Firefox 96.0 is officially shipping today as the first update of 2022 for this open-source web browser. From a report: Firefox 96.0 has "significantly" reduced the amount of load placed on the browser's main thread and there is also "significant" improvements in noise suppression and auto-gain-control and improvements in echo cancellation. In addition to that performance work, there are also WebRTC improvements, an improved cookie policy to reduce the likelihood of Cross-Site Request Forgery (CSRF) attacks, video quality degradation fixes, and other fixes. Over on developer.mozilla.org are some of the web developer changes with Firefox 96 including CSS color value function hwb() support for specifying the hue/whiteness/blackness, support for the CSS color-scheme property, the Web Locks API is enabled by default, image encoder support for WebP for exporting HTML5 canvas elements, and other additions.

Brian Fagioli, reporting for BetaNews: The developers of the Ubuntu-based operating system have agreed to accept an undisclosed amount of money from Mozilla in exchange for making significant changes to Linux Mint. This includes removal of modifications to Firefox and a big change for search. The devs share the upcoming changes to Firefox in Linux Mint 19 and higher.
The default start page no longer points to https://www.linuxmint.com/start/
The default search engines no longer include Linux Mint search partners (Yahoo, DuckDuckGo...) but Mozilla search partners (Google, Amazon, Bing, DuckDuckGo, Ebay...)
The default configuration switches from Mint defaults to Mozilla defaults.
Firefox no longer includes code changes or patches from Linux Mint, Debian or Ubuntu.

Mike Melanson's "This Week in Programming" column looks at what happened after Mozilla founder Jamie "jwz" Zawinski slammed the group for accepting donations in cryptocurrency (which Zawinski called partnering "with planet-incinerating Ponzi grifters.") Peter Linss, one of the creators of the Gecko browser engine on which Mozilla Firefox is based, also stepped in to back up Zawinski, saying that he was 100% with him and that Mozilla was "meant to be better than this."

When Mozilla first announced it would accept Bitcoin donations in 2014, it cited Khan Academy, Electronic Frontier Foundation, United Way, Greenpeace, and Wikimedia Foundation among its moral and upstanding cryptocurrency-accepting compatriots. Of that list, just Greenpeace has since stopped accepting cryptocurrency donations, telling the Financial Times earlier this year that "as the amount of energy needed to run bitcoin became clearer, this policy [of accepting cryptocurrency donations] became no longer tenable."
Thursday the Mozilla Foundation announced it was pausing cryptocurrency donations to review whether the idea "fits with our climate goals" — a fact the column also addresses: Mike Shaver, another Mozilla project founder, also tweeted his support, writing that he was "glad to see this reflection happening."

In a follow-up blog post to the ordeal, Zawinski doubled down on his condemnation of Mozilla's cryptocurrency acceptance, writing that "cryptocurrencies are not only an apocalyptic ecological disaster, and a greater-fool pyramid scheme, but are also incredibly toxic to the open web, another ideal that Mozilla used to support" — an idea also espoused in many of the comments on the initial Twitter thread.

Meanwhile, although Mozilla says that it is pausing the ability to donate cryptocurrencies during its review, the donations page still lists BitPay among its payment methods.

The Mozilla Foundation is pausing accepting donations in cryptocurrency following a backlash from scores of people including a founder of the Mozilla Project. From a report: The foundation, which oversees the development of Firefox browser, on Thursday acknowledged conversations around the environment impact that cryptocurrency potentially pose and said it is reviewing whether its current policy on crypto donations "fits with our climate goals."

The foundation started to face backlash following a tweet late last year that invited people to donate via using a variety of crypto tokens including Bitcoin. In response to it, Jamie Zawinski expressed dismay at the foundation's move. "Everyone involved in the project should be witheringly ashamed of this decision to partner with planet-incinerating Ponzi grifters," he said, adding an expletive.

A user writes: Jamie "jwz" Zawinski, famous for being one of the original Netscape developers, being a founder of the Mozilla project, and for this axiom, has laid into Mozilla after the Firefox developers announced they was accepting Dogecoin, Bitcoin, and Ethereum cryptocurrency payments, via Bitpay, for Mozilla's services and donations. Quote jwz: "I'm here to say fuck you and fuck this. Everyone involved in the project should be witheringly ashamed of this decision to partner with planet-incinerating Ponzi grifters."
UPDATE (1/6/2021): Days later the Mozilla Foundation announced they were instead pausing cryptocurrency donations to review whether the idea "fits with our climate goals."

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.
The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password. From a report: The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers. At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release), a feature that allows users to sync their local clipboard history to their Microsoft accounts. The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers. In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.

The Mozilla Foundation today released its financial report for 2020. As usual, this gives us a good picture of the organization's financial health from a year ago, but for the first time this year, Mozilla also provided us with more recent data. From a report: It's no secret that Mozilla recently went through a number of difficult years, with major layoffs in 2020 as it restructured its for-profit arm, Mozilla Corporation. Its flagship Firefox browser, despite a number of technical advances, is also struggling in a marketplace that is now dominated by Chromium-based browsers. Still, in 2020, Mozilla Corporation's revenue was $466 million from its search partnerships (largely driven by its search deal with Google), subscriptions and advertising revenue. That's essentially the same as in 2019, when Mozilla Corporation generated $465 million from these sources.

For 2021, the organization forecasts revenue of over $500 million. What's maybe most important, though, is that Mozilla's new products like its Mozilla VPN service, Firefox Relay Premium, Pocket and other commercial initiatives are slowly but surely starting to pay off. As Mozilla executive VP Angela Plohman and CFO Eric Muhlheim noted in today's announcement, revenue from new product offerings will grow 150% this year and account for 14% of the organization's revenue in 2021. The Mozilla VPN service saw a revenue increase of 450% from 2020 to 2021.

In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.

Microsoft is backtracking on changes it made to Windows 11 that made it more difficult to switch default browsers. From a report: A new test build of Windows 11 now allows users of Chrome, Firefox, and other browsers to set a default browser with a single button, which is a far simpler process. Rafael Rivera, developer of the excellent EarTrumpet Windows app, discovered the new Windows 11 changes earlier this week. Instead of having to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, Windows 11 now offers a simple button that lets people switch default browsers in a similar way to Windows 10. Microsoft has confirmed the changes are intentional and are currently being tested. "In the Windows 11 Insider Preview Build 22509 released to the Dev Channel on Wednesday, we streamlined the ability for a Windows Insider to set the 'default browser' to apps that register for HTTP:, HTTPS:, .HTM, and .HTML," explains Aaron Woodman, vice president of Windows marketing, in a statement to The Verge. "Through the Windows Insider Program you will continue to see us try new things based on customer feedback and testing."

A new browser extension promises to show you which products in your Amazon search results are sold by brands that are either owned by or are exclusive to Amazon, giving you a better idea of who's selling what you're buying. The Verge reports: It's called Amazon Brand Detector, and it uses a list of Amazon brands created by The Markup, along with filters and other techniques (detailed here) to detect and highlight products that are a part of Amazon's Our Brands program. The Markup created this extension after its investigation into how Amazon ranks its in-house brands in search results and says the tool (available for Chrome-like browsers and Firefox) is designed to make searches more transparent. When we tested it, it obviously highlighted Amazon Basics and Essentials products, but it also drew attention to results that were otherwise indistinguishable from ones not affiliated with Amazon: a dog leash labeled as being made by Panykoo, socks by Teebulen, a sweater by Ofeefan.

While Amazon marked some of those results as "featured from our brands," that wasn't the case for all of them. That advisory text is also small and grey, making it easy to miss if you're casually browsing (especially since there may not be any notice of the affiliation on the actual product page), and it didn't show up on every result the tool highlighted. Amazon isn't necessarily shadowy about these brands: it has a page that lists its "private and select exclusive brands," many of which have legit-sounding names: Happy Belly, Wag, Nature's Wonder. Some are private labels owned by Amazon, where some are "curated selections" sold exclusively on Amazon but not necessarily operated by the company. According to The Markup, the extension "does not collect any data" and should be compatible with other extensions.

Mozilla announced last week via a support article that its Firefox Lockwise password manager app will reach end-of-life on December 13th. The final release versions are 1.8.1 (iOS) and 4.0.3 (Android) and will no longer be available to download or reinstall after that date. The Verge reports: What started in 2018 as a small experimental mobile app called Lockbox ended up bringing a way to access saved passwords and perform autofills on iOS, Android, and desktop devices to a small but enthusiastic following of Firefox fans. The app was also later adapted as a Firefox extension. It seemed like it was apt to stick around for the long run.

The support article recommends that users continue accessing passwords using the native Firefox browsers on desktop and mobile. In an added note on the support site, Mozilla suggests that later in December, the Firefox iOS app will gain the ability to manage Firefox passwords systemwide. The note alludes to Mozilla adopting the features of Lockwise and eventually integrating them into the Firefox browser apps natively on all platforms.

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. The Register reports: These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork." Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so. "I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake. Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."

Mozilla launched Firefox Relay as a free product that gives you five email aliases you can use every time you need to sign up for a random account online. From a report: Now, the organization has introduced a paid Premium tier for the service that will give you access to even more aliases. You'll get your own subdomain (yourdomain.mozmail.com) when you subscribe, and you'll be able to create an unlimited number of emails. The tier will also give you access to a summary dashboard with the emails you make, the option to use your aliases when you reply to messages and a 150 kb attachment allowance. After you sign up for Relay, you'll have to install its Firefox extension to be able to take advantage of its features. Every time you visit a website that asks for an email address, the Relay icon will appear on your browser, and you can click it to generate a random address.The service will forward messages you get using your aliases to your primary email account, and you can block all messages from coming in or even delete the alias when it starts getting spam. Mozilla didn't say how much a Premium subscription will cost in the future, but it's offering the tier at an introductory price of $1/EUR1 per month for a limited time.

The creator of EdgeDeflector said this week that the latest Insider build of Windows 11 now blocks all default browser workarounds. If this functionality makes its way to the finished product, it will mark a new, dark chapter for Microsoft, which told the media at the Windows 11 launch that it was aware that it had made changing app defaults pointlessly difficult, but that it had not done so maliciously and would fix it. This is the opposite of that claim. From a report: "Something changed between Windows 11 builds 22483 and 22494 (both Windows Insider Preview builds)," EdgeDeflector creator Daniel Aleksandersen writes in a new blog entry. "The build changelog ... omitted the headline news: you can no longer bypass Microsoft Edge using apps like EdgeDeflector."

Microsoft not communicating effectively? I find that hard to believe. Cough. But Microsoft moving to make Windows 11 behave even more maliciously towards its users and browser rivals? That I have a hard time with. Basically, EdgeDeflector, as well as third-party browsers like Mozilla Firefox and Brave, intercept OS-level URL requests that force you to use Microsoft Edge even when you have gone through the incredibly ponderous steps to make a non-Edge browser the default in Windows 11. But in the latest Insider Preview build, Microsoft is changing how these URL requests work. And it's no longer possible to intercept URL requests that force users to use Edge instead of their default browser. (In the Insider builds. This functionality will come to mainstream users in the coming months unless we can change Microsoft's collective mind.)

In case you missed it, Google officially ended support for its Bookmarks service on September 30, 2021. But fear not, you can still export your bookmarks if you haven't already. Long-time Slashdot reader GPS Pilot writes: Google has dropped support for yet another one of its services. If you're like me, you don't visit Google Bookmarks very often, so you're not aware that Google dropped support on September 30th, 2021. The service still had its uses -- like being able to access a collection of bookmarks across different browsers, or when you're using a strange computer. You can still export your Google bookmarks to alternative services that are "arguably better." Some Google Bookmarks alternatives include Saved, Raindrop, Pinboard, and Mozilla Pocket. Which bookmark manager is your favorite?

Scott Gilbertson, writing for The Register: The legacy of Internet Explorer 6 haunts web developer nightmares to this day. Microsoft's browser of yore made their lives miserable and it's only slightly hyperbolic to say it very nearly destroyed the entire internet. It really was that bad, kids. It made us walk to school in the snow. Uphill. Both ways. You wouldn't understand. Or maybe you would. Today developers who want to use "cutting-edge" web APIs find themselves resorting to the same kind of browser-specific workarounds, but this time the browser dragging things down comes from Apple. Apple's Safari lags considerably behind its peers in supporting web features. Whether it's far enough behind to be considered "the new IE" is debatable and may say more about the shadow IE still casts across the web than it does about Safari. But Safari -- or more specifically the WebKit engine that powers it -- is well behind the competition. According to the Web Platform Tests dashboard, Chrome-based browsers support 94 per cent of the test suite, and Firefox pulls off 91 per cent, but Safari only manages 71 per cent.

On the desktop this doesn't matter all that much because users can always switch to Google Chrome (or even better, Vivaldi). On iOS devices, however, that's not possible. According to Apple's App Store rules: "apps that browse the web must use the appropriate WebKit framework and WebKit Javascript." Every iPhone user is a Safari/WebKit user whether they use Safari or Chrome. Apple has a browser monopoly on iOS, which is something Microsoft was never able to achieve with IE. In Windows you could at least install Firefox. If you do that on iOS it might say Firefox, but you're still using WebKit. The reality is if you have an iOS device, you use Safari and are bound by its limitations. Another thing web developers find distressing is Apple's slow development cycle. Apple updates Safari roughly every six months at best. Blink-based browsers update every six weeks (soon every four), Firefox releases every four weeks, and Brave releases every three. This means that not only is Apple slow to add new features, but its development cycle means that even simple bug fixes have to wait a long time before they actually land on users' devices. Safari workarounds are not quick fixes. If your website is affected by a Safari bug, you can expect to wait up to a year before the problem is solved. One theme that emerges when you dig into the Web Platform Tests data on Safari's shortcomings is that even where WebKit has implemented a feature, it's often not complete.

Andrew Cunningham writes via Ars Technica: It has been well over a decade since PowerPC Macs roamed the earth -- so long that the Intel Macs that replaced them are themselves being replaced by something else. But to this day, there's a small community of people still developing software for PowerPC Macs and Mac OS 9. One of those projects was TenFourFox, a fork of the Firefox browser for G3, G4, and G5-based PowerPC Macs running Mac OS X 10.4 or 10.5. Maintained primarily by Cameron Kaiser, the TenFourFox project sprang up in late 2010 after Mozilla pulled PowerPC support from Firefox 4 during its development. And amazingly, the browser has continued to trundle on ever since.

But continuing to backport Firefox features to aging, stuck-in-time PowerPC processors only got more difficult as time went on. And in March of this year, Kaiser announced that TenFourFox updates would be ending after over a decade of development. The final planned release of TenFourFox was earlier this month. Kaiser's full post is long, but it's worth a read for vintage-computer enthusiasts or anyone who works on software -- Kaiser expresses frustration with the realities of developing and supporting a niche app, but he also highlights TenFourFox's impressive technical achievements and ruminates on the nature of the modern Internet and open source software development [...].

Kaiser doesn't intend to fully halt work on the browser, but he is downshifting it into what he calls "hobby mode." He will continue to backport security patches from newer ESR releases of Firefox and post them to the TenFourFox Github page, but anyone who wants to use these will need to build the app themselves. Kaiser also won't commit to providing support for these additions or providing them on any kind of schedule. Other developers are also welcome to continue to release TenFourFox builds on their own.

Following a brief beta-testing period, Ubuntu 21.10 has finally become available to download in the "final" stable form. BetaNews: Code-named "Impish Indri," this version of Ubuntu is not a Long Term Support (LTS) version, so it is only supported for nine months. Ubuntu 21.10 features Linux kernel 5.13 and a Snap variant of the Mozilla Firefox browser. "Ubuntu 21.10 brings the all-new PHP 8 and GCC 11 including full support for static analysis, greatly improving everyday developer security awareness in low-level programming. With Gnome 40 desktop users gain dynamic workspaces and touchpad gestures. The new Firefox snap, published by Mozilla, improves security and guarantees access to both the latest and the extended support release versions of the browser. The exact same versions of the browser are available on multiple different versions of Ubuntu, simplifying enterprise developer platform management," says Canonical.