Tor, which is capable of of all that and more, crucially blocks websites from learning any identifying information about you and circumvents censorship. It also stymies eavesdroppers from discovering what you’re doing on the Web. For those reasons, it would be a powerful addition to the arsenal of privacy tools Firefox already possesses.
The Tor Browser is already a modified version of Firefox, developed over the last decade with close communication between the Tor developers and Mozilla on issues such as security and usability.
Instead, libressl is here because of a tragic comedy of other errors. Let's start with the obvious. Why were heartbeats, a feature only useful for the DTLS protocol over UDP, built into the TLS protocol that runs over TCP? And why was this entirely useless feature enabled by default? Then there's some nonsense with the buffer allocator and freelists and exploit mitigation countermeasures, and we keep on digging and we keep on not liking what we're seeing. Bob's talk has all the gory details.
But why fork? Why not start from scratch? Why not start with some other contender? We did look around a bit, but sadly the state of affairs is that the other contenders aren't so great themselves. Not long before Heartbleed, you may recall Apple dealing with goto fail, aka the worst bug ever, but actually about par for the course.
Proprietary, (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.
SILENT CIRCLE has announced a bug bounty programme for its Blackphone venture designed to find security flaws in the "surveillance-proof" smartphone.
Blackphone is a joint venture of Silent Circle and Geeksphone, known as SGP Technologies. Running a secure PrivatOS operating system, it is what the companies call "a truly surveillance-proof smartphone" in the wake of the past year's NSA revelations.
Huawei and their smartphone business have not exactly garnered good press in the past – especially when there were allegations of Huawei churning out spyphones for the China government, which the company vehemently denied. Subsequently, it is said that Huawei themselves decided to pull out from the U.S. market, where we then learned that the tables were turned afterwards with the NSA being accused of spying on Huawei instead. Having said that, it seems as though officials over in China will have a spanking new smartphone soon – and it will not hail from the likes of Samsung, LG, HTC or other big name players, but from Huawei themselves.
Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)
We plan to add a security warning to the Web Console to remind developers that they should not be using a SHA-1 based certificate. We will display an additional, more prominent warning if the certificate will be valid after January 1, 2017, since we will reject that certificate after that date. We plan to implement these warnings in the next few weeks, so they should be appearing in released versions of Firefox in early 2015. We may implement additional UI indicators later. For instance, after January 1, 2016, we plan to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.
The four freedoms are only meaningful if they result in real-world benefits to the entire population, not a privileged minority. If your approach to releasing free software is merely to ensure that it has an approved license and throw it over the wall, you're doing it wrong. We need to design software from the ground up in such a way that those freedoms provide immediate and real benefits to our users. Anything else is a failure.