Chrome

Chrome 75 Released With Web Share API File Support, Numeric Separators and Secret Reader Mode (venturebeat.com) 41

An anonymous reader writes: Google this week released Chrome 75 for Windows, Mac, Linux, Android, and iOS. The release includes a hint for low latency canvas contexts, files supported in the Web Share API, numeric separators, and more developer features. [...] Next, files are now supported by the Web Share API. For years, Google has been working to bring native sharing capabilities to the web. The Web Share API allows web apps to invoke the same share dialog box as a native app. The implementation brings a new method and a new shareData property. Numeric literals now allow underscores (_, U+005F) as separators to make them more readable. Underscores can only appear between digits, and consecutive underscores are not allowed. There is also a reader mode that is not enabled by default. From a report: The big feature included with Chrome 75 is the addition of a hidden Reader Mode, similar to the one included with Firefox. This new Reader Mode is not active by default and must be turned on using one of Google Chrome's experimental flags -- which until recently has only been available in the Chrome Canary distribution. To enable and test Chrome's new Reader Mode, users must visit the chrome://flags/#enable-reader-mode section, and enable the Reader Mode option, as in the screenshot below. Chrome for Android includes these two features: 1. Generate strong and unique passwords with Chrome's built-in password manager. 2. Quickly look up your passwords by tapping any password field and using the new keyboard option.
Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 51

An anonymous reader quotes a report from VentureBeat: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses.

If you download a fresh copy of Firefox today, Enhanced Tracking Protection will be on by default as part of the Standard setting. That means third-party tracking cookies are blocked without users having to change a thing. You will notice Enhanced Tracking Protection working if there is a shield icon in the address bar. If you click on the shield icon and open the Content Blocking section and then Cookies, you'll see a Blocking Tracking Cookies section. There you can see the companies listed as third-party cookies and trackers that Firefox has blocked. You can also turn off blocking for a specific site. The feature focuses on third-party trackers (the ad industry) while allowing first-party cookies (logins, where you last left off, and so on). Mozilla says it is enabling Enhanced Tracking Protection by default because most users don't change their browser settings.

Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 69

An anonymous reader writes: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses. Mozilla added basic Tracking Protection to Firefox 42's private browsing mode in November 2015. The feature blocked website elements (ads, analytics trackers, and social share buttons) based on Disconnect's tracking protection rules. With the release of Firefox 57 in November 2017, Mozilla added an option to enable Tracking Protection outside of private browsing. (Tracking Protection was not turned on by default because it can break websites and cut off revenue streams for content creators who depend on third-party advertising.)
Chromium

Google Forces Microsoft Edge Preview Users To Use Chrome For Modern YouTube Experience (thurrott.com) 137

An anonymous reader quotes a report from Thurrott: Microsoft started testing a new Microsoft Edge browser based on Chromium a little while ago. The company has been releasing new canary and dev builds for the browser over the last few weeks, and the preview is actually really great. But if you watch YouTube quite a lot, you will face a new problem on the new Edge. It turns out, Google has randomly disabled the modern YouTube experience for users of the new Microsoft Edge. Users are now redirected to the old YouTube experience, which lacks the modern design as well as the dark theme for YouTube, as first spotted by Gustave Monce. And when you try to manually access the new YouTube from youtube.com/new, YouTube simply asks users to download Google Chrome, stating that the Edge browser isn't supported. Ironically, the same page states "We support the latest versions of Chrome, Firefox, Opera, Safari, and Edge." The change affects the latest versions of Microsoft Edge Canary and Dev channels. It is worth noting that the classic Microsoft Edge based on EdgeHTML continues to work fine with the modern YouTube experience.
Chrome

Google's Chrome Becomes Web 'Gatekeeper' and Rivals Complain (bloomberg.com) 207

Few home-grown Google products have been as successful as Chrome. Launched in 2008, it has more than 63% of the market and about 70% on desktop computers, according to StatCounter data. Mozilla's Firefox is far behind, while Apple's Safari is the default browser for iPhones. Microsoft's Internet Explorer and Edge browsers are punchlines. From a report: Google won by offering consumers a fast, customizable browser for free, while embracing open web standards. Now that Chrome is the clear leader, it controls how the standards are set. That's sparking concern Google is using the browser and its Chromium open-source underpinnings to elbow out online competitors and tilt entire industries in its favor. Most major browsers are now built on the Chromium software code base that Google maintains. Opera, an indie browser that's been used by techies for years, swapped its code base for Chromium in 2013. Even Microsoft is making the switch this year. That creates a snowball effect, where fewer web developers build for niche browsers, leading those browsers to switch over to Chromium to avoid getting left behind.

This leaves Chrome's competitors relying on Google employees who do most of the work to keep Chromium software code up to date. Chromium is open source, so anyone can suggest changes to it, but the majority of programmers who approve contributions are Google employees, and any major disagreements get settled by a small circle of senior Google employees. Chrome is so ascendant these days that web developers often don't bother to test their sites on competing browsers. Google services including YouTube, Docs and Gmail sometimes don't work as well on rival browsers, sending frustrated users to Chrome. Instead of just another ship slicing through the sea of the web, Chrome is becoming the ocean.

Chrome

Mobile Chrome, Safari and Firefox Failed To Show Phishing Warnings For More Than a Year (zdnet.com) 27

An anonymous reader writes: For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week. "We identified a gaping hole in the protection of top mobile web browsers," the research team said. "Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection." The issue only impacted mobile browsers that used the Google Safe Browsing link blacklisting technology. The research team -- consisting of academics from Arizona State University and PayPal staff -- notified Google of the problem, and the issue was fixed in late 2018. "Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended," researchers said.
Firefox

Firefox 67 Arrives With New Performance and Privacy Features, Voice Search Widget on Android (venturebeat.com) 121

Mozilla today launched Firefox 67 for Windows, Mac, Linux, and Android. From a report: The 10th release since Mozilla's big Firefox Quantum launch in November 2017 doubles down on performance and privacy. Firefox 67 includes deprioritizing least commonly used features, suspending unused tabs, faster startup, blocking of cryptomining and fingerprinting, Private Browsing improvements, voice input in the Android search widget, and more. [...] Firefox 67 is better at performing tasks at the optimal time, resulting in faster "painting" of the page. Specifically, the browser deprioritizes least commonly used features and delays setTimeout to prioritize scripts for things you need. Mozilla says Instagram, Amazon, and Google searches now execute between 40% and 80% faster. Firefox also now scans for alternative style sheets after page load and doesn't load the auto-fill module unless there is a form to complete. Next, Firefox 67 detects if your computer's memory is running low (under 400MB) and suspends unused tabs. If you do click on a tab that you haven't used or looked at in a while, it will reload where you left off. Finally, Firefox 67 promises faster startup for users that customized their browser with an add-on.
Firefox

Mozilla To Track Infrastructure Time-Bombs in Wake of Recent Firefox Armagadd-on (zdnet.com) 123

In the wake of the mass disablement of Mozilla Firefox's add-on ecosystem last weekend, Mozilla has committed to improving its asset tracking and developing a mechanism that can quickly push updates to users when needed. From a report: Due to an intermediate certificate expiring on May 4 at 1AM UTC, users found their browser add-ons were switched off and could not be re-enabled. Thanks to timezones and the rotation of the planet, users on the western side of the Pacific were the first hit. Writing in a blog post, Firefox CTO Eric Rescorla detailed some initial thoughts and announced a formal post-mortem would be published next week. "First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don't find ourselves in a situation where one goes off unexpectedly. We're still working out the details here, but at minimum we need to inventory everything of this nature," Rescorla wrote. "Second, we need a mechanism to be able to quickly push updates to our users even when -- especially when -- everything else is down."
Google

Google Prepares To Launch New Privacy Tools To Limit Cookies (wsj.com) 48

Google is set to launch new tools to limit the use of tracking cookies, a move that could strengthen the search giant's advertising dominance and deal a blow to other digital-marketing companies, WSJ reported Monday, citing people familiar with the matter. [Editor's note: the link may be paywalled; alternative source.] From the report: After years of internal debate, Google could as soon as this week roll out a dashboard-like function in its Chrome browser that will give internet users more information about what cookies are tracking them and offer options to fend them off, the people said. This is a more incremental approach than less-popular browsers, such as Apple's Safari and Mozilla's Firefox, which introduced updates to restrict by default the majority of tracking cookies in 2017 and 2018, respectively. Google's move, which could be announced at its developer conference in Mountain View, Calif., starting Tuesday, is expected to be touted as part of the company's commitment to privacy -- a complicated sell, given the torrent of data it continues to store on users -- and press its sizable advantage over online-advertising rivals.
Firefox

Second Firefox Fix Repairs Broken Browser Extensions For More People (cnet.com) 158

An anonymous reader quotes CNET: "Mozilla on Sunday began distributing new Firefox updates to fix a problem that broke extensions for many browser users on Friday," reports CNET: Mozilla had released an update Saturday, but Sunday's fix should help more people who were still affected. "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday," Mozilla said in a tweet Sunday... "No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or reinstall any add-ons as an attempt to fix the issue," Kev Needham, Mozilla's product manager for add-ons, said in a blog post about the problem.
Government

DuckDuckGo Proposes 'Do-Not-Track Act of 2019' (spreadprivacy.com) 104

"When you turn on the setting in your browser that says 'Do Not Track', you probably expect to no longer be tracked on most websites you visit. Right? Well, you would be wrong," explains DuckDuckGo's blog.

Their recent study found "a quarter of people have turned on this setting" -- representing hundreds of millions of web surfers -- and that most of them were unaware that in fact, "no law requires websites to respect your Do Not Track signals, and the vast majority of sites, including most all of the big tech companies, sadly choose to simply ignore them."

Now they've written draft legislation -- "the Do-Not-Track Act of 2019" -- to "serve as a starting point" for legislators to close this loophole. SearchEngineLand reports: If the act picks up steam and passes into law, sites would be required to cease certain user tracking methods, which means less data available to inform marketing and advertising campaigns. The impact could also cascade into platforms that leverage consumer data, possibly making them less effective. For example, one of the advantages of advertising on a platform like Google or Facebook is the ability to target audiences. If a user enables DNT, the ads displayed to them when browsing those websites won't be informed by their external browsing history...

This proposal is quite far from being signed into law, but the technology is already built into Chrome, Firefox, Opera, Edge and Internet Explorer. With the adoption of GDPR just a year behind us and presidential candidate Elizabeth Warren's proposed legislation to regulate "big tech companies" drawing more attention to digital privacy issues in Washington, the Do-Not-Track Act could be a realistic outcome.

DuckDuckGo says they're announcing their draft legislation because "It is extremely rare to have such an exciting legislative opportunity like this, where the hardest work -- coordinated mainstream technical implementation and widespread consumer adoption -- is already done....

"We hope the Do-Not-Track Act of 2019 serves as a useful guide to start thinking seriously about this amazing legislative opportunity."
Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
Firefox

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code (betanews.com) 148

DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies. "We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.
Android

KaiOS Takes on the iOS-Android Mobile Duopoly (economist.com) 58

An anonymous reader shares a report: The Firefox browser, made by the non-profit Mozilla Foundation, was born as "Phoenix." It rose from the ashes of Netscape Navigator, slain by Microsoft's Internet Explorer. In 2012 Mozilla created Firefox OS, to rival Apple's iOS and Google's Android mobile operating systems. Unable to compete with the duopoly, Mozilla killed the project. Another phoenix has arisen from it [Editor's note: the link may be paywalled]. KaiOS, an operating system conjured from the defunct software, powered 30m devices in 2017 and another 50m in 2018. Most were simple flip-phones sold in the West for about $80 apiece, or even simpler ones which Indians and Indonesians can have for as little as $20 or $7, respectively.

Smartphones start at about $100. The company behind the software, also called KaiOS and based in Hong Kong, designed it for smart-ish phones -- with an old-fashioned number pad and long battery life, plus 4G connectivity, popular apps such as Facebook and modern features like contactless payments, but not snazzy touchscreens. Most such devices are found in India. Reliance Jio, a network that has upended the local mobile industry with heavily discounted 4G data plans, sells subsidised, Jio-branded phones that use KaiOS software. Google, which invested $22m in KaiOS last year, prioritises getting people in emerging markets online, where it can sell their attention to advertisers, over getting them onto Android smartphones. Smart-ish phones help with this.

Programming

Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift (alexgaynor.net) 463

Alex Gaynor is a software engineer at Mozilla working on Firefox, after previously serving as a director of both the Python Software Foundation and the Django Software Foundation.

In a new blog post today, he argues that memory unsafe languages, "principally C and C++," induce an exceptional number of security vulnerabilities, and that the industry needs to migrate to memory-safe languages like Rust and Swift by default. One of the responses I frequently receive is that the problem isn't C and C++ themselves, developers are simply holding them wrong. In particular, I often receive defenses of C++ of the form, "C++ is safe if you don't use any of the functionality inherited from C" or similarly that if you use modern C++ types and idioms you will be immune from the memory corruption vulnerabilities that plague other projects. I would like to credit C++'s smart pointer types, because they do significantly help. Unfortunately, my experience working on large C++ projects which use modern idioms is that these are not nearly sufficient to stop the flood of vulnerabilities...

Modern C++ idioms introduce many changes which have the potential to improve security: smart pointers better express expected lifetimes, std::span ensures you always have a correct length handy, std::variant provides a safer abstraction for unions. However modern C++ also introduces some incredible new sources of vulnerabilities: lambda capture use-after-free, uninitialized-value optionals, and un-bounds-checked span.

My professional experience writing relatively modern C++, and auditing Rust code (including Rust code that makes significant use of unsafe) is that the safety of modern C++ is simply no match for memory safe by default languages like Rust and Swift (or Python and JavaScript, though I find it rare in life to have a program that makes sense to write in either Python or C++). There are significant challenges to migrating existing, large, C and C++ codebases to a different language -- no one can deny this. Nonetheless, the question simply must be how we can accomplish it, rather than if we should try.

The post highlights what he describes as "completely modern C++ idioms which produce vulnerabilities" -- including an example of dangling pointers "despite our meticulous use of smart pointers throughout..."

"Even with the most modern C++ idioms available, the evidence is clear that, at scale, it's simply not possible to hold C++ right."
Chrome

Did Google Sabotage Firefox and IE? (zdnet.com) 231

Firefox's former VP accused Google of sabotaging Firefox -- for example, when Gmail and Google Docs "started to experience selective performance issues and bugs on Firefox" and demo sites "would falsely block Firefox as 'incompatible'... There were dozens of oopses. Hundreds maybe... [W]hen you see a sustained pattern of 'oops' and delays from this organization -- you're being outfoxed."

Now Nightingale's accusations have stirred up some follow-up from technology reporters. An anonymous reader shares a blog post by ZDNet security reporter Catalin Cimpanu: Nightingale is not the first Firefox team member to come forward and make such accusations. In July 2018, Mozilla Program Manager Chris Peterson accused Google of intentionally slowing down YouTube performance on Firefox. He revealed that both Firefox and Edge were superior when loading YouTube content when compared to Chrome, and in order to counteract this performance issue, Google switched to using a JavaScript library for YouTube that they knew wasn't supported by Firefox.

At this point, it's very hard not to believe or take Nightingale's comments seriously. Slowly but surely, Google is becoming the new Microsoft, and Chrome is slowly turning into the new IE, an opinion that more and more users are starting to share.
On Twitter, a senior editor at the Verge added "Google did a lot of 'oops' accidents to Windows Phone, too. Same pattern of behavior with its services and Edge. Oopsy this, oopsy that." The site MSPowerUser also shares a similar story from former Microsoft Edge intern, Joshua Bakita. "I very recently worked on the Edge team, and one of the reasons we decided to end EdgeHTML was because Google kept making changes to its sites that broke other browsers, and we couldn't keep up."

Meanwhile, Computerworld argues that data "backs up Nightingale's admission, to a point." [I]f Google monkey business contributed to Firefox's fall, it must have really damaged Microsoft's IE. During the time it took Chrome to replace Firefox as the No. 2 browser, Firefox lost just 9% of its user share, while IE shed 22%. And Chrome's most explosive growth - which began in early 2016 - didn't come at Firefox's expense; instead, it first hollowed out IE, then suppressed any potential enthusiasm for the follow-on Edge.

Chrome didn't reach its current place -- last month capturing nearly 68% of all browser activity -- by raiding Firefox. It did it by destroying IE.

Oops.

Privacy

'Incognito Mode' Isn't Really Private. Try Browser Compartmentalization (fastcompany.com) 119

tedlistens writes: "One of the most common techniques people think can help hide their activity is the use of an 'incognito' mode in a browser," writes Michael Grothaus at Fast Company. But "despite what most people assume, incognito modes are primarily built to block traces of your online activity being left on your computer -- not the web. Just because you are using incognito mode, that doesn't mean your ISP and sites like Google, Facebook, and Amazon can't track your activity."

However, there's still a way to brew your own, safer "incognito mode." It's called browser compartmentalization. Grothaus writes: "The technique sees users using two or even three browsers on the same computer. However, instead of switching between browsers at random, users of browser compartmentalization dedicate one browser to one type of internet activity, and another browser to another type of internet activity."

Specifically, the article recommends one browser for sites you need to log into, and another for random web surfing and any web searches. "By splitting up your web activity between two browsers, you'll obtain the utmost privacy and anonymity possible without sacrificing convenience or the ease of use of the websites you need to log in to." It recommends choosing a privacy-focused browser like Brave, Firefox, Apple's Safari, or Microsoft's Edge. "As for Chrome: It's made by Google, whose sole aim is to know everything you do online, so it's probably best to stay away from Chrome if you value your privacy."

The article is part of a series titled "The Privacy Divide," which explores "misconceptions, disparities, and paradoxes that have developed around our privacy and its broader impacts on society."
Google

Google Chrome To Get a Reader Mode (zdnet.com) 35

Google's Chrome browser will get a Reader Mode, similar to the one found in competing browsers like Firefox and the old Microsoft Edge. From a report: The feature is currently under development, but Chrome Canary users can test it starting today. Chrome's Reader Mode will work by stripping pages of most of their useless content, such as ads, comments sections, or animations, and leave a bare-bones version behind, showing only titles, article text, and article images. Work on the feature started in February this year when Google engineers began porting the "simplified view" offered by Chrome on Android to desktop editions. Today is the first day that a fully-functional Reader Mode is active in Chrome's desktop versions -- via Google Chrome Canary distributions. To test Chrome's upcoming Reader Mode, users must first visit the chrome://flags/#enable-reader-mode section in their Chrome Canary version, and enable the Reader Mode option.
Python

Mozilla To Bring Python To Browsers (venturebeat.com) 111

An anonymous reader quotes a report from VentureBeat: In a step toward its goal of building out a data science development stack for web browsers, Mozilla today detailed Pyodide, an experimental Python project that's designed to perform computation without the need for a remote kernel (i.e., a program that runs and inspects code). As staff data engineer Mike Droettboom explained in a blog post, it's a standard Python interpreter that runs entirely in the browser. And while Pyodide isn't exactly novel -- projects like Transcrypt, Brython, Skulpt, and PyPyJs are among several efforts to bring Python to browsers -- it doesn't require a rewrite of popular scientific computing tools (like NumPy, Pandas, Scipy, and Matplotlib) to achieve adequate performance, and its ability to convert built-in data types enables interactions among browser APIs and other JavaScript libraries.

Pyodide is built on WebAssembly, a low-level programming language that runs with near-native performance, and emscripten (specifically a build of Python for emscripten dubbed "cpython-emscripten"), which comprises a compiler from C and C++ to WebAssembly and a compatibility layer. Emscripten additionally provides a virtual file system (written in JavaScript) that the Python interpreter can use, in which files disappear when the browser tab is closed. To use Pyodide, you'll need the compiled Python interpreter as WebAssembly, JavaScript from emscripten (which provides the system emulation), and a packaged file system containing the files required by the Python interpreter. Once all three components are downloaded, they'll be stored in your browser's cache, obviating the need to download them again.
The report notes that "the Python interpreter inside the JavaScript virtual machine runs between one to 12 times slower in Firefox and up to 16 times slower on Chrome."
Mozilla

Mozilla Wants Apple To Change Users' iPhone Advertiser ID Every Month (zdnet.com) 101

Mozilla has launched a petition today to get Apple to rotate the IDFA unique identifier of iOS users every month. From a report: The purpose of this request is to prevent online advertisers from creating profiles that contain too much information about iOS users. IDFA stands for "IDentifier For Advertisers" and is a per-device unique ID. Apps running on a device can request access to this ID and relay the number to advertising SDKs/partners they use to show ads to their users. As experts from Singular, a mobile marketing firm explain, "IDFAs take the place of cookies in mobile advertising delivered to iOS devices because cookies are problematic in the mobile world." IDFAs are different from UDIDs, which stand for "unique device identifiers," which are permanent and unchangeable device identifiers. Apple added support for IDFAs specifically to replace UDIDs, which many apps were collecting for all sorts of shady reasons, enabling pervasive tracking of iOS users.
