Mozilla files arguments against the FCC – latest step in fight to save net neutrality

Today, Mozilla is filing our brief in Mozilla v. FCC – alongside other companies, trade groups, states, and organizations – to defend net neutrality rules against the FCC’s rollback that went into effect early this year. For the first time in the history of the public internet, the FCC has disavowed interest and authority to protect users from ISPs, who have both the incentives and means to interfere with how we access online content.

We are proud to be a leader in the fight for net neutrality both through our legal challenge in Mozilla v. FCC and through our deep work in education and advocacy for an open, equal, accessible internet. Users need to know that their access to the internet is not being blocked, throttled, or discriminated against. That means that the FCC needs to accept statutory responsibility in protecting those user rights — a responsibility that every previous FCC has supported until now. That’s why we’re suing to stop them from abdicating their regulatory role in protecting the qualities that have made the internet the most important communications platform in history.

This case is about your rights to access content and services online without your ISP blocking, throttling, or discriminating against your favorite services. Unfortunately, the FCC made this a political issue and followed party-lines rather than protecting your right to an open internet in the US. Our brief highlights how this decision is just completely flawed...

Using Brotli compression to reduce CDN costs

The Snippets Service allows Mozilla to communicate with Firefox users directly by placing a snippet of text and an image on their new tab page. Snippets share exciting news from the Mozilla World, useful tips and tricks based on user activity and sometimes jokes.

To achieve personalized, activity based messaging in a privacy respecting and efficient manner, the service creates a Bundle of Snippets per locale. Bundles are HTML documents that contain all Snippets targeted to a group of users, including their Style-Sheets, images, metadata and the JS decision engine.

The Bundle is transferred to the client where the locally executed decision engine selects a snippet to display. A carefully designed system with multiple levels of caching takes care of the delivery. One layer of caching is a CloudFront CDN.

Working around the extension popout-tab refusing to close on Firefox for Android

How do you close an web extension popout-winndow (the small window that appears when you click on on extension’s toolbar button)? On the desktop, all you need is a simple window.close(). Because of the limited available screen space Firefox on Android have popout-tabs instead of popout-windows. Users can dismiss these tabs by pressing the back button, closing them manually, or switching to another tab. However, they’re deceptively difficult to close pragmatically.

This article was last verified for Firefox 61, and applies to Firefox for Android versions 57 and newer.

It’s common for web extension popout-windows to close themselves after the user has completed an action in them. While many web extensions work on Firefox for Android, users often have to manually close the popout-tabs on their own.

These Weeks in Firefox: Issue 42

Dweb: Building a Resilient Web with WebTorrent

WebTorrent is the first torrent client that works in the browser. It’s written completely in JavaScript – the language of the web – and uses WebRTC for true peer-to-peer transport. No browser plugin, extension, or installation is required.

Using open web standards, WebTorrent connects website users together to form a distributed, decentralized browser-to-browser network for efficient file transfer. The more people use a WebTorrent-powered website, the faster and more resilient it becomes.

Bitslicing, An Introduction

Bitslicing (in software) is an implementation strategy enabling fast, constant-time implementations of cryptographic algorithms immune to cache and timing-related side channel attacks.

This post intends to give a brief overview of the general technique, not requiring much of a cryptographic background. It will demonstrate bitslicing a small S-box, talk about multiplexers, LUTs, Boolean functions, and minimal forms.

Firefox Security Add-on on 222k Devices Found Sending Browsing Data to Remote German Server

There is a popular browser add-on which is installed by 222,746 Firefox users according to Mozilla’s own statistics of add-on downloads. According to a German security blogger, Mike Kuketz, and the author of uBlock Origin, Raymond Hill, this particular add-on has been spying on users’ activity by tapping into their browser histories and keeping track of the web pages that they visit. This add-on is the Web Security extension for the Mozilla Firefox browser.

Web Security is designed to protect users from online phishing and malware attacks that could potentially steal personal information. This comes across as ironic as the extension is found to be unethically keeping tabs (pun intended) on your own information, evading your privacy without your consent. The reason that this news is hitting the stands so massively is that the add-on was publicized by Mozilla itself in a blog post just last week. The add-on boasts fantastic reviews and that’s why it is used so widely by so many people too.

Time Dilation

I riffed on this a bit over at twitter some time ago; this has been sitting in the drafts folder for too long, and it’s incomplete, but I might as well get it out the door. Feel free to suggest additions or corrections if you’re so inclined.

You may have seen this list of latency numbers every programmer should know, and I trust we’ve all seen Grace Hopper’s classic description of a nanosecond at the top of this page, but I thought it might be a bit more accessible to talk about CPU-scale events in human-scale transactional terms. So: if a single CPU cycle on a modern computer was stretched out as long as one of our absurdly tedious human seconds, how long do other computing transactions take?

Licensing Edgecases

While I’m not a lawyer – and I’m definitely not your lawyer – licensing questions are on my plate these days. As I’ve been digging into one, I’ve come across what looks like a strange edge case in GPL licensing compliance that I’ve been trying to understand. Unfortunately it looks like it’s one of those Affero-style, unforeseen edge cases that (as far as I can find…) nobody’s tested legally yet.

I spent some time trying to understand how the definition of “linking” applies in projects where, say, different parts of the codebase use disparate, potentially conflicting open source licenses, but all the code is interpreted. I’m relatively new to this area, but generally speaking outside of copying and pasting, “linking” appears to be the critical threshold for whether or not the obligations imposed by the GPL kick in and I don’t understand what that means for, say, Javascript or Python.

TLS 1.3 Published: in Firefox Today

On friday the IETF published TLS 1.3 as RFC 8446. It’s already shipping in Firefox and you can use it today. This version of TLS incorporates significant improvements in both security and speed.

Transport Layer Security (TLS) is the protocol that powers every secure transaction on the Web. The version of TLS in widest use, TLS 1.2, is ten years old this month and hasn’t really changed that much from its roots in the Secure Sockets Layer (SSL) protocol, designed back in the mid-1990s. Despite the minor number version bump, this isn’t the minor revision it appears to be. TLS 1.3 is a major revision that represents more than 20 years of experience with communication security protocols, and four years of careful work from the standards, security, implementation, and research communities (see Nick Sullivan’s great post for the cool details).

Chatting with your website visitors through Chatra

When I started the blog, I didn’t add a message board below each article because I don’t have the time to deal with spam. Due to broken windows theory, if I leave the spam unattended my blog will soon become a landfill for spammers. But nowadays many e-commerce site or brand sites have a live chatting box, which will solve my problem because I can simply ignore spam, while interested readers can ask questions and provide feedbacks easily. That’s why when my sponsor, Chatra.io, approached me with their great tool, I fell in love with it right away and must share it with everyone.

Send: Going Bigger

Send encrypts your files in the browser. This is good for your privacy because it means only you and the people you share the key with can decrypt it. For me, as a software engineer, the challenge with doing it this way is the limited API set available in the browser to “go full circle”. There’s a few things that make it a difficult problem.

The biggest limitation on Send today is the size of the file. This is because we load the entire thing into memory and encrypt it all at once. It’s a simple and effective way to handle small files but it makes large files prone to failure from running out of memory. What size of file is too big also varies by device. We’d like everyone to be able to send large files securely regardless of what device they use. So how can we do it?

The first challenge is to not load and encrypt the file all at once. RFC 8188 specifies a standard for an encrypted content encoding over HTTP that is designed for streaming. This ensures we won’t run out of memory during encryption and decryption by breaking the file into smaller chunks. Implementing the RFC as a Stream give us a nice way to represent our encrypted content.

Never patterns, exhaustive matching, and uninhabited types (oh my!)

One of the long-standing issues that we’ve been wrestling with in Rust is how to integrate the concept of an “uninhabited type” – that is, a type which has no values at all. Uninhabited types are useful to represent the “result” of some computation you know will never execute – for example, if you have to define an error type for some computation, but this particular computation can never fail, you might use an uninhabited type.

Firefox DevEdition 62 Beta 18 Testday, August 17th

We are happy to let you know that Friday, August 17th, we are organizing Firefox 62 DevEdition Beta 18 Testday. We’ll be focusing our testing on Activity Stream, React Animation Inspector and Toolbars & Window Controls features. We will also have fixed bugs verification and unconfirmed bugs triage ongoing.

How to DoH-only with Firefox

Firefox supports DNS-over-HTTPS (aka DoH) since version 62.

You can instruct your Firefox to only use DoH and never fall-back and try the native resolver; the mode we call trr-only. Without any other ability to resolve host names, this is a little tricky so this guide is here to help you. (This situation might improve in the future.)

In trr-only mode, nobody on your local network nor on your ISP can snoop on your name resolves. The SNI part of HTTPS connections are still clear text though, so eavesdroppers on path can still figure out which hosts you connect to.

[...]

network.trr.uri - set this to the URI of the DoH server you want to use. This should be a server you trust and want to hand over your name resolves to. The Cloudflare one we've previously used in DoH tests with Firefox is https://mozilla.cloudflare-dns.com/dns-query.

#5 State of Mozilla Support: 2018 Mid-year Update – Part 5

We are happy to share with you the final post of the series, which started with two external research report analyses, moved on to sharing updates and plans for support forums, social support, and localization, and now is about to conclude with our strategic summary.

Rep of the Month – July 2018

Please join us in congratulating Lívia Takács, our Rep of the Month for July 2018!

Livia is a UI developer and visual designer from Hungary and has been part of the Reps program for a bit more than a year. In that time she organized a lot of events with different communities (like LibreOffice) and also workshops.

Updated Firefox 61.0.2 includes Bug Fixes and Automatic Recovery feature for Windows

The latest update to Firefox 61.0.2 adds support for automatic restoring of Firefox session after Windows is restarted. Presently this feature is not available by default for majority of users but will possibly be enabled gradually in the coming few weeks.

Make your Firefox browser a privacy superpower with these extensions

Privacy is important for everyone, but often in different ways. That’s part of why Firefox Extensions are so powerful. Starting with a browser like Firefox, that’s built for privacy out of the box, you can use extensions to customize your browser to suit your personal privacy needs.

The Video Wars of 2027

This post imagines a dystopian future for web video, if we continue to rely on patented codecs to transmit media files. What if one company had a perpetual monopoly on those patents? How could it limit our access to media and culture? The premise of this cautionary tale is grounded in fact. However, the future scenario is fiction, and the entities and events portrayed are not intended to represent real people, companies, or events.

[...]

In 1998, the U.S. Congress passed the Sonny Bono Copyright Term Extension Act. This new law extended copyrights on corporate works to the author’s lifetime plus 95 years. The effort was driven by the Walt Disney Company, to protect its lucrative retail franchise around the animated character Mickey Mouse. Without this extension, Mickey would have entered the public domain, meaning anyone could create new cartoons and merchandise without fear of being sued by Disney. When the extension passed, it gave Disney another 20 years to profit from Mickey. The news sparked outrage from lawyers and academics at the time, but it was a dull and complex topic that most people didn’t understand or care about.

In 2020, Disney again lobbied to extend the law, so its copyright would last for 10,000 years. Its monopoly on our culture was complete. No art, music, video, or story would pass into the public domain for millennia. All copyrighted ideas would remain the private property of corporations. The quiet strangulation of our collective creativity had begun.