Microsoft

Consider Switching From Internet Explorer, Says US Homeland Security (lifehacker.com) 46

Slashdot reader SmartAboutThings writes: While Microsoft Edge is right on track to replace Internet Explorer, it seems that the last one is a bigger security liability than you may think. In a newly released advisory, the Cybersecurity and Infrastructure Security Agency (CISA) [an agency within America's Department of Homeland Security] is warning users about an IE vulnerability.

To keep your personal data safe and not expose your PC to dangerous malware, the agency further recommends "Consider using Microsoft Edge or an alternate browser until patches are made available." As a reminder, this is not the first international agency that ranks IE's security very low, as Germany's BSI shared a couple of months back a similar study.

Lifehacker's senior technology editor notes that the new vulnerability affects "various permutations of Internet Explorer 9, 10, and 11 across Windows 7, 8.1, and Windows 10 (as well as various editions of Windows Server).

"The bad news is that Microsoft won't likely patch this problem until February -- when the next major batch of security updates hits." But they offer a work-around of their own until then which involves opening an administrative command prompt to restrict access to the deprecated JScript library used by the exploit.

Otherwise, don't click on links from strangers, and if you're using IE switch to Edge. And Microsoft explains what will happen if you used Internet Explorer to visit a web site designed to exploit the vulnerability. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Mozilla

Mozilla Wants Young People To Consider 'Ethical Issues' Before Taking Jobs In Tech (vice.com) 107

An anonymous reader quotes a report from Motherboard: The Mozilla Foundation, the non-profit arm of the company known for its privacy-friendly web browser Firefox, released a guide today for helping students navigate ethical issues in the tech industry, in particular, during the recruitment process. The guide advises students not to work for companies that build technology that harms vulnerable communities, and to educate themselves "on governance" inside companies before taking a job. It also discusses union drives, walkouts, petitions, and other forms of worker organizing.

The guide, which takes the form of a zine titled "With Great Tech Comes Great Responsibility," follows events hosted by the Mozilla Foundation last fall in partnership with six university campuses, including UC Berkeley, N.Y.U., M.I.T., Stanford, UC San Diego, and CSU Boulder. Not so subtly, it calls out Amazon, Palantir, and Google, which have faced backlash in recent months from tech workers as well as students on the campuses where they recruit.
"Addressing ethical issues in tech can be overwhelming for students interested in working in tech. But change in the industry is not impossible. And it is increasingly necessary," reads the opening of the 11-page handbook -- citing military contracts, algorithmic bias, inhumane working conditions in warehouses, biased facial recognition software, and intrusive data mining as causes for concern.
Chrome

Why This Time The New Browser Wars Are Different (theverge.com) 89

The Verge argues that the browser wars "are back, but it's different this time."
The mobile web is broken and unfettered tracking and data sharing have made visiting websites feel toxic, but since the ecosystem of websites and ad companies can't fix it through collective action, it falls on browser makers to use technological innovations to limit that surveillance, however each company that makes a browser is taking a different approach to creating those innovations, and everybody distrusts everybody else to act in the best interest of the web instead of the best interest of their employers' profits... I've been avoiding getting into the precise details of the proposals out there to fix the tracking problem because things are changing so quickly across so many different tracks... Until then, know that there are two important things to know.

First: there are new browser technologies and limits coming that could radically change how ads work and could make it easier for you to protect your privacy no matter what browser you use. Since this is the web, it'll take time, but everybody seems committed. Second: the way many of us think about a Browser War is in terms of marketshare -- and that is the wrong metric this time. There is a browser war, but it won't be won or lost based on who can convince the most people to switch to their browser. Because most people can't or won't switch on the platform that matters: mobile.

In 2020, the desktop is a minor skirmish compared to browsers on phones. On phones, many people aren't really free to choose their browser. That's literally true on the iPhone, which Apple locks down so apps can only use its web rendering technology. And it's for-intents-and-purposes true on Android, where the vast majority of browsers just use Chromium. Yes, there is an Android browser ballot happening in Europe, but it's much too early to know what its effects will be....

The new Browser Wars aren't about who makes the fastest or best browser, they're about whose services you want and whose data policies you trust.

Chrome

Browser Benchmark Battle: Chrome Vs. Firefox Vs. Edge Vs. Brave 101

An anonymous reader writes: It's been some 18 months since VentureBeat's last browser benchmark battle. What better time to get the latest results than the start of a new year? Over the past year and a half, Google Chrome has continued to dominate market share, Mozilla Firefox has doubled down on privacy, Microsoft Edge has embraced Chromium, and Brave launched out of beta.

You can click on the individual test to see the results:
SunSpider: Edge wins!
Octane: Chrome wins!
Kraken: Firefox wins!
JetStream: Edge wins!
MotionMark: Edge wins!
Speedometer: Edge wins!
Basemark: Brave wins!
WebXPRT: Firefox wins!

The Chromium version of Edge did a lot better given that the stable release only arrived this week. We were expecting improvements, but not so many outright wins. That said, browser performance was solid across all four contestants -- each browser won at least one test. Performance of course shouldn't be your only consideration when picking your preferred app for consuming internet content. As long as you're using a browser that receives regular updates (and all four of these meet that criteria), you can expect performance to be solid. There is certainly room for improvement, but Chrome, Firefox, and now Edge, as well as Brave, are all quite capable.
Mozilla

Mozilla Lays Off 70 As It Waits For New Products To Generate Revenue (techcrunch.com) 55

According to TechCrunch, Mozilla has laid off about 70 employees today. From the report: In an internal memo, Mozilla chairwoman and interim CEO Mitchell Baker specifically mentions the slow rollout of the organization's new revenue-generating products as the reason for why it needed to take this decision. The overall number may still be higher, though, as Mozilla is still looking into how this decision will affect workers in the UK and France. In 2018, Mozilla Corporation (as opposed to the much smaller Mozilla Foundation) said it had about 1,000 employees worldwide.

Baker says laid-off employees will receive "generous exit packages" and outplacement support. She also notes that the leadership team looked into shutting down the Mozilla innovation fund but decided that it needed it in order to continue developing new products. In total, Mozilla is dedicating $43 million to building new products.
"You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search. This did not happen," Baker writes in her memo. "Our 2019 plan underestimated how long it would take to build and ship new, revenue-generating products. Given that, and all we learned in 2019 about the pace of innovation, we decided to take a more conservative approach to projecting our revenue for 2020. We also agreed to a principle of living within our means, of not spending more than we earn for the foreseeable future."

"As we look to the future, we know we must take bold steps to evolve and ensure the strength and longevity of our mission," Baker adds. "Mozilla has a strong line of sight to future revenue generation, but we are taking a more conservative approach to our finances. This will enable us to pivot as needed to respond to market threats to internet health, and champion user privacy and agency."
Microsoft

Microsoft Launches Chromium Edge for Windows 7, Windows 8, Windows 10, and macOS (venturebeat.com) 59

Microsoft today launched its new Edge browser based on Google's Chromium open source project. You can download Chromium Edge now for Windows 7, Windows 8, Windows 10, and macOS directly from microsoft.com/edge in more than 90 languages. From a report: Business features aside, there's also support for Chrome-based extensions, 4K streaming, Dolby audio, inking in PDF, and privacy tools. For the last one, it's worth noting that tracking prevention is on by default and offers three levels of control, like Firefox's tracking protection. Chrome extension support is probably the most important feature for most users. By default, extensions that have been ported over to Edge can be downloaded from the Microsoft Store. Chromium Edge also has an option to "Allow extensions from other stores" to get Chrome extensions from the Chrome Web Store. There are still a few features missing from Chromium Edge, most notably history sync and extension sync. Microsoft is working on these and some other inking functionality that it still wants to port from legacy Edge, as Microsoft is calling it. Microsoft also claims that Chromium Edge is "twice as fast as legacy Edge." Curiously, the team isn't making any claims against other browsers -- at least not yet.
Chrome

'Why I Finally Switched from Chrome to Firefox - and You Should Too' (digitaltrends.com) 254

In 2018 an associate technology editor at Fast Company's Co.Design wrote an article titled "Why I'm switching from Chrome to Firefox and you should too."

Today shanen shared a similar article from Digital Trends. Their writer announces that after years of experimenting with both browsers, they've also finally switched from Chrome to Mozilla Firefox -- "and you should too." The biggest draw for me was, of course, the fact that Mozilla Firefox can finally go toe-to-toe with Google Chrome on the performance front, and often manages to edge it out as well... Today, in addition to being fast, Firefox is resource-efficient, unlike most of its peers. I don't have to think twice before firing up yet another tab. It's rare that I'm forced to close an existing tab to make room for a new one. On Firefox, my 2015 MacBook Pro's fans don't blast past my noise-canceling headphones, which happened fairly regularly on Chrome as it pushed my laptop's fans to their helicopter-like limits to keep things running. This rare balance of efficiency and performance is the result of the countless under-the-hood upgrades Firefox has rolled out in the last couple of years...

Its Enhanced Tracking Protection framework keeps your identity safe by blocking trackers and cookies that otherwise follow you around the internet and collect sensitive information you probably didn't even know you were giving up. On top of that, Firefox can warn if a website is covertly mining cryptocurrency in the background. Most of these protections kick in by default and you have an exhaustive set of options to customize them the way you want. Firefox also lets you look into just how invasive a website is. It actively updates your personal privacy report so you can check how many trackers it has shut overall and for a specific website...

What really clinched the switch to Mozilla Firefox was the fact that it's the only cross-platform browser that's not running Google's open-source Chromium platform. Microsoft's Edge, Brave, Opera, Vivaldi -- each of these browsers run on Chromium, accelerating Google's dominance over the web even when you're not directly using a Chrome user. Firefox, on the other hand, is powered by Mozilla's in-house Gecko engine that's not dependent on Chromium in any way. It may not seem like as vital of a trait as I make it sound, but it truly is, even though Chromium is open-source. Google oversees a huge chunk of the web, including ads, browser, and search, and this supremacy has allowed the company to pretty much run a monopoly and set its own rules for the open internet...

Mozilla as a company has, despite a rocky journey, often taken bold stances in complex situations. In the Cambridge Analytica aftermath, Mozilla announced it would no longer run Facebook advertisements, cutting off direct marketing to over 2 billion users. In a world of tech companies taking frail, facile shots at protecting user privacy and barely delivering on their commitments, Mozilla is a breath of fresh air and you no longer have to live with any compromises to support it.

Mozilla

Mozilla Says a New Firefox Security Bug is Under Active Attack (techcrunch.com) 68

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, found by Chinese security company Qihoo 360, was found in Firefox's just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.
Chrome

Google Chrome To Hide Notification Spam Starting February 2020 (zdnet.com) 50

Following in Mozilla's footsteps, Google announced today plans to hide notification popup prompts inside Chrome starting next month, February 2020. ZDNet reports: According to a blog post published today, Google plans to roll out a "quieter notification permission UI that reduces the interruptiveness of notification permission requests." The change is scheduled for Google Chrome 80, scheduled for release on February 4, next month.

Starting with Chrome 80 next month, Google's browser will also block most notification popups by default, and show an icon in the URL bar, similar to Firefox. When Chrome 80 launches next month, a new option will be added in the Chrome settings section that allows users to enroll in the new "quieter notification UI." Users can enable this option as soon as Chrome 80 is released, or they can wait for Google to enable it by default as the feature rolls out to the wider Chrome userbase in the following weeks. According to Google, the new feature works by hiding notification requests for Chrome users who regularly dismiss notification prompts. Furthermore, Chrome will also automatically block notification prompts on sites where users rarely accept notifications.

Firefox

Firefox 72 Arrives With Fingerprinting Blocked By Default, Picture-in-Picture on macOS and Linux (venturebeat.com) 49

Mozilla today launched Firefox 72 for Windows, Mac, Linux, and Android. Firefox 72 includes fingerprinting scripts blocked by default, less annoying notifications, and Picture-in-Picture video on macOS and Linux. There isn't too much else here, as Mozilla has now transitioned Firefox releases to a four-week cadence (from six to eight weeks).
Privacy

Mozilla: All Firefox Users Get California's CCPA Privacy Rights To Delete Personal Data (zdnet.com) 34

Mozilla has announced that it's rolling out changes under the California Consumer Privacy Act (CCPA) to all Firefox users worldwide. ZDNet reports: The CCPA, known as America's toughest privacy legislation, came into effect on January 1, 2020, offering Californian users data-protection rules better suited to today's world of data collection. Much like Europe's GDPR, the CCPA gives consumers the right to know what personal information is collected about them and to be able to access it. While the law technically only applies to data processed about residents in California, Microsoft has already announced that it will roll out CCPA rights to all its U.S. users so they can control their data.

The Californian proposal wasn't popular among Silicon Valley tech giants, but Mozilla notes it was one of the few companies to endorse CCPA from the outset. Mozilla has now outlined the key change it's made to Firefox, which will ensure CCPA regulations benefit all its users worldwide. The move would seem to make business sense too, saving Mozilla from having to ship a California-only version of Firefox and another version for the rest of the world. The main change it's introducing is allowing users to request that Mozilla deletes Firefox telemetry data stored on its servers. That data doesn't include web history, which Mozilla doesn't collect anyway, but it does include data about how many tabs were opened and browser session lengths. The new control will ship in the next version of Firefox due out on January 7, which will include a feature to request desktop telemetry data be deleted directly from the browser.

The Internet

DNS Over HTTPS: Not As Private As Some Think? (sans.edu) 83

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor mans VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
The Internet

Vivaldi To Change User-Agent String To Chrome Due To Unfair Blocking (zdnet.com) 88

Because some internet websites unfairly block browsers from accessing their services, starting with Vivaldi 2.10, released today, the Vivaldi browser plans to disguise itself as Chrome to allow users to access websites that unfairly block them. From a report: Vivaldi will do this by modifying its default user-agent (UA) string to the UA string used by Chrome. A UA string is a piece of text that browsers send to websites when they initiate a connection. The UA String contains data about the browser type, rendering engine, and operating system. For example, a UA string for Firefox on Windows looks like this: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0. UA strings have been in use since the 90s. For decades, websites have used UA agent strings to fine-tune performance and features or block outdated browsers. However, many website owners these days use UA strings to block users from accessing their sites. Some do it because they're not willing to deal with browser-specific bugs, some do it because of pettiness, while big tech companies like Google and Microsoft have done it (and continue to do it) to sabotage competitors on the browser market.
Mozilla

Mozilla To Add Second DNS-over-HTTPS (DoH) Provider in Firefox (zdnet.com) 67

Mozilla has announced that NextDNS would be joining Cloudflare as the second DNS-over-HTTPS (DoH) provider inside Firefox. From a report: The browser maker says NextDNS passed the conditions imposed by its Trusted Recursive Resolver (TRR) program, and can now be added as a second option for DoH inside Firefox. These conditions include (1) limiting the data NextDNS collects from the DoH server used by Firefox users; (2) being transparent about the data they collect; and (3) promising not to censor, filter, or block DNS traffic unless specifically requested by law enforcement.

DNS-over-HTTPS, or DoH, is a new feature that was added to Firefox last year. When enabled, it encrypts DNS traffic coming in and out of the browser. DNS traffic is not only encrypted but also moved from port 53 (for DNS traffic) to port 443 (for HTTPS traffic), effectively hiding DNS queries and replies inside the browser's normal stream of HTTPS content. This encrypted DNS traffic reaches a so-called DoH resolver. Here, the DoH traffic is decrypted and the DoH resolver makes the DNS query on the user's behalf, receives the result, encrypts it, and sends it back to the user's browser -- also disguised inside encrypted HTTPS content.

Chrome

Is Microsoft's Chromium Edge Browser Better Than Firefox and Chrome? (androidauthority.com) 113

Android Authority argues that the new Microsoft Chromium Edge browser "is full of neat tricks" and "packs more features than Firefox": The final major feature is called Apps. Essentially, Apps allows you to download and install web pages and web apps for use without the Edge browser. Previously, you had to find these dedicated web apps via the Microsoft Store, but now Edge handles downloading and managing web apps all in the browser. For example, you can download the Twitter web app via Edge just by visiting the Twitter website and clicking "install this site as an app" from the settings menu. Once installed, you can run the webpage as an app directly from your desktop, taskbar, or start menu like any other piece of software. It's like saving links only better, as some web apps can run offline too. Alternatively, you can install the Android Authority webpage and run it as an app to catch up with the latest news without having to boot up Edge each time. It's pretty neat and something that I intend to use more often.

Overall, Edge offers everything you'll want in a web browser and more. Microsoft finally feels on the cutting edge of the internet.

The browser does have a smaller range of supported extensions, but you can also manually install Chrome extensions, according to the article. It adds that Microsoft Edge Chromium "typically uses just 70 to 75 percent of the RAM required by Chrome [and] is even more lightweight than Firefox."

And while acknowledging that Microsoft's Windows 10 "has its share" of telemetry issues, the article adds that "at no point during my couple of weeks with Edge have I noticed it thrashing my hard drive.

"Chrome has a habit of scanning various files on my computer, despite opting out of all the available data sharing options. This isn't great for system performance and raises obvious security questions."
Programming

WebAssembly Becomes W3C Standard, Reaches 1.0 (thenewstack.io) 78

An anonymous reader quotes Mike Melanson's "This Week in Programming" column: WebAssembly is a binary instruction format for a stack-based virtual machine and this week, the World Wide Web Consortium (W3C) dubbed it an official web standard and the fourth language for the Web that allows code to run in the browser, joining HTML, CSS and JavaScript... With this week's news, WebAssembly has officially reached version 1.0 and is supported in the browser engines for Firefox, Chrome, Safari, and Internet Explorer, and the Bytecode Alliance launched last month to help ensure "a WebAssembly ecosystem that is secure by default" and for bringing WebAssembly to outside-the-browser use.

Of course, not everything is 100% rosy. As pointed out by an article in The Register, WebAssembly also brings with it an increased level of obfuscation of what exactly is going on, giving it an increased ability to perform some surreptitious actions. For example, they cite one study that "found 'over 50 percent of all sites using WebAssembly apply it for malicious deeds, such as [crypto] mining and obfuscation.'" Nonetheless, with WebAssembly gaining this designation by W3C, it is, indeed, time to pay closer attention to the newly nominated Web language standard.

Security

Mozilla To Force All Add-on Devs To Use 2FA To Prevent Supply-Chain Attacks (zdnet.com) 21

Mozilla announced this week that all developers of Firefox add-ons must enable a two-factor authentication (2FA) solution for their account. From a report: "Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal]," said Caitlin Neiman, Add-ons Community Manager at Mozilla. "This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users," Neiman added. When this happens, hackers can use the developers' compromised accounts to ship tainted add-on updates to Firefox users. Since Firefox add-ons have a pretty privileged position inside the browser, an attacker can use a compromised add-on to steal passwords, authentication/session cookies, spy on a user's browsing habits, or redirect users to phishing pages or malware download sites. These types of incidents are usually referred to as supply-chain attacks.
Television

Linux Users Can Now Use Disney+ After DRM Fix (bleepingcomputer.com) 26

"Linux users can now stream shows and movies from the Disney+ streaming service after Disney lowered the level of their DRM requirements," reports Bleeping Computer: When Disney+ was first launched, Linux users who attempted to watch shows and movies were shown an error stating "Something went wrong. Please try again. If the problem persists, visit the Disney+ Help Center (Error Code 83)."

As explained by Hans de Goede, this error was being caused by the Disney+ service using the highest level of security for the Widevine Digital Rights Management (DRM) technology. As some Linux and Android devices did not support this higher DRM security level, they were unable to stream Disney+ shows in their browsers... Yesterday, Twitter users discovered that Disney+ had suddenly started working on Linux browsers after the streaming service tweaked their DRM security levels...

Even with Disney+ lowering the DRM requirements, users must first make sure DRM is enabled in the browser. For example, Disney+ will not work with Firefox unless you enable the "Play DRM-controlled content" setting in the browser.

Mozilla

Mozilla Removes Avast and AVG Extensions From Add-on Portal Over Snooping Claims (zdnet.com) 26

Mozilla today removed four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories. From a report: The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google.
