Mozilla blocks spy firm DarkMatter from Firefox citing ‘significant risk’ to users

Firefox maker Mozilla said it will not trust certificates from surveillance maker DarkMatter, ending a months-long effort to be whitelisted by the popular browser.

Months earlier, the United Arab Emirates-based DarkMatter had asked Mozilla to formally trust its root certificates in the Firefox certificate store, a place in the browser reserved for certificate authorities that are trusted and approved to issue HTTPS certificates. Mozilla and other browser makers use this store to know which HTTPS certificates to trust, effectively allowing these certificate authorities to confirm a website’s identity and certify that data going to and from it is secure.

But a rogue or malicious certificate authority could allow the interception of encrypted internet traffic by faking or impersonating websites.

DarkMatter has a history of controversial and shady operations, including developing malware and spyware to be used in surveillance operations, as well as the alleged targeting of journalists critical of the company. Just weeks ago, Reuters reported that the Emirati company — which employs former U.S. National Security Agency hackers — targeted several media personalities and dissidents at the behest of the Arab monarchy.

But the company has a clean record as a certificate authority, putting Mozilla in a tough spot.

Either Mozilla could accept DarkMatter’s record as a certificate authority or reject it based off a perceived risk.

As it turns out, the latter won.

“Our foremost responsibility is to protect individuals who rely on Mozilla products,” said Wayne Thayer, certification authority program manager at Mozilla, in a discussion group post on Tuesday. He added that DarkMatter poses “a significant risk to our users.”

“I believe this framing strongly supports a decision to revoke trust in DarkMatter’s intermediate certificates,” he wrote.

Thayer added that although both sides of DarkMatter’s business were taken into account, the browser maker cited a core Mozilla principle — “individuals’ security and privacy on the internet are fundamental and must not be treated as optional” — as a reason to reject the proposal.

Mozilla said it would also distrust six intermediate certificates in the meantime.

DarkMatter did not respond to a request for comment Tuesday.

Mozilla readies launch of news subscription service

Way back in February, Mozilla announced an upcoming collaboration with Scroll aimed at finding a way to help fund news outlets. The organization appears ready to finally launch the service, sending users a survey, along with invites to an upcoming beta launch of what it calls “Firefox Ad-free Internet.”

The service is one of countless third-party platforms aimed at helping ailing publications find a way to better monetize in an era of defunding, when journalistic voices are more important than ever. The Apple News offering is probably the most notable in the category, but Mozilla’s offering provides an interesting alternative to a standalone app.

The Firefox version essentially provides a way to bring users ad-free access to their favorite publications by paying an upfront fee of $5 a month. Per Mozilla:

The service enables web users to pay for an ad-free experience on their favorite sites, across their devices. By enabling more direct funding of publishers, Scroll’s model may offer a compelling alternative in the ecosystem. We will be collaborating with Scroll to better understand consumer attitudes and interest towards an ad-free experience on the web as part of an alternative funding model.

BuzzFeed, Gizmodo Media, Slate, The Atlantic and USA Today all seem to be on board with the offering ahead of launch.

Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature

An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.

The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K.”

Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead.
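To make the difference concrete, the following added example (not code from Mozilla or from the article) builds the same DNS question twice: once as the plaintext packet sent over UDP port 53, and once as the DNS-over-HTTPS GET request defined in RFC 8484. The resolver URL `https://doh.example/dns-query` and the helper names are assumptions chosen for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: placeholder resolver endpoint, not one named in the article.
RESOLVER = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build an RFC 1035 wire-format query (qtype 1 = A record, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) < 64:
            raise ValueError("each DNS label must be 1-63 bytes")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_qname(message: bytes) -> str:
    """Recover the queried name from a DNS message, as any on-path device
    can do with a plaintext UDP/53 packet."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a query name")
        labels.append(message[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: same DNS message, ID 0, base64url without padding."""
    encoded = base64.urlsafe_b64encode(build_query(name, txid=0))
    return f"{resolver}?dns={encoded.rstrip(b'=').decode('ascii')}"


def decode_doh_url(url: str) -> bytes:
    """What the DoH resolver does after TLS termination: undo the encoding."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def on_path_view(url: str) -> str:
    """For an HTTPS request, path and query travel inside TLS; a network
    observer is left with the resolver's hostname (via SNI) and IP address."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    plaintext = build_query("www.example.com", txid=0x1234)  # constructed sample
    print("UDP/53 observer reads :", read_qname(plaintext))
    url = doh_get_url(RESOLVER, "www.example.com")
    print("DoH request           :", url)
    print("DoH observer reads    :", on_path_view(url))
    print("Resolver decodes      :", read_qname(decode_doh_url(url)))
```

The queried name is readable by every device on the path in the first case and only by the DoH resolver in the second, which is why DNS-based filtering at the access provider stops seeing these lookups.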

DNS-over-HTTPS also improves performance, making DNS queries — and the overall browsing experience — faster.

But the ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.

Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery. In encrypting DNS queries, it’s claimed that it will make it more difficult for internet providers to filter their subscribers’ internet access.

The ISPA isn’t alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.’s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.

But the ISPA’s nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position. It said that “Bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice,” but that it encourages “further debate.”

When reached, a Mozilla spokesperson did not immediately comment.

Mozilla isn’t the first to roll out DNS-over-HTTPS. Last year Cloudflare released a mobile version of its 1.1.1.1 privacy-focused DNS service to include DNS-over-HTTPS. Months earlier Google-owned Jigsaw released its censorship-busting app Intra, which aimed to prevent DNS manipulation.

Mozilla has yet to set a date for the full release of DNS-over-HTTPS in Firefox.

Firefox gets enhanced tracking protection, desktop password manager and more

It’s no secret that Mozilla sees privacy as a differentiating feature for its revitalized Firefox browser. Today, the Firefox team is launching one of its broadest set of releases that aim to keep advertisers and others from following you across the web, while also making it harder for Facebook to track you. In addition, the organization is launching a desktop version of its password manager and some improvements to its Firefox Monitor data breach notification service.

“This past year, we’ve seen tech companies talk a big game about privacy as they’re realizing that, after several global scandals, people feel increasingly vulnerable,” Firefox SVP Dave Camp writes in today’s announcement, explaining the organization’s reasoning for today’s update. “It’s unfortunate that this shift had to happen in order for tech companies to take notice. At Firefox, we’re doing more than that. We believe that in order to truly protect people, we need to establish a new standard that puts people’s privacy first.”

The launch of Enhanced Tracking Protection, which allows you to keep third-party trackers and cookies from following you around the web, doesn’t come as a surprise. Mozilla has been talking about its new anti-tracking measures for a while. Previously, it offered a similar feature, but that was restricted to private windows, which was useful — and probably a good way for Mozilla to test these new capabilities — but far from comprehensive. For new users, Enhanced Tracking Protection will now be on by default, while existing users will either have to enable it manually for now or wait for Mozilla to turn it on for them in the near future.

In the browser, you’ll see these new features in the form of a new set of controls in the settings menu, as well as by clicking on the new shield icon in the URL bar. In its standard setting, which is the default, Enhanced Tracking Protection will block all third-party tracking cookies, based on the Disconnect list. You can also opt for a strict setting, which may break some sites, or opt for your own custom settings, too.

While it’s not directly built into the browser, Mozilla also today launched an updated version of its Facebook container extension that now allows you to also put Facebook share and like buttons into the container and disable them by default. That way, Facebook won’t be able to build a useful shadow profile of you when you are logged out (or not even a Facebook user).

With today’s announcements, Mozilla is also expanding its Lockbox password manager to the desktop. Until now, Lockbox only existed as a set of mobile apps, but Mozilla launched a Firefox desktop extension, too. It’s also changing the name to Lockwise. It’s a pretty straightforward password manager experience, though, at least for the time being, notably not nearly as fully featured as Dashlane, 1Password, LastPass or similar options.

To round out today’s set of announcements, Mozilla is also launching a new dashboard for Firefox Monitor, its tool that lets you check whether your email addresses popped up in any data breaches and set alerts for any future breaches. Monitor now features a dashboard that lets you see which email addresses you are monitoring and which ones have likely been compromised.
What Chrome’s browser changes mean for your privacy and security

At the risk of sounding too optimistic, 2019 might be the year of the private web browser.

In the beginning, browsers were a cobbled-together mess that put a premium on making the contents within look good. Security was an afterthought — there is no better example than Internet Explorer — and user privacy was seldom considered as newer browsers like Google Chrome and Mozilla Firefox focused on speed and reliability.

Ads kept the internet free for so long, but with invasive ad-tracking at its peak and concerns about online privacy — or the lack of it — privacy is finally getting its day in the sun.

Chrome, which claims close to two-thirds of all global browser market share, is the latest to double down on new security and privacy features after Firefox announced new anti-tracking blockers last month, Microsoft’s Chromium-based Edge promised better granular controls to control your data, and Apple’s Safari browser began preventing advertisers from tracking you from site to site.

At Google’s annual developer conference Tuesday, Google revealed two new privacy-focused additions: better cookie controls that limit advertisers from tracking your activities across websites, and a new anti-fingerprint feature.

In case you didn’t know: cookies are tiny bits of information left on your computer or device to help websites or apps remember who you are. Cookies can keep you logged into a website, but can also be used to track what a user does on a site. Some work across different websites to track you from one website to another, allowing them to build up a profile on where you go and what you visit. Cookie management has long been an on or off option. Switching cookies off means advertisers will find it more difficult to track you across sites but it also means websites won’t remember your login information, which can be an inconvenience.

Soon, Chrome will prevent cross-site cookies from working across domains without obtaining explicit consent from the user. In other words, that means advertisers won’t be able to see what you do on the various sites you visit without asking to track you.

Cookies that work only on a single domain aren’t affected, so you won’t suddenly get logged out.

There’s an added benefit: by blocking cross-site cookies, it makes it more difficult for hackers to exploit cross-site vulnerabilities. Through a cross-site request forgery attack, it’s possible in some cases for malicious websites to run commands on a legitimate site that you’re logged into without you knowing. That can be used to steal your data or take over your accounts.

Going forward, Google said it will only let cross-site cookies travel over HTTPS connections, meaning they cannot be intercepted, modified or stolen by hackers when they’re on their way to your computer.
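The cookie behaviour described above can be modelled in a few lines. This is an added example, not code from Google or the article; it assumes the mechanism is the standard `SameSite` and `Secure` cookie attributes (which the article does not name), treats unmarked cookies as `SameSite=Lax`, and approximates a "site" as the last two host labels. All cookie values and URLs are constructed samples.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie values.
SESSION = "session=abc123; Path=/; HttpOnly"        # ordinary login cookie, unmarked
TRACKER_MARKED = "uid=42; Secure; SameSite=None"    # explicitly declared cross-site
TRACKER_INSECURE = "uid=42; SameSite=None"          # declared cross-site, not Secure


def site_of(url: str) -> str:
    """Simplified 'site': last two host labels. Browsers use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Request:
    url: str                            # where the request is going
    initiator: str                      # page that triggered it
    method: str = "GET"
    top_level_navigation: bool = False  # a followed link, not a subresource or form


def cookie_is_sent(set_cookie: str, req: Request) -> bool:
    """Decide whether the browser attaches the cookie to this request."""
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    same_site = (morsel["samesite"] or "Lax").lower()  # unmarked defaults to Lax
    secure = bool(morsel["secure"])
    if secure and urlsplit(req.url).scheme != "https":
        return False                    # Secure cookies never leave over plain HTTP
    if site_of(req.url) == site_of(req.initiator):
        return True                     # single-site use is unaffected
    if same_site == "none":
        return secure                   # cross-site only when also Secure
    if same_site == "lax":
        return req.top_level_navigation and req.method == "GET"
    return False                        # Strict: never cross-site


if __name__ == "__main__":
    forged_post = Request("https://shop.example/account/email",
                          "https://other.example/page", method="POST")
    own_post = Request("https://shop.example/account/email",
                       "https://www.shop.example/settings", method="POST")
    pixel = Request("https://tracker.example/pixel", "https://news.example/story")
    print("forged cross-site POST carries session:", cookie_is_sent(SESSION, forged_post))
    print("same-site POST carries session        :", cookie_is_sent(SESSION, own_post))
    print("marked tracker cookie on pixel        :", cookie_is_sent(TRACKER_MARKED, pixel))
    print("insecure tracker cookie on pixel      :", cookie_is_sent(TRACKER_INSECURE, pixel))
```

The forged cross-site POST arrives without the session cookie, which is the cross-site request forgery benefit the article mentions, while the site's own requests still carry it.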

Cookies are only a small part of how users are tracked across the web. These days it’s just as easy to take the unique fingerprints of your browser to see which sites you’re visiting.

Fingerprinting is a way for websites and advertisers to collect as much information about your browser as possible, including its plugins and extensions, and your device, such as its make, model and screen resolution, which creates a “fingerprint” that’s unique to your device. Because they don’t use cookies, websites can look at your browser fingerprint even when you’re in incognito mode or private browsing.

Google said — without giving much away as to how — it “plans” to aggressively work against fingerprinting, but didn’t give a timeline of when the feature will roll out.

Make no mistake, Google is stepping up to the privacy plate, following in the footsteps of Apple, Mozilla and Microsoft. Now that Google’s on board, that’s two-thirds of the internet set to soon benefit.

A glitch is breaking all Firefox extensions

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working?

You’re not alone, and it’s nothing you did.

Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions.

Each extension is now being listed as a “legacy” extension, alongside a warning that it “could not be verified for use in Firefox and has been disabled”.

A ticket submitted to Mozilla’s Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time).

Because the glitch stems from an underlying certificate, re-installing extensions won’t help. Getting extensions back for everyone is going to require Mozilla to issue a patch.

In a post on the company’s forum, Mozilla Add-ons Community Manager Caitlin Neiman writes:

At about 6:10 PST we received a report that a certificate issue for Firefox is causing add-ons to stop working and add-on installs to fail.

Our team is actively working on a fix. We will update as soon as we have more information.

Mozilla adds fingerprinting and cryptocurrency mining protection to Firefox

Mozilla is adding new features to protect you against web annoyances in future releases of Firefox. The new features are currently available in the beta version of Firefox 67, and the nightly version of Firefox 68. They will be available in the stable release of Firefox in a few weeks.

The cryptomining and fingerprinting blocks work pretty much like anti-tracking blocks in the current version of Firefox. The company has partnered with Disconnect to include scripts that prevent your browser from loading disingenuous content.

Cryptomining and fingerprinting blocks will be disabled by default — at least for now. But you can activate them in a couple of clicks in the browser settings under “Privacy & Security”.

Mozilla already says that these settings will be turned on by default in future nightly versions of Firefox 68. So you can expect cryptomining and fingerprinting blocking by default in a few months.

You can check if those features are activated by clicking on the shield in the address bar. It tells you if scripts are blocked on the current site. You can also whitelist a site from this menu.

Fingerprinting is a creepy method used by adtech companies to identify a user based on multiple factors, such as the browser you’re using, the fonts you have on your computer, your operating system, etc.

Some websites also use cryptocurrency mining scripts to leverage your unused computer resources to mine Bitcoin, Monero and other cryptocurrencies. Those scripts are automatically enabled by default when you visit a website.

Mozilla’s free password manager, Firefox Lockbox, launches on Android

Mozilla’s free password manager designed for users of the Firefox web browser is today officially arriving on Android. The standalone app, called Firefox Lockbox, offers a simple if a bit basic way for users to access from their mobile device their logins already stored in their Firefox browser.

The app is nowhere near as developed as password managers like 1Password, Dashlane, LastPass and others as it lacks common features like the ability to add, edit or delete passwords; suggest complex passwords; or alert you to potentially compromised passwords resulting from data breaches, among other things.

However, the app is free — and if you’re already using Firefox’s browser, it’s at the very least a more secure alternative to writing down your passwords in an unprotected notepad app, for example. And you can opt to enable Lockbox as an Autofill service on Android.

But the app is really just a companion to Firefox. The passwords in Lockbox securely sync to the app from the Firefox browser — they aren’t entered by hand. For security, the app can be locked with facial recognition or a fingerprint (depending on device support). The passwords are also encrypted in a way that doesn’t allow Mozilla to read your data, it explains in a FAQ.

Firefox Lockbox is now one of several projects Mozilla developed through its now-shuttered Test Flight program. Over a few years’ time, the program had allowed the organization to trial more experimental features — some of which made their way to official products, like the recently launched file-sharing app, Firefox Send.

Others in the program — including Firefox Color, Side View, Firefox Notes, Price Tracker and Email Tabs — remain available, but are no longer actively developed beyond occasional maintenance releases. Mozilla’s current focus is on its suite of “privacy-first” solutions, not its other handy utilities.

According to Mozilla, Lockbox was downloaded more than 50,000 times on iOS ahead of today’s Android launch.

The Android version is a free download on Google Play.

Firefox is now a better iPad browser

Mozilla today announced a new iOS version of Firefox that has been specifically optimized for Apple’s iPad. Given the launch of the new iPad mini this week, that’s impeccable timing. It’s also an admission that building a browser for tablets is different from building a browser for phones, which is what Mozilla mostly focused on in recent years.

“We know that iPads aren’t just bigger versions of iPhones,” Mozilla writes in today’s announcement. “You use them differently, you need them for different things. So rather than just make a bigger version of our browser for iOS, we made Firefox for iPad look and feel like it was custom made for a tablet.”

So with this new version, Firefox for iPad gets support for iOS features like split screen and the ability to set Firefox as the default browser in Outlook for iOS. The team also optimized tab management for these larger screens, including the option to see tabs as large tiles, “making it easy to see what they are, see if they spark joy and close with a tap if not.” And if you have a few tabs you want to share, then you can do so with the Send Tabs feature Mozilla introduced earlier this year.

Starting a private browsing session on iOS always took a few extra taps. The iPad version makes this a one-tap affair as it prominently highlights this feature in the tab bar.

Because quite a few iPad users also use a keyboard, it’s no surprise that this version of Firefox also supports keyboard shortcuts.

If you are an iPad user in search of an alternative browser, Firefox may now be a viable option for you. Give it a try and let us know what you think in the comments (just don’t remind us how you work from home for only a few hours a day and make good money… believe me, we’re aware).

Firefox now automatically blocks autoplaying audio and video

Mozilla today released version 66 of its Firefox browser. It features all of the usual tech updates and bug fixes, but there’s also a clear theme here: reducing online annoyances.

With this update, Firefox can now automatically block autoplaying audio and video — the scourge of the modern web. The way Mozilla has implemented this is smart enough to recognize when a video is playing with the audio muted and it’ll still let the page quietly play that video. If it’s a news site that insists on bombarding you with the unmuted video of an anchor talking about a semi-related news story, though, it’ll mute it and leave you in peace.

To play the video on a site where Firefox has blocked the video, you simply click the play button. You can also always whitelist sites with autoplaying and unmuted videos, too.

Another major annoyance these days is ads that load after the text or other content on a site is already visible. Often, the ad then moves that text around (and occasionally, slow-loading images are to blame here, too). With this update, Firefox is introducing scroll anchoring, which ensures that you’re not going to bounce around on the page as these slow-loading ads load.

Other updates in this release include the ability to search within multiple tabs, better search in private browsing mode, improved and clearer security warnings and web authentication support for Windows Hello. Firefox 66 also promises an improved extension experience that should make pages load faster by storing extension settings in a single file instead of a series of individual files for every extension.

You can find the full release notes here.