A reader shares a report from Ars Technica's Peter Bright: With Microsoft's decision to end development of its own Web rendering engine and switch to Chromium, control over the Web has functionally been ceded to Google. That's a worrying turn of events, given the company's past behavior. Chrome itself has about 72 percent of the desktop-browser market share. Edge has about 4 percent. Opera, based on Chromium, has another 2 percent. The abandoned, no-longer-updated Internet Explorer has 5 percent, and Safari -- only available on macOS -- about 5 percent. When Microsoft's transition is complete, we're looking at a world where Chrome and Chrome-derivatives take about 80 percent of the market, with only Firefox, at 9 percent, actively maintained and available cross-platform.

The mobile story has stronger representation from Safari, thanks to the iPhone, but overall tells a similar story. Chrome has 53 percent directly, plus another 6 percent from Samsung Internet, another 5 percent from Opera, and another 2 percent from Android browser. Safari has about 22 percent, with the Chinese UC Browser sitting at about 9 percent. That's two-thirds of the mobile market going to Chrome and Chrome derivatives. In terms of raw percentages, Google won't have quite as big a lock on the browser space as Microsoft did with Internet Explorer -- Internet Explorer 6 peaked at around 80 percent, and all versions of Internet Explorer together may have reached as high as 95 percent. But Google's reach is, in practice, much greater: not only is the Web a substantially more important place today than it was in the early 2000s, but also there's a whole new mobile Web that operates in addition to the desktop Web. Google has deployed proprietary technology and left the rest of the industry playing catch-up, writes Peter. The company has "tried to push the Web into a Google-controlled proprietary direction to improve the performance of Google's online services when used in conjunction with Google's browser, consolidating Google's market positioning and putting everyone else at a disadvantage."

YouTube has been a particular source of problems. One example Peter provides has to do with a hidden, empty HTML element that was added to each YouTube video to disable Edge's hardware accelerated video decoding: "For no obvious reason, Google changed YouTube to add a hidden, empty HTML element that overlaid each video. This element disabled Edge's fastest, most efficient hardware accelerated video decoding. It hurt Edge's battery-life performance and took it below Chrome's. The change didn't improve Chrome's performance and didn't appear to serve any real purpose; it just hurt Edge, allowing Google to claim that Chrome's battery life was actually superior to Edge's. Microsoft asked Google if the company could remove the element, to no avail."

Starting Tuesday, Firefox will nudge you to try out options designed to make the web more interesting, more useful or more productive. From a report: Mozilla's new Firefox 64 keeps an eye on what you're up to and prompts you to try extensions and features that could help you with that activity, the browser maker said. For example, if you open the same tab lots of times, it could suggest you pin it to your tab strip for easier future access. Other suggestions include installing the Facebook Container extension to curtail the social network's snooping, a Google Translate extension to tap into Google's service, and the Enhancer for YouTube extension to do things like block ads and control playback on Google's video site.

The feature could help you customize Firefox more to your liking -- something that could help you stick with the browser in the face of Google Chrome's dominance. And that, in turn, could help Mozilla pursue its push toward a privacy-respecting web that's not just effectively controlled by Chrome.

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentification modal in a loop.

With the news earlier today that Microsoft is embracing Chromium for Edge browser development on the desktop, VentureBeat decided to see what the other browser companies had to say about the decision. From the report: Google largely sees Microsoft's decision as a good thing, which is not exactly a surprise given that the company created the Chromium open source project. "Chrome has been a champion of the open web since inception and we welcome Microsoft to the community of Chromium contributors. We look forward to working with Microsoft and the web standards community to advance the open web, support user choice, and deliver great browsing experiences."

Mozilla meanwhile sees Microsoft's move as further validation that users should switch to Firefox. "This just increases the importance of Mozilla's role as the only independent choice. We are not going to concede that Google's implementation of the web is the only option consumers should have. That's why we built Firefox in the first place and why we will always fight for a truly open web." Mozilla regularly points out it develops the only independent browser -- meaning it's not tied to a tech company that has priorities which often don't align with the web. Apple (Safari), Google (Chrome), and Microsoft (Edge) all have their own corporate interests.

Opera thinks Microsoft is making a smart move, because it did the same thing six years ago. "We noticed that Microsoft seems very much to be following in Opera's footsteps. Switching to Chromium is part of a strategy Opera successfully adopted in 2012. This strategy has proved fruitful for Opera, allowing us to focus on bringing unique features to our products. As for the impact on the Chromium ecosystem, we are yet to see how it will turn out, but we hope this will be a positive move for the future of the web."

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. From a report: This is the first time an APT (Advanced Persistent Threat -- an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, albeit it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015. According to a report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018.

Hackers used spear-phishing emails to lure victims on websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.

An anonymous reader writes from a report via ZDNet: Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Researchers say a SplitSpectre attack is both faster and easier to execute, improving an attacker's ability to recover code from targeted CPUs. The research team says they were successfully able to carry out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine. The good news is that existing Spectre mitigations would thwart the SplitSpectre attacks.

Google and Mozilla are heading a group that is devising a way for users to save changes they make using web apps. From a report: The idea is to allow users to save changes they've made using web apps, without the hassle of having to download new files after each edit, as is necessary today. "Today, if a user wants to edit a local file in a web app, the web app needs to ask the user to open the file," said Google developer advocate Pete LePage. "Then, after editing the file, the only way to save changes is by downloading the file to the Downloads folder, or having to replace the original file by navigating the directory structure to find the original folder and file. This user experience leaves a lot to be desired, and makes it hard to build web apps that access user files."

To this end, the W3C Web Incubator Community Group (WICG), which is chaired by representatives from Chrome developer Google and Firefox developer Mozilla, is working on developing the new Writable Files API, which would allow web apps running in the browser to open a file, edit it, and save the changes back to the same file. However, the group says the biggest challenge will be guarding against malicious sites seeking to abuse persistent access to files on a user's system. "By far the hardest part for this API is of course going to be the security model to use," warns the WICG's explainer page for the API. "The API provides a lot of scary power to websites that could be abused in many terrible ways."

If you're a tab-hoarder, and you use Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Casting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate Windows to group tabs by Window." TechDows, which first reported the development: We're expecting this as the related bug, the 'UI: tab overflow' bug created 10 years back, reports opening too many tabs causes add tab button (+) to disappear and tabs do not scroll then, the expected result has been mentioned as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features.

Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.

On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."

The Firefox Test Pilot team on Monday rolled out two new experimental features, one of which is aimed to make this year's holiday shopping a bit easier on your wallet. It's called Price Wise, and it's an online shopping comparison tool that lets you add items from across several retailers to a Price Watcher list. From a report: When a price drops, a notification is automatically sent to your browser, and you can click regardless of what web page you are currently on. For now, Price Wise tracks just five retailers -- Amazon, Best Buy, eBay, Walmart, and the Home Depot -- but the company said it's planning on expanding to cover more outlets in the future.

Elsewhere, Mozilla is also rolling out a new feature called Email Tabs as part of its early adopter program. While Mozilla already offers a service for bookmarking content to read later via Pocket, Email Tabs enables users to choose multiple tabs and send links to one or more of them to their Gmail address. There are a number of options here. Users can choose to send links with screenshots, just links, or links with full articles. Price Wise is only available to users in the U.S. for now.

Exploit developers Yushi Laing and Alexander Kochkov have teased a zero-day exploit for Microsoft's Edge browser that can allow a malicious actor to run commands on a user's machine. "Laing teased the 'stable exploit' for the Microsoft-developed web browser last week with an image that appeared to show the Windows Calculator app launched from a web browser, after working on the project for just under a week," reports IT PRO. From the report: The researcher had initially been looking into three remote code execution bugs for Firefox as part of an 'exploit chain', but struggled to establish code for the third. He then found two similar flaws on Microsoft Edge using the Wadi Fuzzer app developed by SensePost. Laing told BleepingComputer the pair wanted to develop a stable exploit for Microsoft Edge and escape the sandbox, termed as an exploit that force-crashes and incorrectly reloads an app with manipulated permissions.

This would allow a user to run functions, and access other apps, beyond its normal permissions, as well as access data from other applications. They were also looking for a way to effectively seize control of a machine by escalating execution privileges to "system." They published a proof-of-concept for the Edge exploit in a short clip which shows the team using the browser to open the landing page for Google Chrome via Firefox.

An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.

The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as "security-sensitive" but "low-priority."

Mozilla today launched Firefox 63 for Windows, Mac, Linux, and Android. The release brings Enhanced Tracking Protection, performance improvements on Windows and macOS, search shortcuts, and Picture-In-Picture on Android. From a report: Firefox 63 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. According to Mozilla, Firefox has about 300 million active users. In other words, it's a major platform that web developers must consider. Firefox 63 for desktop brings support for Enhanced Tracking Protection. [...] Firefox 63's Enhanced Tracking Protection blocks cookies and storage access from third-party trackers, which Mozilla says targets the problem of cross-site tracking without breaking sites and impacting revenue streams like the original Tracking Protection. It does this by preventing known trackers from setting third-party cookies -- the primary method of tracking across sites -- but still gives you the option to block all known trackers (under Firefox Options/Preferences).

[...] Search shortcuts essentially pins sites like Google and Amazon on the new tab page. When you click or tap them, you're redirected to Firefox's awesome bar, which automatically fills the corresponding keyword (@google or @amazon in this case) for the search engine. This way, you can type your query, hit enter, and get your search results without having to first load the Google or Amazon homepage. [...] The only major new feature for this Firefox for Android release is a picture-in-picture mode (Android Oreo and up). This means that if you're watching a video in full-screen, when you switch away from Firefox it will move the video into a small floating window, which you can tap to return to the full video player.

Mozilla is reportedly preparing to offer a VPN service for Firefox users to help protect them when surfing the web. According to Trusted Reviews, Mozilla has partnered with the ProtonVPN service, "with a new notification piping-up when the browser detects an unsecured connection, or in a scenario when VPN might be preferable to users." From the report: However, it appears Firefox users will have to pay for the privilege. Austrian site Soeren-hentzschel reports the premium VPN service will be $10 a month, which is what ProtonVPN charges its users. Users will receive a "Firefox Recommends" pop-up when browsing an unsecured wireless network. The pop-up says the VPN service will provide a "private and secure' internet connection. According to the reports, a subset of Firefox 62 users in the United States will begin receiving the pop-up from today. Mozilla will reportedly get a cut of any subscription fee handed over by users to access the VPN service. MSPowerUser points out that this will be the first advertised service that costs money for Firefox users.

Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."

The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecated both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March, this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats. You can check public stats on the usage of TLS 1.0 and 1.1 here.

The head of the Mozilla Foundation, Mitchell Baker, is warning that companies need to diversify their hiring practices to include more people from backgrounds in philosophy and psychology if they want to tackle the problem of misinformation online. He also "warned that hiring employees who mainly come from Stem -- science, technology, engineering and maths -- will produce a new generation of technologists with the same blindspots as those who are currently in charge, a move that will 'come back to bite us,'" reports the Guardian. From the report: "Stem is a necessity, and educating more people in Stem topics clearly critical," Baker told the Guardian. "Every student of today needs some higher level of literacy across the Stem bases. "But one thing that's happened in 2018 is that we've looked at the platforms, and the thinking behind the platforms, and the lack of focus on impact or result. It crystallized for me that if we have Stem education without the humanities, or without ethics, or without understanding human behavior, then we are intentionally building the next generation of technologists who have not even the framework or the education or vocabulary to think about the relationship of Stem to society or humans or life."

"Stem is a necessity, and educating more people in Stem topics clearly critical," Baker told the Guardian. "Every student of today needs some higher level of literacy across the Stem bases. "But one thing that's happened in 2018 is that we've looked at the platforms, and the thinking behind the platforms, and the lack of focus on impact or result. It crystallized for me that if we have Stem education without the humanities, or without ethics, or without understanding human behavior, then we are intentionally building the next generation of technologists who have not even the framework or the education or vocabulary to think about the relationship of Stem to society or humans or life."

Starting with Firefox 64, RSS/Atom feed support will be handled via add-ons, rather than in-product. Mozilla's Gijs Kruitbosch writes: After considering the maintenance, performance and security costs of the feed preview and subscription features in Firefox, we've concluded that it is no longer sustainable to keep feed support in the core of the product. While we still believe in RSS and support the goals of open, interoperable formats on the Web, we strongly believe that the best way to meet the needs of RSS and its users is via WebExtensions.

With that in mind, we have decided to remove the built-in feed preview feature, subscription UI, and the "live bookmarks" support from the core of Firefox, now that improved replacements for those features are available via add-ons.

By virtue of being baked into the core of Firefox, these features have long had outsized maintenance and security costs relative to their usage. Making sure these features are as well-tested, modern and secure as the rest of Firefox would take a surprising amount of engineering work, and unfortunately the usage of these features does not justify such an investment: feed previews and live bookmarks are both used in around 0.01% of sessions.

Firefox has joined Google's WebP party, another endorsement for the internet giant's effort to speed up the web with a better image format. From a report: Google revealed WebP eight years ago and since then has built it into its Chrome web browser, Android phone software and many of its online properties in an effort to put websites on a diet and cut network data usage. But Google had trouble encouraging rival browser makers to embrace it. Mozilla initially rejected WebP as not offering enough of an improvement over more widely used image formats, JPEG and PNG. It seriously evaluated WebP but chose to try to squeeze more out of JPEG. But now Mozilla -- like Microsoft with its Edge browser earlier this week -- has had a change of heart. "Mozilla is moving forward with implementing support for WebP," the nonprofit organization said. WebP will work in versions of Firefox based on its Gecko browser engine, Firefox for personal computers and Android but not for iOS.

Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. ZDNet: Starting today, users can generate a one-time recover key that will be associated with their account, and which they can use to regain access to Firefox data if they ever forget their passwords. Firefox Accounts is included with all recent versions of the Firefox browser.

Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances. But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users. Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer.

Vivaldi announced Wednesday it has released a major update to its namesake desktop web browser, remaining as one of the rare companies that is still attempting to fight Google's monopoly in the space. Major features in Vivaldi 2.0 include: Syncing browsers across computers:Version 2.0 allows users to sync data, including bookmarks, passwords, autofill information, and history. Vivaldi uses its own servers to store the data, which is all encrypted end-to-end.
Panels: These are expandable, multi-tasking dashboards that can be opened in the sidebar.
Tab management: Additional features are included that allow for better searching through tabs, stacking them, and even renaming them.
History: Offers new ways to track your usage, including generating statistics and a visual history feature. Vivaldi was founded by Jon von Tetzchner, who also co-founded Opera and served as its chief executive for a number of years. Jon has been vocal about what many find unfair tactics employed by Google and Microsoft to aggressively expand the user bases of their respective browsers. Slashdot had a chance to speak with Jon recently: Slashdot: One of the biggest complaints that people have about browsers today is just how much memory they consume. Is it a lost-cause? What is Vivaldi doing to address this?
Jon: This is very true. Browsers can use a lot of memory. We have worked hard to reduce that load. The most important thing we have done there is the lazy loading of tabs. When you have a lot of tabs, you use a lot of memory, but with Vivaldi, we will only load the tabs once you need them. We also have the ability to hibernate background tabs, by right clicking the tab bar, which will free up a lot of memory. Besides this we are always looking at how to make the browser use less memory and be faster. There is a lot of details there, but with the feedback from our users, we continue to improve every single part of the browser.

Slashdot: You are offering a browser, and a web email client and service provider. Is Vivaldi attempting to offer a catalog of services? And if so, what more could we expect from the company in the long-term?
Jon: The focus for us is the browser, but we believe the browser should be able to do more than it does today, so we will continue to expand on the features we offer in the browser. We have been open about the fact that we aim to provide an email client in the browser, but that will come in the future, but we are, as you pointed out, providing the free email service. This is in addition to our free blog, forums and sync service. We feel there is a need for these services, free from ads and free from building of super profiles. Our free webmail service is thus without ads and we do not scan mails, except for spam and viruses. We will continue to add services to support the browser or where we feel a service supplements the browser in a good way.

Slashdot: You have been vocal about some of the tactics Google and Microsoft use to promote their own browsers. Following the news cycle, we don't think things have changed much. What's your view on it?
Jon: No, sadly things have not changed much. Microsoft continues to push their browser in their operating system, at times taking over the default browser as well. They also block competing browsers on their Windows 10S. Google sadly blocks some competing browsers from using their services, even browsers such as Vivaldi, that is based on Chromium. We need to change our identity when visiting many Google services. I guess my feeling is that those large companies should not and should not need to behave this way.

Slashdot: Chrome continues to be a market leader. Firefox, despite some of its recent changes, has lost some of the market. How hard is it for a browser company to survive these days? And why is it important that someone continues to fight back?
Jon: We all know that browser choice is a good thing, even more so than for most other products. The browser is your view into the Internet and we all spend a lot of time there. Healthy competition means product innovation and lower prices (this is not only about the price of the product, but also what you have to give up in other ways, such as your private information). Monopolies tend slow down innovation and also there is a tendency for them to use their position in one market to attack another.
It is not trivial to compete with these large corporations, but it is something we enjoy. We fight for our users and for the future of the Internet. That is definitely something worth fighting for.

Slashdot: Are you folks still working on a mobile browser?
Jon: Indeed we are. We aim to get it out there as soon as we can. We are ramping up the team after then 2.0 release to move faster. Further reading: The Next Web, and VentureBeat.