that Mozilla is on an accelerated every-four-weeks schedule. Firefox 78 is one of the less notable upgrades.
Among the few visible-to-users changes are additions to the “Protections Dashboard,” the new name for the consolidated display of Firefox’s anti-tracking technologies’ results, known data breaches affecting the user and potential password problems. The dashboard carries on the gradual improvements Mozilla’s made to Firefox’s Enhanced Tracking Protection, which put Firefox in the lead last year in comprehensive quashing of the ad- and site-trackers which trace users’ web movements and actions.
The dashboard is a convenience, a slightly improved variation on what the browser has had for several iterations. New items on it show passwords that fell victim to known breaches as well as steps the user has already taken to mitigate said breaches (which may involve changing passwords, putting two-factor authentication into effect and the like).
Firefox’s Protections Dashboard can be called from the menu at the far right (the three horizontal lines) or by entering about:protections in the address bar.
Also with Firefox 78, Mozilla began culling OS X 10.9 (Mavericks), 10.10 (Yosemite) and 10.11 (El Capitan) from support, automatically shifting users of those outdated Mac operating systems to the Extended Support Release (ESR).
ESR starts next transition
Firefox ESR, which traces roots to 2012, is the release channel crafted for enterprises that cannot – or will not – upgrade workers’ browsers every four weeks. Instead, approximately once a year, Mozilla issues a new ESR that then is supported until its replacement appears (plus a several-week overlap).
The concept grew from concerns by large organizations over the fast release schedule Firefox adopted nearly a decade ago; IT administrators balked at testing and adopting a new release every few weeks.
ESR would address that by accepting only the separate security updates Mozilla made (and distributed on the same every-four-week schedule used by its standard browser channel). New features would not be introduced to any given ESR version during its year-long run. Instead, users would “catch up” on feature and functionality changes when the next ESR was released.
To give enterprises time to test and roll out the next ERS, Mozilla would use an eight-week overlap during which it would release both the previous ESR (designated “n”) and its replacement (“n+1”).
Enterprises have been using Firefox ESR 68 since the summer of 2019, but its end nears. The next ESR is v. 78. Mozilla will refresh both ESRs on July 28 and Aug. 25; ESRs 68.11 and 78.1 will appear on the first date, ESRs 68.12 and 78.2 on the second. The next release cycle, slated for Sept. 22, will see only ESR 78.3; ESR 68’s support will come to an end that day.
The following table illustrates the changeover from one ESR to the next.
The next Mozilla upgrade, Firefox 79, will be released July 28.
Page 9
Firefox 76
Mozilla shipped Firefox 76 with enhanced password protections that include warnings of sites reportedly victimized by criminals as well as alerts if users rely on passwords known to have been leaked in breaches of other sites or services.
Engineers also patched 11 vulnerabilities, three labeled “Critical,” Firefox’s most-serious label, and another trio marked “High,” the next level down. One of the critical flaws was reported by noted researcher James Forshaw of Google’s Project Zero, and affected only the Windows version of the browser.
“The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape,” Mozilla said in the accompanying advisory.
Firefox 76 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla now upgrades Firefox every four weeks, a significantly faster tempo than Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on April 7.
Breach, reuse warnings now flash in password manager
The notable enhancements to Firefox 76 took place within its password manager, dubbed Lockwise, an area of emphasis for Mozilla in the past.
“There’s no doubt that during the last couple of weeks you’ve been signing up for new online services like streaming movies and shows, ordering takeout or getting produce delivered to your home,” Mozilla said in a post to a May 5 company blog. “All of those new accounts need unique, strong passwords to be secure, which you can now generate, manage and protect more easily.”
One change now requires a user to enter a Firefox master password – one that locks all stored passwords – or OS log-in credential to view those saved passwords in plain text. (Previously, the only way to keep nosy neighbors from looking over a shoulder to spy out a password was with a Firefox master password – but that had disadvantages of its own, particularly the browser demanding it once a session in order to access the usernames and passwords for entry into site forms.)
Another new aspect of the integrated manager: An alert appears in the sites’ credentials list when a password has been revealed in a breach. (Mozilla relies on the Have I Been Pwned? site and service for breach information.) The idea here is to prompt users to change those disclosed passwords, both on the appropriate sites and in the browser’s manager.
(Since November 2018, Firefox has displayed in-the-browser notifications when a user steered toward a site that had been breached.)
Firefox now notifies users when they’ve reused a password already on the looks-like-that-one-leaked list, too; again, as a prompt to not do something that stupid. Mozilla doesn’t actually “see” such passwords as they’re entered or receive them in any form of plain text. Instead, Firefox builds an encrypted list of the breached passwords, then checks that against all saved passwords.
Mozilla also tweaked the video picture-in-picture feature that debuted in Firefox 71 (Windows) and 72 (macOS, Linux). Picture-in-picture lets users separate video from a web page and place it within a separate, small window, where it remains viewable whether the active tab is switched or even if Firefox stays open in the background. In Firefox 76, a double-click expands the picture-in-picture frame to full-screen, while a second double-click restores it to its original, smaller size.
The next Mozilla upgrade, Firefox 77, will be released June 2.
Page 10
Firefox 75
Mozilla on Tuesday released Firefox 75 on schedule, unlike rivals Google and Microsoft, which postponed browser releases by weeks and scratched one version entirely because of the COVID-19 pandemic.
The upgrade’s most visible changes were to Firefox’s address bar, which has been tricked out with several enhancements designed to make for more productive searches.
The company’s developers also patched a half dozen vulnerabilities, three labeled “High,” Firefox’s second-most-serious label. As has regularly been the case, Mozilla addressed multiple memory safety flaws that criminals might have been able to exploit had they known of them.
Firefox 75 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
This was the second version of Firefox to be released four weeks after its predecessor — Mozilla last upgraded the browser on March 10. In September 2019, the company announced it would accelerate the browser’s release pace by shortening the interval between upgrades from six weeks to five as an interim step, finally to four weeks.
Mozilla: We don’t do delays
It was notable that Firefox 75 appeared on time, as it had been scheduled months earlier. Three weeks ago, first Google, then Microsoft, announced that they had temporarily suspended Chrome and Edge releases, respectively.
Google put off Chrome 81’s March 17 launch, while Microsoft followed suit two days later. Although neither explicitly named the coronavirus and its resulting disruptions as the cause, their “adjusted work schedules” and “current global circumstances” descriptions blamed the pandemic.
A week later, Google said it would release Chrome 81 on April 7 (it did), scrub Chrome 82 from the launch list and debut Chrome 83 three weeks earlier than originally scheduled (on May 19). Microsoft again said its Edge — like Chrome, built on technologies provided by the open-source Chromium project — would mimic Google’s browser’s return.
Mozilla held to its calendar. “We believe we can maintain our 2020 Firefox release schedule as we navigate this global crisis together,” Joe Hildebrand, vice president for Firefox web technology, and Selena Deckelmann, vice president of Firefox desktop, wrote in a joint post to a company blog. And the two took shots at the competition, noting that their teams were familiar with working remotely.
“These strengths are what allow us to continue to make progress where some of our competitors have had to slow down or stop work.”
But Hildebrand and Deckelmann didn’t promise that Mozilla would never deviate from the every-four-week tempo. “We will continue to monitor both internal and external feedback and remain open to making future adjustments,” they said.
Augmenting the address bar
With its 50% faster release cadence – every four weeks rather than every six – users have to expect fewer new features and smaller amounts of new functionality in each upgrade. That’s the case with Firefox 75, which adds to the address bar and that’s about all.
Among the improvements to the bar, one stood out: A click in the address bar now drops down a list of the first eight sites from the new tab page. The click-and-list function works at all times, saving the need to first open a new tab before zipping to a favorite site (as long as the site is one of the first eight).
To change the contents of the list or the order of the sites within it, users must add to or subtract from the thumbnails on the new tab page, or reshuffle those already there.
Other changes to the address bar’s user interface (UI) and user experience (UX) included boldfaced keywords based on the search string being entered – “to narrow your search even further,” Mozilla asserted – and a variable-sized field and font, both which expand when typing a search string and contract to standard size when finished.
Mozilla highlighted several developer- and enterprise-specific changes as well, ranging from the loading attribute on elements to support for client certificates from the macOS certificate store. More information can be found in Firefox 75’s release notes.
The next Mozilla upgrade, Firefox 76, should appear May 5.
Page 11
Firefox 74
Mozilla on Tuesday shipped Firefox 74. Wait, didn’t we just get a new Firefox a minute or two ago?
It may feel that way. Firefox 74 arrived just four weeks after its predecessor, continuing the faster release cadence promised last year.
The refreshed browser dropped support for the now-obsolete TLS 1.0 and 1.1 cryptographic protocols, blocked all add-on “side-loading” except that allowed by enterprise-managed group policy, and enabled support for a header element designed to safeguard against attacks based on the Meltdown and Spectre hardware-based vulnerabilities first revealed two years ago.
Mozilla’s security engineers also patched a dozen vulnerabilities, half of them labeled “High,” Mozilla’s second-most-serious threat label. As usual, some of the flaws might be used by criminals.
“We presume that with enough effort some of these could have been exploited to run arbitrary code,” the firm wrote of two of the bugs. Two others were discovered and reported by members of Google Project Zero, the search company’s team of researchers who root out unpatched flaws in Google and non-Google software.
Firefox 74 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
This was the first version of Firefox to be released four weeks after its predecessor — Mozilla last upgraded the browser on Feb. 11. In September 2019, the company announced it would pick up the development and release pace by shortening the interval between upgrades from six weeks to first five, then to four.
Say farewell to TLS 1.0, 1.1
As expected, Firefox 74 pulled the plug on the outdated encryption protocols of TLS (Transport Layer Security) 1.0 and 1.1. When users try to connect to a site secured with either TLS version, Firefox now shows a “Secure Connection Failed” error page.
But as when Mozilla delivered Firefox 73, this month’s upgrade included an override button letting users temporarily enable TLS 1.0 and 1.1. That button will remain “for a couple of release cycles,” said Chris Mills, content team manager at the Mozilla Developer Network, in a March 10 post to a company blog. “You won’t be able to rely on it for too long,” Mills also warned. (A “couple of release cycles” might mean through, say, Firefox 76, which will be supplanted by the next version on June 2.)
Note: The deprecation of TLS 1.0/1.1 was the result of a 2018 joint decision by makers of the four biggest browsers (including Apple, Safari; Google, Chrome; and Microsoft, Edge and Internet Explorer).
Sideloading stymied
Firefox 74 also put a stop to sideloading, the term describing how a third-party application installs an associated add-on in Firefox. (One example from times past was the “Web Clipper” add-on that Evernote installed in browsers, including Firefox.) Sideloading has been, if not banned outright, certainly frowned upon by browser makers, who have cited security concerns regarding the practice.
In October 2019, Mozilla said that it would ban sideloading, noting malware opportunities as well as the lack of user control; sideloaded add-ons were installed without user approval and could not be deleted by the normal method of heading to Firefox’s Add-ons Manager portal. At the time, Mozilla targeted Firefox 74 as the version that would drop support for sideloading.
That’s happened.
Users must now take an explicit action to install a sideloaded add-on in Firefox — blocking the hands-off kind of installs sideloading was known for — and can delete them from the Add-Ons Manager. Add-ons that were sideloaded previously won’t be removed by Mozilla (that’s for users to do if they wish), but no new sideloaded browser add-ons will be permitted from Firefox 74 forward.
As is almost always the case with Firefox, this change-up can itself be stymied in the enterprise if IT deploys the appropriate group policies to employees’ copies of the browser.
More information on Firefox 74’s stance on sideloading can be found in this Mozilla post of March 10.
Enhances security, privacy
Mozilla enabled support for the “Cross-Origin Resource Policy” (CORP) header, which can be used by site developers to opt in to protection against cross-origin requests, or those from outside the domain of the website itself.
Using CORP can help safeguard against attacks by the likes of Spectre and Meltdown, the side-channel, hardware-based vulnerabilities that went public in early 2018 and triggered major efforts by browser makers, OS developers and chip company Intel to provide patches.
Firefox 74 also took the time to trumpet the Mozilla-made Facebook Container, an add-on that locks the social network and a user’s interactions with it inside a separate container, or sections of the browser’s memory. Anything done inside the container cannot be tracked outside the container; the result is that Facebook then cannot track one of its users when she goes elsewhere on the web.
Facebook Container is not new: Mozilla launched it almost two years ago. (The latest version now lets users add custom sites to a list so that Facebook’s credentials can be used for logging on to those websites.) Rather, once Firefox 74 has been installed — or Firefox was upgraded to version 74 — Mozilla uses the opportunity to pitch the add-on.
Firefox Container can also be installed from here.
The next version, Firefox 75, is to launch on April 7.
Page 12
Firefox 73
Mozilla this week released Firefox 73, a minor upgrade whose most notable addition was a new default setting for page zooming.
Software engineers working on the open-source browser also patched six vulnerabilities, half of them labeled “High,” Mozilla’s second-most-serious threat rating. As usual, some of the flaws might be used by criminals.
“We presume that with enough effort some of these could have been exploited to run arbitrary code,” the firm wrote of two of the bugs.
Firefox 73 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla last upgraded the browser on Jan. 7, or five weeks ago.
From this point forward, Mozilla will refresh the browser every four weeks. Firefox 74 will end a gradual reduction to the intervals between upgrades: Mozilla announced the release speed-up in September, when it said the original six-week span would be shortened to five weeks, then to four.
Zoom-zoom
Firefox’s faster release tempo comes at a price: the distinct possibility that each upgrade will boast fewer new features, fewer improvements and enhancements. Firefox 73 is proof, as Mozilla was able to highlight just two changes evident to end users.
The first was a new user-set global default for the page zoom level. Rather than monkey with zoom for each site individually – to, for instance, zoom in to make text more readable for older eyes – users can set a default level higher or lower than 100% as the new baseline.
To change the default zoom (which remains at 100% if the user declines to modify it), users must open Preferences (on macOS) or Options (Windows), then under the “General” tab locate “Language and Appearance.” Select the desired default zoom from the box under “Zoom.”
That number – 110%, for instance – becomes the new baseline for all sites. Users can still manually increase or decrease zoom with keystroke combinations or from the menu.
The other addition trumpeted by Mozilla in Firefox 73’s release notes was labeled “readability backplate” and designed to collaborate with Windows’ high contrast mode. The latter is a setting that replaces the original colors of, say, a website’s text and background, with high contrast combinations for easier reading by people with vision issues.
Previously, Firefox has simply disabled background images when the user enabled high contrast mode. In Firefox 73, the readability backplate “places a block of background color between the text and background image,” Mozilla said. “Now, websites in High Contrast Mode are more readable without disabling background images.”
Days are numbered for TSL 1.0 and TSL 1.1
Mozilla, like other browser makers, is knee-deep in putting an end to the outdated encryption protocols of TLS (Transport Layer Security) 1.0 and 1.1.
More than a year ago, in October 2018, Mozilla announced that the two standards, TLS 1.0 and TLS 1.1, would lose Firefox support in March 2020. That’s next to now.
In a Feb. 6 post, Thyla van der Merwe, the cryptography engineering manager at Mozilla, promised that the upcoming Firefox 74 would give the boot to the pair. “Expect Firefox 74 to offer TLS 1.2 as its minimum version for secure connections when it ships on 10 March 2020,” she wrote.
Although van der Merwe said that Firefox would retain an override button (which has been appearing on warnings when users try to reach a website encrypted by TSL 1.0 or TSL 1.1), she noted that with telemetry trends being what they were, “It’s unlikely that the button will stick around for long.”
The next version, Firefox 74, will release on March 10.
Page 13
Firefox 72
Mozilla on Tuesday launched Firefox 72, which expanded picture-in-picture video mode to macOS and by default blocked “fingerprinting,” an advanced tracking method practiced by some sites and advertisers.
The open-source developers also patched 11 vulnerabilities, five labeled “High,” Mozilla’s second-most-serious threat rating. As usual, some of the flaws might be used by criminals. “We presume that with enough effort … it could be exploited to run arbitrary code,” the firm wrote of the CVE-2019-17017 vulnerability.
Firefox 72 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla now refreshes Firefox every five weeks; it last upgraded the browser on Dec. 3.
(In September 2019, Mozilla said it would reduce the intervals between upgrades. The earlier six-week stretch was shortened to five weeks between Firefox 71 and 72. Starting with March’s Firefox 74, the interval will drop to four weeks.)
PiP-pin for McIntosh?
A month ago, Mozilla introduced Picture-in-Picture (PiP) with Firefox 71, touting the new feature’s ability to display video in a separate, small window while the user continues to surf elsewhere or even works outside the browser. Then, PiP was limited to Firefox running on Windows.
Firefox 72 expanded PiP to macOS – and if Mozilla’s December pledge was honored, Linux as well – and the feature works just as in Windows. Videos that will run in PiP were marked with a small, blue-backed “Picture-in-Picture” message when the mouse cursor hovers over the image. Clicking on that puts a frame on the desktop, video inside, and the frame can be moved and resized at will.
Firefox’s implementation of PiP is significantly smoother than Chrome’s – which requires a pair of right-clicks – in the videos where it’s available.
Scratch sites’ begging to blast you with notices
Another new aspect of Firefox 72 that Mozilla highlighted is its dampening down of the distraction from sites asking users to allow future notifications.
Those irritating pop-ups rarely result in users acquiescing to the request, Mozilla asserted. According to the company’s research, 48% of those prompts are “actively denied by the user” and a whopping 99% go unaccepted. In other words, they’re a vast waste of both websites’ and users’ time.
Firefox 72 blocks the notifications from reaching the screen – and obscuring part of the underlying page – and instead adds a small comic-style speech bubble, one that briefly jiggles for attention no less, to the address bar. Users can click on the bubble to pull up the usual notification pop-up – perhaps to dismiss it entirely and lose the bubble – or just ignore it. (It jiggles just once.)
Users can, of course, check the long-available box marked “Block new requests asking to allow notifications” in Options (Windows) or Preferences (macOS) to avoid all such irritants. (To reach that, from the “Privacy & Security” section, choose “Permissions,” then click the “Settings” button beside “Notifications.”)
Fingering fingerprinters
Mozilla also trumpeted another addition to Firefox’s anti-tracking skillset that it baked into version 72.
“The latest Firefox browser protects you against fingerprinting by blocking third-party requests to companies that are known to participate in fingerprinting,” Mozilla said here.
Like cookie-based tracking, fingerprinting is used by sites and advertisers to follow users as they wander around the web, most infamously to continue to offer a product that an individual looked at previously. It’s akin to a salesperson following a customer not only around the store, dunning them to buy this or that, but leaving the store with them, tracking them across town and even all the way home.
Fingerprinting relies on piecing together clues – ranging from the browser version and device platform to installed fonts and extensions – to create a profile, hopefully one unique enough to distinguish from others’. Unlike cookie-based tracking, fingerprinting can continue to follow a user even after the browser’s been cleared or its privacy mode has been used to, supposedly, surf anonymously.
Firefox 72 has the fingerprinters portion of Enhanced Tracking Protection (ETP), Mozilla’s name for its collection of anti-tracking technologies, turned on by default. Even if the user has switched off ETP by disabling the other tracker types, the “Fingerprinters” option will be engaged.
Mozilla turned to its partner, Disconnect – which already provided the tracker list that served as the foundation of ETP – as the source of the fingerprints. “Disconnect maintains a list of companies that participate in cross-site tracking, as well a list as those that fingerprint users. Firefox blocks all parties that meet both criteria,” Steven Englehardt, a Mozilla senior privacy engineer, said in a Jan. 7 post to a company blog.
“Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Englehardt added, without going into specifics.
The next version, Firefox 73, should launch Feb. 11.
Page 14
Firefox 71
Mozilla this week released Firefox 71, touting a picture-in-picture video mode and new ways to preview a VPN (virtual private networking) service that will be offered to customers next year.
Security engineers included patches for 11 vulnerabilities, six marked “High,” the second-most-serious threat rating. None were tagged “Critical.” Some of these flaws might be exploitable by cyber criminals, Mozilla said. “This could have caused heap corruption and a potentially exploitable crash,” the firm noted of one vulnerability, labeled CVE-2019-11745.
Firefox 71 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla refreshes Firefox every six to eight weeks; it last upgraded the browser Oct. 22.
PiP PiP, and all that
Mozilla trumpeted a new Picture-in-Picture (PiP) mode within Firefox 71. “Picture-in-Picture allows a video to be contained in a separate and small window, and still be viewable whether you switch from tab-to-tab or outside the Firefox browser,” wrote Marissa Wood, vice president of product, in a Dec. 3 post to a company blog._
Although PiP was available only in Windows’ version of Firefox 71, the feature will be baked into the next upgrades for macOS and Linux, Mozilla said. Currently, Firefox 72 has been pegged with a Jan. 7 release date.
(If that January ship date for Firefox 72 seems earlier than it should, it is. In September 2019, Mozilla announced it would speed up Firefox releases by reducing the interval between upgrades. Starting with Firefox 74, set to debut March 10, the interval will drop to just four weeks. Mozilla will shorten the interval in steps; the six-week stretch between Firefox 70 and 71 will be reduced to five weeks between 71 and 72, and between 72 and 73.)
Not every video will play in PiP; those that do will display a small blue-backed “Picture-in-Picture” when the mouse cursor is hovered over the image. Clicking on that message deposits a frame on the desktop, video inside. The frame can be moved and resized at will.
And as Wood mentioned, the video is independent of the tab from which it spawned; that tab does not need to remain active and, in fact, the user can step outside the browser to another application’s window and the video will continue.
Firefox is somewhat late to the PiP party. Apple’s Safari now has PiP – as of the October upgrade, macOS Catalina – and Google’s browser has had it since Chrome 70 (an October 2018 upgrade). But Firefox’s implementation is significantly easier to use than Chrome’s, which required two right-clicks to initiate in Windows (and Computerworld was never able to successful call up PiP in Chrome on macOS).
Testing, testing of services
Other than PiP, Mozilla’s other Firefox 71 area of attention is further testing of its “Firefox Private Network” (FPN), the browser extension the company released in September. FPN accesses a VPN-like service that encrypts browser-to-site-and-back traffic and was free to Firefox Account holders in the test phase that kicked off then. Website security vendor Cloudflare provided the proxy server for FPV.
That September offer, however, has been shuttered.
Instead, a second testing phase launched alongside the debut of Firefox 71. Like the first, this “limited-time free service” relies on the FPN add-on to encrypt to-and-from-browser transmissions but comes with a major restriction: Usage tops out at 12 hours each month.
After signing up for the free deal, users are given a dozen passes, each good for an hour of encrypted traffic. “To claim a pass, simply turn Private Network on,” the beta’s explanatory page stated. “Use Firefox as usual, and your browsing will be encrypted and sent through a proxy service provided by our trusted partner Cloudflare. Passes expire after one hour, even if you turn Private Network off. You’ll receive 12 new passes at the beginning of each month.”
Mozilla suggested that users switch on FPV (and so use one of the month’s 12 passes) when relying on a public network, such as at a coffee shop or an airport.
As an alternative, Firefox users can request an invitation to a full VPN service, which for $4.99 month encrypts traffic to and from up to five devices. Mozilla called this a “paid beta.” The VPN service uses servers around the globe controlled by Mullvad, a Swedish VPN that sells its services for €5 per month. Initially, the Firefox offer only applies to users running Windows 10, although Mozilla said, “other platforms coming soon.”
Mozilla has struggled to create non-search related revenue streams – in 2018, the vast bulk of its income came from deals that put various search engines as the Firefox default – and this effort is the second time the organization has tapped a paid VPN as one solution.
Elsewhere in Firefox 71, Mozilla added a “kiosk” mode for businesses and the browser now notifies users when Enhanced Tracking Protection (ETP) blocks cryptominers.
Page 15
Firefox 70
Mozilla on Tuesday upgraded Firefox to version 70, enhancing its anti-tracking technology with new blockers that automatically stymie social media trackers and compiling reports so users can see what spying the browser has stopped.
Security engineers at Mozilla also included patches for 13 vulnerabilities, one marked “Critical” and three marked “High,” the organization’s two top threat ratings. The critical flaw was described as “memory safety bugs,” a label that’s present in virtually every Firefox upgrade’s patch list. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code,” Mozilla wrote in the accompanying security advisory.
Firefox 70 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla updates Firefox every six to eight weeks; it last upgraded the browser on Sept. 3.
Stops trackers from Twitter, Facebook, LinkedIn
Mozilla amped up its assault on trackers, the bits and pieces in websites and on pages that collectively allow advertisers — primarily but not exclusively them — to watch where users go on the web in an effort to piece together profiles, which in turn are used to deliver advertisements that, theoretically at least, should be more appealing and likely to trigger a purchase.
On the heels of Firefox 69, which switched on Enhanced Tracking Protection (ETP) for all users, Mozilla this version added trackers from several social media giants — Facebook, Twitter and the jobs-related LinkedIn (owned by Microsoft) — to the browser’s block list.
“Social networks place trackers on other websites to follow what you do, see, and watch online,” Mozilla wrote. “This allows social media companies to collect data about your browsing history and improve their ad targeting.”
Users can set social media blockers at two strength levels — Standard (the default) and Strict — just as they can blockers for other classes of trackers.
Privacy report card
Firefox 70 also introduced a basic privacy report that describes the number of times the browser blocked a tracker — broken down by cross-site, social media, fingerprinter and cryptominer categories — over the past week with totals segregated by day.
The report also displays the number of email addresses monitored for inclusion in publicly-known data breaches, the number of those breaches and how many passwords were leaked in those hacks. (The data comes from Firefox Monitor, which Mozilla introduced a year ago.)
To access the report, click the shield-like icon in the address bar — it’s at the far left of the bar — then select “Show Report” from the drop-down menu. Or type about:protections in the address bar and hit Enter to bring up the report.
Mozilla has ulterior motives in pushing the report. The more impressed users are by the report’s totals — particularly the number of blocked trackers, cookies and content both — the more likely they are to stick with Firefox and recommend it to others.
Firefox has held on for the last two months in the fight over user share, but it’s still in the sub-9% cellar. Mozilla has banked on its privacy work, notably ETP, to bring in new users (or bring back deserters), so the only surprise is that it waited until now to debut a report lauding its accomplishments.
Lock ’em up, Danno!
During the summer, Mozilla started showing off a built-in Lockwise password manager in an under-baked preliminary version of Firefox 70. In that same preview, Mozilla demonstrated how Lockwise worked alongside its already-available Firefox Monitor, a service that provides warnings to users when their saved passwords have been revealed by a data hack.
The release version of Firefox 70 puts the two — the Lockwise password manager and the Monitor password revelation tool — in the hands of all users. And almost the way Mozilla outlined it earlier.
While Lockwise will crank out a password for the user when she creates a new account on a site, it’s not possible to ask the manager to craft one of those very strong passwords for an existing, stored account. That’s a pity, because that feature comes in handy in a third-party password manager when its user is told — because of a data breach, for instance — to change a password. And make it strong while they’re at it.
Other parts of Lockwise, notably those that come courtesy of the marriage between Lockwise and Firefox Monitor, are there, said Mozilla, but not testable because Computerworld couldn’t come up with an account revealed by a breach. The collaboration as described sounds slick: Exposed accounts are to be marked on the Lockwise page with both an icon in the list on the left and with a more prominent note in the main section on the right. (A Mozilla video shows how it’s supposed to look and work.)
One bit that was planned for the merger between Lockwise and Monitor — the ability to sort accounts so that revealed-by-hack usernames and passwords would be at the top of the list — didn’t make the cut with Firefox 70, as it was absent in the version pushed to users Oct. 22.
Elsewhere in Firefox 70, Mozilla claimed that it significantly reduced the browser’s power consumption on macOS (and published a technical thicket of a piece explaining that).
The next version, Firefox 71 — and the last of the year — should launch Dec. 3.
Page 16
Firefox 69
Mozilla on Tuesday released Firefox 69 with the browser’s anti-tracking technology switched on by default for all users.
The organization’s security engineers also patched 20 vulnerabilities, one tagged “Critical” and 11 marked “High,” the organization’s two top threat ratings. The single critical flaw only affected Windows, Mozilla said in its patching commentary.
Firefox 69 can be downloaded from Mozilla’s site for Windows, macOS and Linux. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; it last upgraded the browser on July 9.
You get ETP and you get ETP and …
Mozilla first turned on Enhanced Tracking Protection (ETP) in June, but at the time limited the setting to new-to-Firefox users. However, existing customers could flip the ETP switch themselves using the Preferences screen.
With Firefox 69, Mozilla has enabled ETP for all users. By default, “Content Blocking” — the feature’s name in Firefox’s Preferences — is set to “Strict,” the strongest protection available. Users can reset that to “Standard” or “Custom,” or even turn off everything by clearing all choices in the latter.
Mozilla said that prior to Firefox 69’s debut, more than 20% of all Firefox users had ETP engaged, signaling that a significant number of existing users had manually enabled ETP in the past three months. “With today’s release, we expect to provide protection for 100% of our users by default,” wrote Marissa Wood, vice president of product at Mozilla, in a Sept. 3 post to a company blog.
ETP has taken a crooked road to release. Tracing its linage to 2015’s “Tracking Protection,” Mozilla got serious about the concept two years ago, when it broke the technology out of the private-browsing bubble. In October 2018, it named the feature ETP and set Firefox 65, slated to release in January 2019, as the on-by-default target. Problems persisted, however — in several instances Mozilla said the technology was breaking too many sites — and delays were inserted for more testing. Finally, Mozilla used a “soft opening” for ETP in June, limiting the automatic on-by-default to new users as a final quality control check.
Wood spelled out additional information about ETP in her Tuesday post.
Block this, block that
Also in Firefox 69, Mozilla’s developers enhanced the choices for autoplay, the habit by sites to immediately start playing video on the computer screen and blasting audio from its speakers.
Firefox has automatically blocked autoplay of audio since March and version 66. Video with accompanying audio was also stopped from playing. But if a video provider muted the audio, Firefox let the former play. With Firefox 69, users can select “Block Audio and Video” to stop such video from automatically playing.
That setting is at Preferences > Privacy & Security > Permissions > Autoplay > Settings > Default for all websites.
This version of Firefox also took the next step in Mozilla’s kill-Flash process.
The browser lost the “Always Activate” option for Flash, meaning that every request to run the player software must be user approved. From this point forward, the only settings are “Ask to Activate,” the default, and “Never Activate.”
This move was previously announced by Mozilla (check out the “Plugin Roadmap for Firefox” here) and should be the last step before all Flash support is yanked from non-enterprise copies. (The Extended Support Release, or ESR, will continue to support Flash until the end of 2020.)
The next version of the browser, Firefox 70, should release Oct. 22.
Page 17
Firefox 68
Mozilla on Tuesday released Firefox 68 for Windows, macOS and Linux, packing more insights into the browser’s add-ons and adding a slew of new group policies that enterprise IT administrators can use to better manage the browser.
Mozilla’s security engineers also patched 21 vulnerabilities, two labeled “Critical” and four marked “High,” the organization’s top two threat ratings. “We presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported in one advisory.
Firefox 68 can be downloaded from Mozilla’s site. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser was May 21.
Mozilla now recommends add-ons
Among the few noticeable changes to Firefox as of version 68, Mozilla trumpeted those affecting the browser’s add-ons — “extensions” in its terminology — that historically were one of its biggest weapons.
“We curated a list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness,” wrote Marissa Wood, vice president of product at Mozilla, in a post to the firm’s blog.
Earlier this year, Mozilla announced it would try to make add-ons more secure, saying it was launching an effort to “secure the extension ecosystem to better fulfill our brand promise of security and privacy for Firefox users.”
There’s no reason to doubt Mozilla’s sincerity, but the outfit must also be wondering how to restore Firefox’s reputation related to add-ons. When it shifted technologies, and demanded extension developers rewrite their work, that reputation suffered as some add-ons vanished. It didn’t help that Chrome continued to gain not only user share by leaps and bounds, but also grew the count of its browser extensions.
Banging the drum with recommendations is one way to again trumpet Firefox through add-ons.
Recommended add-ons are tagged with a special badge in the official add-on mart and are posted below the already-installed extensions in Firefox’s add-on manager. “Some of these recommendations are personalized,” claimed a note in the manager after upgrading to version 68. “They are based on other extensions you’ve installed, profile preferences, and usage statistics.”
Mozilla knows the above from the telemetry Firefox transmits from users to the company’s servers.
In documentation about the feature, Mozilla made clear that there’s no pay-for-play involved in the add-on recommendations. “Extension developers cannot pay for placement in the recommendation program, and Firefox does not receive any compensation as a result of this process,” Mozilla stated.
Also new to add-ons in Firefox 68: a way to report suspiciously malicious extensions, those that alter settings without permission or fly a false flag by claiming to be something they aren’t. In the add-on manager, users can now select “Report” from the same menu where they’ve long found “Disable” and “Remove.”
More enterprise policies
Another area of Firefox 68 that Mozilla emphasized involves group policies for IT managers. Enhancements to policies — and thus the browser’s suitability to enterprise use — were linked to the simultaneous release of Firefox ESR (Extended Support Release) 68, the version which stresses stability over sexy new features.
Unlike the standard Firefox, ESR receives only security updates during its tenure. (Prior to this week, the current ESR was based on Firefox 60, which debuted in early May 2018.) Every 14 months, Mozilla replaces the existing ESR with the then-current Firefox, then maintains both the old and new ESR versions during a multi-month overlap. Firefox ESR 60’s support overlap with ESR 68 began July 9, when the latter launched, and will end Oct. 22, when that date’s security patches will not be provided for the former.
“Today we’re adding a number of new enterprise policies for IT leads who want to customize Firefox for their employees,” said Mozilla’s Wood.
Among the new policies are ones that will allow administrators to remove the new tab page (NewTabPage) — perhaps to replace it with the business’s own intranet — and set and lock the downloads destination (DownloadDirectory) to comply with company guidelines of depositing files in the cloud, say.
A list of all policies supported by Firefox is available here, on GitHub; searches using 68 will find those new to this ESR. (The Firefox ESR 68-only policies are also listed at the top of this GitHub page.)
The next version of the browser, Firefox 69, should release Sept. 3.
Page 18
Firefox 67
Mozilla this week shipped Firefox 67 for Windows, macOS and Linux with performance improvements that — when added to improvements that over the past year — make the browser 80% faster, according to the company.
Other changes to Firefox that surfaced in version 66 ranged from customized private browsing sessions — such as letting a user enable add-ons while in so-called “porn mode” — to running multiple builds at the same time, a Firefox first.
Security engineers also patched 21 vulnerabilities, two of them labeled “Critical,” Mozilla’s most serious threat rating. “We presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported. More than half the bugs — 11 all told — were ranked as “High,” one step below Critical.
Firefox 67, which can be downloaded from Mozilla’s site, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 66, was March 19.
Faster, says Mozilla
Doubling down, really for the first time, on performance since the November 2017 launch of a revamped Firefox — one slapped with the nameplate “Quantum,” which never caught on — Mozilla touted new in-code prioritizations for the faster painting of pages.
“Firefox is better at performing tasks at the optimal time,” Marissa Wood, the recently appointed vice president of product, wrote in a post to a company blog, referring to the post-change version 67.
Wood cited several modifications that spurred Firefox’s speed, notably pushing the least-used features down the list so that they would be available only after a page has been drawn. “This includes prioritiz[ing] scripts for things you need first while delaying others to help make the main scripts for Instagram, Amazon and Google searches execute 40-80% faster,” Wood said. Elsewhere in the browser, idle tabs will now be suspended when available memory falls under 400MB; the contents of those tabs are reloaded if or when a user clicks back in.
Browser makers have long competed on speed. For a long while, however, incremental improvements have been hard to demonstrate, especially to desktop users typically riding a high-bandwidth wave, where vagaries in the connection may be more damaging to speed than any coding decision.
More recently, some browser developers have struck out all online ads — as does Brave, for instance — then trumpeted the obvious page-painting speed increases. Naturally, a page will display faster when less content is drawn; the same result could be achieved by barring all non-ad content.
It’s unclear whether Mozilla’s speed pitch will make a difference in its usage but there was little reason not to try; only last month did Firefox climb back to double digits in user share after lingering at 9% for nearly a year.
Also, more privacy
The other angle Wood touted on Firefox 67 is one of Mozilla’s cornerstones. “Privacy has always been core to Mozilla’s mission,” she acknowledged. After ticking off several past accomplishments in the arena, Wood highlighted additions that include options for blocking “digital fingerprinting” — an umbrella term for a slew of more-than-cookies tracking techniques to follow users as they browse — and unauthorized crypto-mining. The new settings will add to those already in place since the enhanced anti-tracking initiative kicked off last fall with Firefox 62. They’re tucked under the “Custom” portion of “Content Blocking” within the “Privacy & Security” pane of Preferences (macOS) or Options (Windows).
(Note: Not everyone will see the “Cryptominers” and “Fingerprinters” options immediately; Mozilla typically rolls out such improvements in stages to reduce problems if bugs surface. Computerworld found that only half its copies of Firefox offered the new options.)
Also under the Privacy label, Firefox 67 gives more control to users operating in Private Browsing, the mode that doesn’t record sites visited or save cookies for easier return visits. “Based on user feedback, we’re giving more controls for you to get the most out of [your] Private Browsing experience,” Wood said.
That amounted to options for enabling add-ons while using the mode and saving passwords while in Private Browsing. Traditionally, extensions have been barred as possible data leakers — not just in Firefox but in rivals’ own privacy modes — and as for passwords, well, saving those used in the mode makes as little sense as saving sites seen.
Those changes seem contrary to the concept of a privacy mode, but as they’re opt-in, they can be disregarded if desired. Mozilla justified their appearance with the line, “To bust a myth, private browsing doesn’t make you completely invisible on the internet.”
Elsewhere in Firefox 67, the version is the first to allow side-by-side installs of the browser. Playing to the pre-release crowd — those who would want to run, for instance, both Developer Edition and Beta for site testing purposes, or the stable release along with Beta to see what’s coming — the enhancement was broached back in January and promised for this edition.
The next version of the browser, Firefox 68, should release July 9.
Page 19
Firefox 66
Mozilla this week released Firefox 66, which by default now blocks all audio and video auto-play.
Other additions and enhancements to Firefox 66 included promised smoother scrolling, search within multiple tabs and clearer warnings of possible security problems on a website about to be rendered on the screen.
Engineers also patched 21 vulnerabilities, five of them labeled “Critical,” Mozilla’s highest threat ranking. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported.
Off with auto-play
The change to switch auto-play off by default was expected: More than a month ago, Mozilla announced that “with the release of Firefox 66 for desktop and Firefox for Android, Firefox will block audible audio and video by default.”
To view video and listen to audio, users can click on the displayed play button, Mozilla said. They can also pull up site-specific controls which will allow some destinations to begin playing as soon as the browser pulls up a page. Muted auto-play video will also continue to be allowed; sound-free video is currently supported by all the major browsers that block auto-play media.
Mozilla has been playing catch-up here to the likes of Google, which led in stymying audio auto-play. As long ago as 2013, Chrome blocked audio that blasted from opened tabs. Last year, it added stricter controls over auto-play, though it declined to block every site’s audio.
Firefox 66 does much the same. “Subsequent videos will play automatically, just as the site intended … ((on)) all streaming sites including Netflix, Hulu and YouTube,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a March 19 post to a company blog.
Like many Firefox features, the auto-play blocking will be rolled out in stages, Mozilla said. Its plan: Offer it to 50% of users by March 21, all by March 26.
Unblocked for now: auto-play JavaScript Web Audio content, which is typically relegated to older web apps and online games. In early February, Mozilla said it was “working on blocking auto-play for Web Audio content” and was hoping to add blocking for that this year. Google added automatic blocking of auto-play Web Audio content in Chrome 66, but almost immediately backed off after users and developers complained that the change broke too many games and apps. Google restored the auto-play blockade with Chrome 71, which shipped in December 2018.
The staged roll-out was designed so that if Firefox 66 runs into the same kind of headwinds, Mozilla can quickly call a stop.
Streamline searches and security alerts
Firefox 66 added a search function to the tab overflow menu — that’s under the downward-facing arrow at the far right when there are numerous open tabs — that automatically inserts a percentage sign (%) in the address/search bar. Any searches then show pertinent open tabs in the drop-down list.
Improvements were also made to the baked-in warnings that appear when the browser believes there’s a problem with the site-to-be-seen’s digital certificate. Legitimate certificates prove the site is what it claims it is. “If something isn’t right, you’ll get a security warning,” Nguyen said. “We’ve updated these warnings to be simple and straightforward safe.” Last week, Mozilla posted “Before” and “After” examples here.
The next upgrade, Firefox 67, should reach users on May 14, according to the browser’s current release calendar.
Page 20
Firefox 65
Mozilla today released Firefox 65 for Windows, macOS and Linux and called out new user controls for setting the desired level of anti-ad tracking by the browser.
Developers also patched seven vulnerabilities, three tagged as “Critical,” Mozilla’s highest threat ranking. “This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash,” Mozilla said, referring to a “use-after-free” bug in the browser.
Firefox 65, which can be downloaded from Mozilla’s site, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 64, was Dec. 11.
Anti-ad tracking stays off by default
Mozilla’s most ambitious initiative for Firefox last year was the introduction of “Enhanced Tracking Protection,” its name for blocking cross-site tracking, the page-embedded trackers that sites or ad networks use to follow users around the web. The October debut of the feature was touted by Mozilla as a more surgical version of the broader content blocking that had broken some websites and caused confusion.
Enhanced Tracking Protection was off by default in Firefox 63, but Mozilla said that it would be switched on as of early 2019, implying that meant with Firefox 65.
Nope.
“Before we roll this feature out by default, we plan to run a few more experiments and users can expect to hear more from us about it,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a Jan. 29 post to a company blog.
Instead, Firefox 65 sports a revamped settings section dubbed “Content Blocking.” Nguyen said the redesigned settings were prompted by additional testing.
The section is more visible and included more information about the impact of switching tracking protection on. To do that, users have to select Options (Windows) or Preferences (macOS) from the menu under the three horizontal bars at the upper right, click “Privacy & Security” in the sidebar at the left, and then under the section labeled “Content Blocking,” select the radio button marked “Strict.”
A “Custom” radio button is also available for users who want to, say, block ad trackers but not cookies, or vice versa.
More information about Content Blocking can be found on the support website dedicated to Firefox.
Redesigned Task Manager
Firefox 65’s other prominent addition is to the Task Manager page, displayed after entering about:performance in the address bar. The manager reports on memory and energy (read, battery) usage for each tab and add-on, then offers a quick way for users to close a gluttonous tab or disable a misbehaving extension.
The Windows version of Firefox 64 also now supports AV1 video compression, a royalty-free standard backed by a group — Alliance for Open Media (AOMedia) — whose members include Mozilla, Amazon, Apple, Facebook, Google, Intel, Microsoft, Netflix and others. David Bryant, a Mozilla Fellow who leads the organization’s Emerging Technologies team, spelled out AC1 and Firefox’s support in a separate post on Medium.com.
“We think someone’s ability to participate in online video shouldn’t be dependent on the size of their checkbook,” Bryant said.
The next upgrade, Firefox 66, should reach users on March 19, according to the browser’s release calendar.
Page 21
Firefox 64
Mozilla released Firefox 64 for Windows, macOS and Linux with an embedded recommendation system that spotlights features and suggests specific add-ons based on how users work the browser and where they steer it on the web.
Engineers also patched 11 vulnerabilities in Firefox. Two were marked “Critical,” Mozilla’s highest threat ranking. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla said in the advisory posted to the web.
Firefox 64, which can be downloaded here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 63, was Oct. 23, or seven weeks ago.
It’s CFR, not CPR
Firefox 64 introduces what Mozilla calls “Contextual Feature Recommender,” aka CFR, a feature currently available only to U.S. users running the browser in standard mode (not in Private Browsing mode). “CFR is a system that proactively recommends Firefox features and add-ons based on how you use the web,” said Nick Nguyen, Mozilla’s vice president of product strategy, in a Dec. 11 post to a company blog.
Essentially, CFR points out potentially-useful features and add-ons to Firefox users. At root, it’s a way for Mozilla to make the case that its browser is more personalized and more productive than rivals such as Google’s Chrome, which sports a market share seven times Firefox’s and offers significantly more add-ons.
Nguyen cited examples such as tab pinning — a feature that permanently places some sites’ tabs on the tab bar — that Mozilla might recommend a user. He also named three add-ons CFR could prescribe for those who spent substantial time on Facebook and YouTube, or who frequently called on Google Translate to interpret foreign-language websites.
Nguyen also swore that CFR sends no data to Mozilla, an important note in light of the organization’s stance on user privacy. “The entire process happens locally in your copy of Firefox,” Nguyen said.
All about tabs in the end
Firefox 64 also added some twists to tab management that let users grab, then perform an action on multiple tabs simultaneously. Users can now, for instance, select a stretch of tabs by pressing Shift as they click on the first and last tabs in the span.
A more flexible maneuver is available, too: Pressing Ctrl (Windows) or Command (macOS) while clicking allows users to select non-contiguous tabs. Once selected, the several tabs can be moved, bookmarked, pinned or deleted as a block.
Chrome already has this tab-handling capability, but others, including Apple’s Safari and Microsoft’s Edge, do not.
Firefox 64 now shows how much “energy impact” each tab represents when the user types about:performance in the address bar to bring up the browser’s task manager. The page is in the midst of a revamp, and Mozilla engineers have said that memory consumption — another important metric for browsers — will be added in the next iteration.
Elsewhere in the browser, Firefox 64 dropped support for all Symantec-issued SSL (Secure Socket Layer) certificates. The move, which was triggered by a consensus among browser makers that Symantec and its partners had improperly issued certificates, violating the rule set by the CA/Browser Forum, a standards groups whose members include browser developers and certificate authorities.
Firefox’s final step in its “distrust” process was originally supposed to take effect with version 63. But Mozilla delayed the ban, saying in October that too many sites had not switched to a different certificate supplier at the time. Instead, Mozilla gave Firefox 64 the honors.
The next upgrade, Firefox 65, should reach users on Jan. 29 according to the browser’s release calendar.
Page 22
Firefox 63
Mozilla released Firefox 63 for Windows, macOS and Linux, boosting its anti-ad tracking defense by offering an option that blocks cookies from third-party trackers.
Engineers also patched 14 vulnerabilities in Firefox. Just two of them were marked “Critical,” Mozilla’s highest threat ranking; three others were tagged “High,” the next rank down.
Firefox 63, which can be downloaded here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 62, was Sept. 5, or just shy of seven weeks ago.
Enhanced Tracking Protection
Firefox 63 upped anti-tracking, dubbing the improved defense a component of “Enhanced Tracking Protection,” a new name for a Mozilla effort pursued over several iterations of the browser.
An older label — “Tracking Protection” — was given to the feature in Firefox 57, last year’s huge overhaul named “Quantum,” which let users block tracking cookies in all sessions, not just the private browsing mode in which Tracking Protection debuted in 2015.
Tracking Protection did what its title implied: It blocked a range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users around the Web. The problem, though, is that when Tracking Protection was switched on, it broke things. “The reality is that Firefox’s original Tracking Protection functionality can cause websites to break, which confuses users,” said Peter Dolanjski, project lead for Firefox, in an Oct. 23 post.
Enhanced Tracking Protection is much the same: It blocks tracking cookies and the access to in-browser those cookies need to operate, blocking most common cross-site tracking. But it does so in less draconian fashion. “The feature more surgically targets the problem of cross-site tracking without the breakage and wide-scale ad blocking which occurred with our initial Tracking Protection implementation,” contended Dolanjski.
According to Mozilla, the Enhanced feature should break or disrupt fewer sites. And for those it does, there’s a way for the user to back away from the blocking. “You might see some odd behavior on websites, so if something doesn’t look or work right, you can always disable the protection on a per-site basis by clicking on the Shield icon in the address bar, and then clicking ‘Disable Blocking For This Site,'” wrote Nick Nguyen, the firm’s vice president of product strategy, in a post to a company blog.
Enhanced Tracking Protection is off by default in Firefox 63. To switch it on, users must select Options (Windows) or Preferences (macOS) from the menu under the three horizontal bars at the upper right. Click “Privacy & Security” in the sidebar at the left, then check the box marked “Third-Party Cookies” under the phrase “Choose what to block.” The radio button marked “Trackers (recommended) should be pre-selected. If not, select it.
Previously, Mozilla had said that anti-tracking would be in place and on for everyone by Firefox 65, currently scheduled to ship Jan. 29, 2019. That still seems to be the plan. “We’ll continue to test this feature and hope to release it by default early 2019,” said Nguyen.
Streamlined search
Firefox 63’s other prominent addition is to search with something Mozilla named “Search shortcuts,” which appear on the browser’s new tab page.
A pair of icons, one marked “Google” the other “Amazon,” shift the cursor to Firefox’s address bar (Mozilla refers to that as the “Awesome bar” at times) with the long-available @google or @amazon search keyword already in place. Anything typed in the address bar after the keyword then becomes the search string on the designated site.
The advantage? The user need not wait for the google.com or amazon.com page to load before searching.
Not everyone with Firefox 63 will see the shortcuts immediately. (Computerworld staffers using Firefox, for example, were sans the search icons in their browsers’ new tab pages.) As it often does, Mozilla is enabling the feature in stages.
The Amazon shortcut is also a money maker for Mozilla, as purchases made by users via such searches will generate revenue to the developer through the e-seller’s affiliate program. “In the spirit of full transparency … we anticipate that some of these search queries may fall under the agreements with Google and Amazon, and bring business value to the company,” said Maria Popova, senior product manager for Firefox, in an Oct. 17 post. “Not only are users benefiting from a new utility, they are also helping Mozilla’s financial sustainability.”
The next edition, Firefox 64, should reach users Dec. 11, according to the browser’s release calendar.
Firefox 62
Last month’s upgrade to Firefox — Mozilla issued version 62 on Sept. 5 — featured relatively few changes or enhancements. Among the new: An expansion to four rows of sites available on the new tab page, and an automatic sandboxing of the AutoConfig file for enterprise use. (AutoConfig can be used by IT administrators to lock settings that cannot be accessed by group policies in Windows or the policies.json file in macOS and Linux.)
When Firefox 62 debuted, Mozilla reminded users that it intended to drop support for all Symantec-issued SSL (Secure Socket Layer) certificates with the next upgrade, this week’s Firefox 63. Instead, Mozilla balked at the move.
On Oct. 10, it declared it would delay the “distrust” of the certificates, citing a too-large number of websites that had yet to switch to different certificate supplier. “We believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users,” wrote Wayne Thayer, Mozilla’s Certificate Authority program manager, in a blog post.
The Symantec distrust will now take effect with Firefox 64 in December, Thayer added.
Page 23
Firefox 61
Mozilla on Tuesday delivered Firefox 61 for Windows, macOS and Linux, claiming that the browser’s page-painting speed has been improved and that switching tabs is faster than before.
The developer’s engineers also patched 18 vulnerabilities in Firefox, a third of them marked “Critical,” the highest threat ranking in a four-step system.
Firefox 61, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 60, was May 9, or just shy of seven weeks ago.
Perform or else
With Firefox 61, Mozilla returned to trumpeting performance, one of the primary touts used when it rolled out the revamped — and newly named — Firefox Quantum in November.
At the top of the list were, well, lists: “Retained display lists.”
Those are actual lists the browser composes of the elements needed to display a page, then sorted in a back-to-front fashion for proper painting of each component. Before Firefox 61, the browser built a new display list from scratch each time a page required updating. “This is great for simplicity: we don’t have to worry about figuring out which bits changed or went away. Unfortunately, the process can take a really long time,” Matt Woodrow, a senior staff software engineer, said in a Monday post to a Mozilla blog.
The re-creation of display lists impacts page-painting performance, particularly with video, which is best viewed with updates 60 times per second. “This has always been a performance problem, but as websites have become more complex and more users have access to higher resolution monitors, the problem has been magnified,” Woodrow contended.
Instead, Firefox now retains the parts of the display list that haven’t changed from the just-prior compilation, building a new display list “only for the parts of the page that changed since we last painted and then merge the new list with the old,” according to Woodrow. The results: Page painting times fell by an average of 33% and there was an almost 40% decrease in dropped frames blamed on list making. Almost as important, freeing the browser from rebuilding the list means the application — and the horsepower behind it in the device’s silicon — can be applied to other tasks.
Warm up those tabs
In the Windows and Linux versions of Firefox 61, Mozilla debuted a feature it called “tab warming,” that promises faster tab-to-tab switching.
As a user slides the mouse pointer toward and over a tab, Firefox detects the movement. The browser then preemptively renders the layers for the tab’s (or tabs’) display(s) and uploads those layers to the page compositor, “when we’re pretty sure you’re likely to switch to that tab,” said Mike Conley, a Firefox developer, in a post to his personal blog.
Switching tabs using key combinations — on a Mac, it’s Control-Tab — will not receive the same preemptive loading.
Conley downplayed the feature. “For many cases, I don’t actually think tab warming will be very noticeable; in my experience, we’re able to render and upload the layers2 for most sites quickly enough for the difference to be negligible,” he wrote in that same post.
Don’t forget security
Mozilla fixed 18 different security flaws in the Firefox 61 update — patches are a part of almost every upgrade — six of which were tagged “Critical,” the company’s most-serious ranking.
Also on the security front, Firefox 61 set support for the latest draft of TLS 1.3 as on-by-default. TLS 1.3 is an Internet-standard cryptographic protocol for encrypting the traffic between browser and site server; it was officially approved earlier this year.
Browser support for TLS 1.3, at least in an on-by-default setting, has been shaky. Last year, Chrome turned it on, but later back off when site and service incompatibilities popped up. Google’s browser has yet to switch TLS 1.3 support on as the default.
Page 24
Firefox 60
Mozilla this week released Firefox 60 for Windows, macOS and Linux, enabling a previously-only-tested policy engine so IT admins can manage the browser within the enterprise.
Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.
Mozilla usually updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 59, was March 13, or eight weeks ago.
Quantum Enterprise goes live
In March, Mozilla asked for corporate volunteers to help it test a new policy engine that it would add to Firefox Quantum — the secondary name the developer slapped on its browser in late 2017 after a major redesign and recoding — so IT could administer the application through Group Policy on Windows.
As planned, Mozilla enabled the policy engine in Firefox 60, making it possible for the first time to manage the browser. “Firefox now supports a long-requested feature — the ability for IT professionals to easily configure the browser using Windows Group Policy or a cross-platform JSON file,” crowed Ryan Pollock, who leads Firefox product marketing, in a post to a company blog Wednesday.
Windows Group Policy is the de facto standard for software administration in the enterprise and is well-known to IT. Shops also running macOS or Linux — or those few that rely only on those operating systems — can instead add a .json (JavaScript Object Notation) file to Firefox’s installation folder/directory. Mozilla has provided Group Policy templates and documented the construction of .json files on GitHub or its own support site. A listing of all the policies currently supported are also posted on GitHub.
Organizations can deploy either the standard Firefox, which Pollack referred to as “Rapid Release” in a nod to its every-six-week update cadence, or the long-available Extended Support Release (ESR). The latter remains feature-stable for about a year, receiving only security fixes during that time. At the end of a year, a new ESR build is produced from the then-latest Firefox.
Pollack touted Firefox’s speed, something Mozilla has hung much of its Quantum marketing around, the Mozilla Foundation’s emphasis on user privacy, and, of course, the new management skills in his pitch to corporations. Left unsaid was Mozilla’s historical neglect of the enterprise: It kicked off ESR in 2012, but then took six years to add basic management through Group Policy.
The move also signals that Mozilla is actively after customers anywhere it can find them. Although Quantum collected praise from many reviewers when it launched last year, the overhaul has not returned the browser to growth, as tracked by independent metrics companies. U.S.-based vendor Net Applications, for example, has recorded an 11% decrease in Firefox’s user share since Quantum’s November debut.
Tokens replace passwords
Firefox 60 also added support for the WebAuthn API (application programming interface), which is enabled by default.
A W3 (World Wide Web Consortium) standard — albeit not finalized — WebAuthentication (truncated to WebAuthn) provides two-factor authentication for website log-ins using hardware keys that generate FIDO U2F tokens. Those keys, typically USB devices, are sold under names such as U2F Zero, ePass and Yubikey at prices ranging from $9 to $50.
Although Firefox 60 is the first browser to support WebAuthn, Google was a major driver of FIDO U2F; its Chrome has supported the keys since version 38 in 2014.
“WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a company blog post Wednesday. “It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints.”
So, while Firefox 60 does not do away with log-on passwords, by supporting WebAuthn — and assuming site developers adopt the standard — Firefox in the future may do so with next-generation hardware keys.
Mozilla also patched 26 security vulnerabilities in Firefox 60, two of which were marked “Critical,” the company’s most serious threat ranking.
The next edition, Firefox 61, should reach users June 26, according to the browser’s release calendar.
Page 25
Firefox 59
Mozilla on Tuesday released Firefox 59 for Windows, macOS and Linux, continuing the trend of pushing performance improvements begun late last year.
Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.
Mozilla usually updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 58, was Jan. 23, or seven weeks ago.
Pages load faster after cache changes
Firefox 59 stayed on Mozilla’s 2017 theme train — more speed — that debuted with November’s launch of the first named edition, tagged as “Quantum,” with claims of faster load times for the content on the browser’s Home page. That content ranges from a series of frequently-visited websites and recommendations from the user-driven Pocket URL saver to examples of pages the user recently bookmarked.
Mozilla also switched on something called “Race Cache with Network” (RCWN), technology that alters the standard method of caching pages to memory that have been rendered previously. Caching, one of the most basic techniques to speed up the display of web pages in a browser, normally saves those pages to computer memory or the local disk drive.
RCWN, however, adds a network cache — in other words, off-site storage of the page — to the mix, then pits that against a local cache in a race to see which source delivers first. (Many ISPs, or Internet service providers, cache the most popular websites on multiple servers, placed throughout its area of service, to reduce the time it takes for customers to grab content.)
“When we detect that disk I/O may be slow, we send a network request in parallel, and we use the first response that comes back,” wrote Valentin Gosu, a Mozilla engineer, in a 2017 post to a developers’ discussion thread. “For users with slow-spinning disks and a low-latency network, the result would be faster [page] loads.”
Finally, the “Off-Main-Thread painting” that Mozilla added to Firefox 58 for Windows in January has made it to macOS this iteration. Off-Main-Thread shifts some of the page rendering work — executing the graphics draw commands and thus generating the pixels to be put on the display — to a processor thread all its own. By reducing the main thread’s workload, it’s more likely that Firefox will be able to compose pages in time to keep high frame rate jobs from skipping frames.
More new tab page customization options
Firefox 59 also introduced additional customization choices for the Home page, which doubles as the new tab page (what appears when creating a new tab through, say, pressing Ctrl-T in Windows or Command-T in macOS). The “Top Sites” thumbnails of the most-frequently visited URLs can now be dragged and dropped to rearrange the small images.
Other elements in the new tab page may also be personalized to show more than a single line of top sites, or to eliminate, for example, the Pocket or Highlight sections entirely.
Elsewhere, Firefox’s preferences now include opt-in settings that will block all future requests to turn on in-browser notifications, switch on the device’s camera or microphone, or enable location detection. While all of those features have been, and are, used in reasonable fashion by legitimate websites, less courteous — or simply scammy — URLs have poisoned the well by demanding those permissions without good reason.
Trusted sites can be allowed access or individual websites blocked through a combination blacklist/whitelist.
Testing starts for Quantum Enterprise
As Mozilla delivered Firefox 59, it also began taking requests from company IT administrators to participate in an invitation-only beta of Firefox Quantum for Enterprise.
While the enterprise browser will be identical to that issued to everyone else, Mozilla intends to provide a policy engine, one compatible with Windows Group Policy — the de facto standard for software administration — with the browser. That will be a first for the open-source developer.
“Firefox 60 will include a policy engine that increases customization possibilities and integration into existing management systems,” Mozilla said in January when it announced the plan.
Although the initial release will support a “limited number” of policies, Mozilla said it would expand that list based on enterprise user feedback. That feedback is what the company is after now, in fact: The beta is intended to gather impressions and make changes before May, when Firefox 60 and the policy engine, are slated to ship.
Administrators can sign up for the beta here.
For more information on the policy engine, admins should steer for the introductory instructions on this page.
Mozilla also patched 18 security vulnerabilities in the just-released version, two of which were marked “Critical,” the company’s most serious threat ranking.
The next edition, Firefox 60, should reach users May 9, according to the browser’s release calendar.
Page 26
Firefox 58
Mozilla last week released Firefox 58 for Windows, macOS and Linux, building on the break-from-the-past Quantum edition of November by boosting page load speeds with changes to how the browser handles JavaScript.
Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, click the help icon — the question mark within a circle — after pulling up the menu under the three horizontal bars at the upper right. Choose “About Firefox.” The ensuing page shows that the browser is either up to date or details the updating process.
Mozilla usually updates Firefox every six to eight weeks, although the interval tends to lengthen around the end of each year; the last time it upgraded the browser, to version 57, aka “Quantum,” was Nov. 14, or 10 weeks ago.
New JavaScript cache
Firefox 58 continued Quantum’s theme of 2017 — a need for speed — with changes to the browser’s storage and retrieval of JavaScript code. Dubbed “JavaScript Startup Bytecode Cache” (JSBC), the enhancements trade memory for faster page load times.
“The JSBC aims at improving the startup of web pages by saving the bytecode of used [JavaScript] functions in the network cache,” Nicolas Pierron, a compiler engineer at Mozilla, wrote in a December post to a company blog. To reach a reasonable balance — one that increases speed with the best return from the additional memory used by the cache — JSBC only kicks into gear at the fourth visit to a website. On sites that frequently load JavaScript, JSBC cut load times by as much as 12% (on Facebook), although most test results, said Pierron, were in single digits (Amazon: 5%; Wikipedia: (8%).
The downside: More memory is consumed by dedicating it to storing the JavaScript. Pierron did not spell out the memory cost of implementing JSBC, however.
More multi-threading
Firefox 58 also introduced another speed-centric change, this one consistent with Mozilla’s work to separate into different CPU processes the steps used to compose a web page. Characterizing the change as one that “more efficiently paints your screen, using a dedicated CPU thread,” particularly to improve JavaScript frame rate, Mozilla labeled it as “Off-Main-Thread painting.” The effort is for Windows only, Mozilla noted.
Previously, the bulk of the page composition was done on a single processor thread, but Off-Main-Thread shifts some of the work — executing the graphics draw commands and thus generating the pixels to be put on the display — to a thread all its own. By reducing the main thread’s workload, it’s more likely that Firefox will be able to compose pages in time to keep high frame rate chores from skipping frames.
Like JSBC, Off-Main-Thread takes aim at JavaScript, because it’s often JavaScript code that is producing the content with high frame rates. On Windows, Mozilla claimed a 30% boost to frame rate on a benchmark that stressed the processor with JavaScript.
Better Tracking Protection
Mozilla also spent time in its standard on-release blog post to hype an older feature, Tracking Protection. With Firefox 57 (Quantum), Mozilla opened the opt-in to all sessions, not just the private browsing mode in which Tracking Protection debuted two years ago.
Tracking Protection does just what the label implies: When enabled, it blocks a wide range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users from one site to another.
Historically, Mozilla has touted Tracking Protection as a win for individuals’ online privacy, a message in line with the company’s broader theme that its products, Firefox in particular, are designed as privacy-first. Now, however, Mozilla has bent that pitch to align with its overall need-for-speed mantra.
“In addition to protecting their privacy, users actually have a better, faster experience with the web when pages load without trackers,” argued Nick Nguyen, Mozilla’s top Firefox executive, in a post to a company blog last week. On average, page load times were cut in half compared to Firefox with Tracking Protection disabled, Nguyen said.
Many content blockers — ranging from those that specialize in stymying ads to those that remove everything but a page’s text — make the same claim, of course. By stripping a page of some of its content, it will load faster.
Mozilla patched 32 security vulnerabilities in the just-released version, only one of them marked “Critical,” the firm’s highest ranking.
The next edition, Firefox 59, should reach users March 12, according to the browser’s release calendar.