Moz/FF

Mozilla News

Filed under
Moz/FF
  • A Quantum Leap for the Web

    Over the past year, our top priority for Firefox was the Electrolysis project to deliver a multi-process browsing experience to users. Running Firefox in multiple processes greatly improves security and performance. This is the largest change we’ve ever made to Firefox, and we’ll be rolling out the first stage of Electrolysis to 100% of Firefox desktop users over the next few months.

    But, that doesn’t mean we’re all out of ideas in terms of how to improve performance and security. In fact, Electrolysis has just set us up to do something we think will be really big.

  • Mozilla Quantum: New Browser Engine Based On Servo/Rust For Firefox

    Mozilla's latest secret project to go public is Quantum, a new browser engine for Firefox. But before wondering what happened to Servo, don't worry, Quantum makes use of Servo and Rust.

  • Porting a few C functions to Rust

    Last time I showed you my beginnings of porting parts of Librsvg to Rust. In this post I'll do an annotated porting of a few functions.

    Disclaimers: I'm learning Rust as I go. I don't know all the borrowing/lending rules; "Rust means never having to close a socket" is a very enlightening article, although it doesn't tell the whole story. I don't know Rust idioms that would make my code prettier. I am trying to refactor things to be prettier after the initial pass of C-to-Rust. If you know an idiom that would be useful, please mail me!

Mozilla News

Filed under
Moz/FF
  • Our Role in Protecting the Internet — With Your Help

    Protecting the security of the Internet requires everyone. We talked about this theme in a recent post, and in this post we’ll expand on the role Mozilla plays, and how our work supports and relies on the work of the other participants in the Web.

  • Mozilla Hosts Seventh Annual MozFest in London this weekend

    Now in its seventh year, MozFest is the world’s go-to event for the free and open Internet movement. Part meeting place for like-minded individuals keen to share ideas; part playground for Web enthusiasts, hobbyist netizens and seasoned open source technonauts alike; part hack-a-thon; part living, breathing creative brainstorm; part speaker series; MozFest is a buzzy hive of activity. It attracts thousands of visitors each year (1,800 in 2015) from as many as 50 countries around the world, making it the biggest unconference of its kind.

An introduction to Mozilla's Secure Open Source Fund

Filed under
Interviews
Moz/FF
OSS

Thanks Mark. Mozilla is a unique institution—it's both a nonprofit mission-driven organization and a technology industry corporation. We build open source software (most notably the Firefox Web browser) and we are champions for the open Internet in technical and political fora. We've been a global leader on well-known policy issues like privacy and net neutrality, and we're also very active on most of today's big topics including copyright reform, encryption, and software vulnerabilities.

Mozilla News

Filed under
Moz/FF
  • Get Better Firefox Look on Linux With These Extensions

    Firefox is one of the most used web browsers on the Web. According to Clicky, it holds around 20% of the global market share. Firefox is also installed by default in almost all Linux distributions. So it’s very likely to see Linux users using it all the time, although many other alternatives are available like Chromium and Epiphany.

    Since the web browser’s window is all that many of us see the whole day, you may want to customize its appearance. We are not talking about “personas” or those simple backgrounds that you put on to colorize a small part of the browser’s window. We are talking about changing the theme entirely. Firefox does this using “Complete Themes”.

  • Firefox sandbox on Linux tightened

    As just announced on mozilla.dev.platform, we landed a set of changes in today's Nightly that tightens our sandboxing on Linux. The content process, which is the part of Firefox that renders webpages and executes any JavaScript on them, had previously been restricted in the set of system calls it could make. As of today, it no longer has write access to the filesystem, barring an exception for shared memory and /tmp. We plan to eventually remove the latter exception as well.

  • Mozilla is working on Form Autofill for Firefox

    Mozilla is currently working on bringing form autofill functionality to its Firefox web browser.

    Firefox remembers form data by default that you enter on sites, but the browser does not ship with options to create profiles that you may use on any form you encounter while using the browser.

Mozilla awards $300,000 to four open source projects

Filed under
Moz/FF

Mozilla's love of open source is nothing new -- just look to the Mozilla Open Source Support (MOSS) program. Loving a philosophy is one thing, but Mozilla has also put its money where its mouth is.

In the third quarter of this year, MOSS awarded more than $300,000 to four projects which it either already supported, or which were aligned with the organization's mission. One of the smallest awards -- $56,000 -- was made to Speech Rule Engine, a text-to-speech style component that makes mathematical and scientific content more accessible.

Also: MOSS supports four more open source projects in Q3 2016 with $300k

Mozilla, Firefox News

Filed under
Moz/FF
  • Firefox ready to block certificate authority that threatened Web security

    The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.

    The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.

    "Taking into account all the issues listed above, Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Monday's report stated. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands."

  • Firefox gains serious speed and reliability and loses some bloat

    There's no way around it. Firefox has struggled. As of this writing, Firefox 47 is at the top of the Firefox market share heap at a scant 3.14%. Given that Chrome 52 holds 23.96% and IE 11 holds 17.74%, the chances of Firefox displacing either anytime soon are slim. If you scroll way down the browser market share listing, you'll notice Firefox 49 (the latest release) is at 0.19%. Considering 49 is the stable release that was only recently unleashed, that is understandable (to a point).

    Thing is, Firefox 49 is a really, really good browser. But is it good enough to give the open source browser any significant gains in the realm of market share? Let's take a look at what the Mozilla developers have brought to the fore with the latest release of their flagship browser and see how much hope it holds for the future of the software that was once leader among its peers.

  • Mozilla's Project Mortar Wants Pepper API Flash & PDFium In Firefox

    This week word of Mozilla's "Project Mortar" surfaced, which aims to explore the possibility of bringing the PDFium library and the Pepper API-based Flash plugin into Firefox. The project is being led by various Mozilla engineers.

    Mozilla is so far developing Project Mortar in private while they plan to open it up in the future.

Mozilla's Rust 1.12

Filed under
Development
Moz/FF
  • Announcing Rust 1.12

    The Rust team is happy to announce the latest version of Rust, 1.12. Rust is a systems programming language with the slogan “fast, reliable, productive: pick three.”

    As always, you can install Rust 1.12 from the appropriate page on our website, and check out the detailed release notes for 1.12 on GitHub. 1361 patches were landed in this release.

  • Rust 1.12 Programming Language Released

    Rust 1.12 has been released as the newest version of this popular programming language with a focus on "fast, reliable, productive: pick three."

Firefox Changes

Filed under
Moz/FF
  • Mozilla has “stopped all commercial development of Firefox OS”

    Remember when Mozilla said it was ceasing development of Firefox OS for smartphones, but that it wasn’t giving up on the browser-based operating system altogether? Yeah, now the organization has pretty much thrown in the towel.

    After shifting the focus from phones to smart TVs and other Internet of Things products for a while, Mozilla senior engineering program manager Julie McCracken says development of the operating system was “gradually wound down” and that as of the end of July Mozilla has “stopped all commercial development of Firefox OS.”

  • Firefox’s Test Pilot Program Launches Three New Experimental Features

    Earlier this year we launched our first set of experiments for Test Pilot, a program designed to give you access to experimental Firefox features that are in the early stages of development. We’ve been delighted to see so many of you participating in the experiments and providing feedback, which ultimately, will help us determine which features end up in Firefox for all to enjoy.

    Since our launch, we’ve been hard at work on new innovations, and today we’re excited to announce the release of three new Test Pilot experiments. These features will help you share and manage screenshots; keep streaming video front and center; and protect your online privacy.

Mozilla, Firefox, and FirefoxOS

Filed under
Moz/FF
  • B2G OS and Gecko Announcement from Ari Jaaksi & David Bryant

    In the spring and summer of 2016 the Connected Devices team dug deeper into opportunities for Firefox OS. They concluded that Firefox OS TV was a project to be run by our commercial partner and not a project to be led by Mozilla. Further, Firefox OS was determined to not be sufficiently useful for ongoing Connected Devices work to justify the effort to maintain it. This meant that development of the Firefox OS stack was no longer a part of Connected Devices, or Mozilla at all. Firefox OS 2.6 would be the last release from Mozilla. Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch.

  • Firefox 53 Will Drop Support for Windows XP and Windows Vista

    Software companies are one by one giving up on Windows XP support for their products, and now it appears that it’s Mozilla’s turn to switch the focus to newer versions of Windows.

    Firefox 53 will be the first version of the browser which will no longer support Windows XP and Windows Vista, so users who haven’t yet upgraded to Windows 7 or newer will have to either stick with Firefox 52 or move to a different browser.

  • Boot 2 Gecko Being Stripped From Mozilla's Codebase

    At the end of 2015 Mozilla effectively put an end to Firefox OS / Boot 2 Gecko by concluding things weren't working out for Mozilla Corp and their commercial partners to ship Firefox OS smartphones. All commercial development around it has since stopped and they are now preparing to strip B2G from the mozilla-central code-base.

    The news to report on now is that Ari Jaaksi and David Bryant have announced, "Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch."

Mozilla Firefox 49.0 and Thunderbird 45.3 Land in All Supported Ubuntu OSes

Filed under
Moz/FF

Today, September 22, 2016, Chris Coulson from Canonical published two security advisories to inform the Ubuntu Linux community about the availability of the latest Mozilla products in all supported releases.

More in Tux Machines

Security Leftovers

  • Stop using SHA1 encryption: It’s now completely unsafe, Google proves
    Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made. However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.
  • on pgp
    First and foremost I have to pay respect to PGP, it was an important weapon in the first cryptowar. It has helped many whistleblowers and dissidents. It is software with quite interesting history, if all the cryptograms could tell... PGP is also deeply misunderstood, it is a highly successful political tool. It was essential in getting crypto out to the people. In my view PGP is not dead, it's just old and misunderstood and needs to be retired in honor. However the world has changed from the internet happy times of the '90s, from a passive adversary to many active ones - with cheap commercially available malware as turn-key-solutions, intrusive apps, malware, NSLs, gag orders, etc.
  • Cloudflare’s Cloudbleed is the worst privacy leak in recent Internet history
    Cloudflare revealed today that, for months, all of its protected websites were potentially leaking private information across the Internet. Specifically, Cloudflare’s reverse proxies were dumping uninitialized memory; that is to say, bleeding private data. The issue, termed Cloudbleed by some (but not by its discoverer Tavis Ormandy of Google Project Zero), is the greatest privacy leak of 2017 and the year has just started. For months, since 2016-09-22 by their own admission, CloudFlare has been leaking private information through Cloudbleed. Basically, random data from random sites (again, it’s worth mentioning that every site that used CloudFlare in the last half year should be considered to have fallen victim to this) would be randomly distributed across the open Internet, and then indefinitely cached along the way.
  • Serious Cloudflare bug exposed a potpourri of secret customer data
    Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, cookies and tokens used to authenticate users. A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the period of greatest impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real time by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Security Leftovers

  • Change all the passwords (again)
    Looks like it is time to change all the passwords again. There’s a tiny little flaw in a CDN used … everywhere, it seems.
  • Today's leading causes of DDoS attacks [Ed: The so-called 'Internet of things' (crappy devices with identical passwords) is a mess; programmers to blame, not Linux]
    Of the most recent mega 100Gbps attacks in the last quarter, most of them were directly attributed to the Mirai botnet. The Mirai botnet works by exploiting the weak security on many Internet of Things (IoT) devices. The program finds its victims by constantly scanning the internet for IoT devices, which use factory default or hard-coded usernames and passwords.
  • How to Set Up An SSL Certificate on Your Website [via "Steps To Secure Your Website With An SSL Certificate"]
  • SHA-1 is dead, long live SHA-1!
    Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately though impossible things are usually also impossible so in reality we just make sure it’s really really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon.
  • SHA1 collision via ASCII art
    Happy SHA1 collision day everybody! If you extract the differences between the good.pdf and bad.pdf attached to the paper, you'll find it all comes down to a small ~128 byte chunk of random-looking binary data that varies between the files.
  • PayThink Knowledge is power in fighting new Android attack bot
    Android users and apps have become a major part of payments and financial services, carrying an increased risk for web crime. It is estimated that there are 107.7 million Android Smartphone users in the U.S. who have downloaded more than 65 million apps from the Google App Store, and each one of them represents a smorgasbord of opportunity for hackers to steal user credentials and other information.
  • Red Hat: 'use after free' vulnerability found in Linux kernel's DCCP protocol IPV6 implementation
    Red Hat Product Security has published details of an "important" security vulnerability in the Linux kernel. A flaw in the IPv6 implementation of the DCCP protocol makes it possible for a local, unprivileged user to alter kernel memory and escalate their privileges. Known as a "use-after-free" flaw, CVE-2017-6074 affects a number of Red Hat products including Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 and Red Hat OpenShift Online v2. Mitigating factors include the requirement for a potential attacker to have access to a local account on the machine, and for IPv6 to be enabled, but it is still something that will be of concern to Linux users. Describing the vulnerability, Red Hat says: "This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free.) Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in use allocation due to an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures."