HTTP/3, the next major iteration of the HTTP protocol, is getting a big boost today with support added in Cloudflare, Google Chrome, and Mozilla Firefox. From a report: Starting today, Cloudflare announced that customers will be able to enable an option in their dashboards and turn on HTTP/3 support for their domains. That means that whenever users visit a Cloudflare-hosted website from an HTTP/3-capable client, the connection will automatically upgrade to the new protocol, rather than being handled via older versions. On the browser side, Chrome Canary added support for HTTP/3 earlier this month. Users can enable it by using the Chrome command-line flags of "--enable-quic --quic-version=h3-23". In addition, Mozilla too announced it would roll out support for HTTP/3. The browser maker is scheduled to ship HTTP/3 in an upcoming Firefox Nightly version later this fall.

Mozilla announces in a blog post: We typically ship a major Firefox browser (Desktop and Android) release every 6 to 8 weeks. Building and releasing a browser is complicated and involves many players. To optimize the process, and make it more reliable for all users, over the years we've developed a phased release strategy that includes 'pre-release' channels: Firefox Nightly, Beta, and Developer Edition. With this approach, we can test and stabilize new features before delivering them to the majority of Firefox users via general release.

And today we're excited to announce that we're moving to a four-week release cycle! We're adjusting our cadence to increase our agility, and bring you new features more quickly. In recent quarters, we've had many requests to take features to market sooner. Feature teams are increasingly working in sprints that align better with shorter release cycles. Considering these factors, it is time we changed our release cadence. Starting Q1 2020, we plan to ship a major Firefox release every 4 weeks. Firefox ESR release cadence (Extended Support Release for the enterprise) will remain the same. In the years to come, we anticipate a major ESR release every 12 months with 3 months support overlap between new ESR and end-of-life of previous ESR. The next two major ESR releases will be ~June 2020 and ~June 2021.

Mozilla has quietly launched a new product for enterprise customers: Ability to buy paid premium support for Firefox. From a report: The premium enterprise support for Firefox costs $10 per supported installation and offers customers the ability to submit bugs privately, get critical security bug fixes, get access to a private customer portal, get access to the enterprise critical issues distribution list, and have the ability to contribute to Firefox and its roadmap. According to Mozilla, it will support Firefox installations as long as they are running on machines that meet the system requirements. Windows, Mac, and Linux based operating systems are listed in the systems requirements so all platforms should be covered by the premium support.

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.

Mozilla is resurrecting its recently expunged Test Pilot program with a renewed focus on privacy-focused tools and products. The Firefox developer today lifted the lid on the first product to emerge from the new Test Pilot, and it appears to be something akin to a virtual private network (VPN) in all but name. From a report: Firefox Private Network, as the new tool is called, is available in beta today for logged-in Firefox desktop users in the U.S. only, and is accessible through a browser extension. By way of a quick recap, Mozilla debuted Firefox Test Pilot a decade ago but then relaunched it back in 2016. Test Pilot went on to attain an average of 100,000 daily users, each looking to test Mozilla's latest developments -- including a price-tracking feature for online shoppers, content recommendations based on browsing activity, and more.

Some of these became full-fledged features within Firefox and others did not, but back in January Mozilla announced it was killing its Test Pilot program altogether. This came as something of a surprise given Mozilla's own statements about the success of the program. At the time, Mozilla said it was "evolving" its approach to experimentation and suggested it was looking to ideate more widely across the company. Fast-forward nine months, and Firefox Test Pilot is back for a third time.

This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology.
Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic."

"We feel confident that enabling DNS-over-HTTPS by default is the right next step."

New submitter q4Fry writes: When Google released its changes to the Chrome WebExtensions API for comment, many groups criticized them for cutting off ad-blockers at the knees. Now, Mozilla has released its plan for following (and departing from) the APIs that Chrome may adopt.

Mozilla has switched on Firefox's tracking protection feature for everyone on Windows and Android, dialing up its effort to protect privacy from website publishers and advertisers that would like to keep tabs on your online behavior. From a report: Mozilla enabled tracking protection for new Firefox users in June, but now it's on for everyone, the nonprofit said Tuesday. Tracking protection is all the rage among browser makers, including Apple's Safari, Brave Software's Brave and Microsoft's new Chromium-based Edge. Even Google's Chrome, long the laggard among major browsers, is starting to tackle the problem. It's a thorny issue for websites and advertisers that seek to improve advertising revenue by targeting ads based on their assessment of your interests. "Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today's release, we expect to provide protection for 100% of ours users by default," Mozilla said in a blog post Tuesday.

Mozilla teased today an upcoming update for Firefox on macOS that it says will reduce power consumption by a factor of up to three. From a report: The primary beneficiaries of this upcoming update are Macbook users, who can now expect longer battery lives while using Firefox. Firefox's increased battery consumption has been a problem for Mozilla, and a black stain on the Firefox Quantum release -- a revamped, performance-centric version of the older Firefox browser. While Firefox Quantum has received praises for its increased page loading speeds, Macbook users haven't been that delighted, especially when they're mobile and have to rely on the notebook's battery as long as possible.

thegarbz writes: It seems not a day goes by without yet another story reflecting poorly on major browsers. Not uncommon are stories that are mixed with a degree of bloat, either discussing rarely used features or directly criticizing memory consumption of major browsers. Unfortunately memory consumption is quite often the result of complete feature implementation of technologies used on the web, including DRM for streaming services and WebRTC. Other times it's the result of security measures, feature creep, or poor coding.

So in 2019 for those of us with slower tablets, what browser do you use as an alternative to the big two? How well does it work with the modern HTML5 internet? Are websites frequently broken does the simplicity of other browsers largely go unnoticed?

An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Chris Beard announced today his plans to step down as Mozilla Corporation CEO at the end of 2019. Beard joined the web software company in 2004, remaining an employee since then, with the exception of 2013, when he left to become Greylock's "executive-in-residence," while remaining on as an advisor. From a report: Beard was appointed interim CEO for Mozilla in April 2014, coming on as full time chief executive in July of that same year. The company has seen a bit of a resurgence in recent years, after having ceded much of its browser marketshare to the likes of Google and Apple. Firefox has undergone something of a renaissance over the past year, as have the company's security tools. "Today our products, technology and policy efforts are stronger and more resonant in the market than ever, and we have built significant new organizational capabilities and financial strength to fuel our work," Beard said in the blog post. "From our new privacy-forward product strategy to initiatives like the State of the Internet we're ready to seize the tremendous opportunity and challenges ahead to ensure we're doing even more to put people in control of their connected lives and shape the future of the internet for the public good."

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as such Facebook, Google, Twitter, Instagram, and YouTube.

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.
AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

Earlier this week on the Linux kernel mailing list, Artem S. Tashkinov described a low-memory scenario where "the system will stall hard. You will barely be able to move the mouse pointer. Your disk LED will be flashing incessantly..."

"I'm afraid I have bad news for the people snickering at Linux here," wrote Chris Siebenmann, a sys-admin at the University of Toronto's CS lab. "If you're running without swap space, you can probably get any Unix to behave this way under memory pressure..." In the old days, this usually was not very much of an issue because system RAM was generally large compared to the size of programs and thus the amount of file-backed pages that were likely to be in memory. That's no longer the case today; modern large programs such as Firefox and its shared libraries can have significant amounts of file-backed code and data pages (in addition to their often large use of dynamically allocated memory, ie anonymous pages).
A production engineer (now on Facebook's Web Foundation team) wrote about experiencing similar issues years ago when another company had disabled swapping when they replaced or reinstalled machines -- leading to lots of pages from hosts that had to be dealt with. This week they wrote: I stand by my original position: have some swap. Not a lot. Just a little. Linux boxes just plain act weirdly without it. This is not permission to beat your machine silly in terms of memory allocation, either... If you allocate all of the RAM on the machine, you have screwed the kernel out of buffer cache it sorely needs. Back off.

Put another way, disk I/O that isn't brutally slow costs memory. Network I/O costs memory. All kinds of stuff costs memory. It's not JUST the RSS of your process. Other stuff you do needs space to operate. If you try to fill a 2 GB box with 2 GB of data, something's going to have a bad day! You have to leave room for the actual system to run or it's going to grind to a stop.

Dan Goodin, reporting for ArsTechnica: When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people's browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head. DataSpii begins with browser extensions -- available mostly for Chrome but in more limited cases for Firefox as well -- that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as "God mode for the Internet" and uses the tag line "See Anyone's Analytics Account."

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords -- but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.) Further reading: More on DataSpii: How extensions hide their data grabs -- and how they're discovered.

Starting in Firefox 70, Mozilla aims to have the browser report when any of your saved logins were found in data breaches. This will be done through their partnership with the Have I Been Pwned data breach site. From a report: Mozilla is slowly integrating their independent Firefox Monitor service and the new Firefox Lockwise password manager directly into Firefox. Mozilla is also considering premium services based around these features in the future. As part of this integration, Firefox will scan the saved login names and passwords and see if they were exposed in a data breach listed on Have I been Pwned. If one is found, Firefox will alert the user and prompt them to change their password. This new feature will only work, though, for data breaches that exposed passwords and when the password was saved prior to an associated data breach.

Mozilla today launched Firefox 68 for Windows, Mac, Linux, Android, and iOS. Firefox 68 includes a darker reader view, recommended extensions, IT Pro customizations, and more. From a report: As part of this release, Mozilla has curated a list of recommended extensions "that have been thoroughly reviewed for security, usability, and usefulness." You can find the list on the Get Add-ons page in the Firefox Add-ons Manager (about:addons). While Firefox has had dark mode for months, the Reader View's dark contrast only covered the text area. Now, when you change the contrast to dark, all sections of the site (including sidebars and toolbars) will be immersed in dark mode.

With Firefox 60, Mozilla introduced an enterprise version of the browser that employers can customize. This let IT professionals configure Firefox for their organization, either using Group Policy on Windows or a JSON file that works across Windows, Mac, and Linux. With Firefox 68, Mozilla has added more enterprise policies -- to configure or remove the new tab page, turn off search suggestions, and so on.

Firefox browser maker Mozilla is blocking the United Arab Emirates' government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage program. From a report: Mozilla said in a statement on Tuesday it was rejecting the UAE's bid to become a globally recognized internet security watchdog, empowered to certify the safety of websites for Firefox users. Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking program. Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter's headquarters.

Mozilla is funding a project for bringing the Julia programming language to Firefox and the general browser environment. From a report: The project received funding part of the Mozilla Research Grants for the first half of 2019, which the browser maker announced on Friday. In April, when Mozilla opened this year's submissions period for research grants, the organization said it was looking for a way to bring data science and scientific computing tools to the web. It said it was specifically interested in receiving submissions about supporting R or Julia at the browser level. Both R and Julia are programming languages designed for high-performance numerical, statistical, and computational science.

Mozilla engineers have worked in previous years to port data science tools at the browser level, as part of Project Iodide. Previously, as part of this project, Mozilla engineers ported the Python interpreter to run in the browser using WebAssembly. "This project, Pyodide, has demonstrated the practicality of running language interpreters in WebAssembly," Mozilla engineers said.