With the news earlier today that Microsoft is embracing Chromium for Edge browser development on the desktop, VentureBeat decided to see what the other browser companies had to say about the decision. From the report: Google largely sees Microsoft's decision as a good thing, which is not exactly a surprise given that the company created the Chromium open source project. "Chrome has been a champion of the open web since inception and we welcome Microsoft to the community of Chromium contributors. We look forward to working with Microsoft and the web standards community to advance the open web, support user choice, and deliver great browsing experiences."

Mozilla meanwhile sees Microsoft's move as further validation that users should switch to Firefox. "This just increases the importance of Mozilla's role as the only independent choice. We are not going to concede that Google's implementation of the web is the only option consumers should have. That's why we built Firefox in the first place and why we will always fight for a truly open web." Mozilla regularly points out it develops the only independent browser -- meaning it's not tied to a tech company that has priorities which often don't align with the web. Apple (Safari), Google (Chrome), and Microsoft (Edge) all have their own corporate interests.

Opera thinks Microsoft is making a smart move, because it did the same thing six years ago. "We noticed that Microsoft seems very much to be following in Opera's footsteps. Switching to Chromium is part of a strategy Opera successfully adopted in 2012. This strategy has proved fruitful for Opera, allowing us to focus on bringing unique features to our products. As for the impact on the Chromium ecosystem, we are yet to see how it will turn out, but we hope this will be a positive move for the future of the web."

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. From a report: This is the first time an APT (Advanced Persistent Threat -- an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, albeit it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015. According to a report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018.

Hackers used spear-phishing emails to lure victims on websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.

An anonymous reader writes from a report via ZDNet: Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Researchers say a SplitSpectre attack is both faster and easier to execute, improving an attacker's ability to recover code from targeted CPUs. The research team says they were successfully able to carry out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine. The good news is that existing Spectre mitigations would thwart the SplitSpectre attacks.

Google and Mozilla are heading a group that is devising a way for users to save changes they make using web apps. From a report: The idea is to allow users to save changes they've made using web apps, without the hassle of having to download new files after each edit, as is necessary today. "Today, if a user wants to edit a local file in a web app, the web app needs to ask the user to open the file," said Google developer advocate Pete LePage. "Then, after editing the file, the only way to save changes is by downloading the file to the Downloads folder, or having to replace the original file by navigating the directory structure to find the original folder and file. This user experience leaves a lot to be desired, and makes it hard to build web apps that access user files."

To this end, the W3C Web Incubator Community Group (WICG), which is chaired by representatives from Chrome developer Google and Firefox developer Mozilla, is working on developing the new Writable Files API, which would allow web apps running in the browser to open a file, edit it, and save the changes back to the same file. However, the group says the biggest challenge will be guarding against malicious sites seeking to abuse persistent access to files on a user's system. "By far the hardest part for this API is of course going to be the security model to use," warns the WICG's explainer page for the API. "The API provides a lot of scary power to websites that could be abused in many terrible ways."

If you're a tab-hoarder, and you use Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Casting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate Windows to group tabs by Window." TechDows, which first reported the development: We're expecting this as the related bug, the 'UI: tab overflow' bug created 10 years back, reports opening too many tabs causes add tab button (+) to disappear and tabs do not scroll then, the expected result has been mentioned as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features.

Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.

On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."

The Firefox Test Pilot team on Monday rolled out two new experimental features, one of which is aimed to make this year's holiday shopping a bit easier on your wallet. It's called Price Wise, and it's an online shopping comparison tool that lets you add items from across several retailers to a Price Watcher list. From a report: When a price drops, a notification is automatically sent to your browser, and you can click regardless of what web page you are currently on. For now, Price Wise tracks just five retailers -- Amazon, Best Buy, eBay, Walmart, and the Home Depot -- but the company said it's planning on expanding to cover more outlets in the future.

Elsewhere, Mozilla is also rolling out a new feature called Email Tabs as part of its early adopter program. While Mozilla already offers a service for bookmarking content to read later via Pocket, Email Tabs enables users to choose multiple tabs and send links to one or more of them to their Gmail address. There are a number of options here. Users can choose to send links with screenshots, just links, or links with full articles. Price Wise is only available to users in the U.S. for now.

Exploit developers Yushi Laing and Alexander Kochkov have teased a zero-day exploit for Microsoft's Edge browser that can allow a malicious actor to run commands on a user's machine. "Laing teased the 'stable exploit' for the Microsoft-developed web browser last week with an image that appeared to show the Windows Calculator app launched from a web browser, after working on the project for just under a week," reports IT PRO. From the report: The researcher had initially been looking into three remote code execution bugs for Firefox as part of an 'exploit chain', but struggled to establish code for the third. He then found two similar flaws on Microsoft Edge using the Wadi Fuzzer app developed by SensePost. Laing told BleepingComputer the pair wanted to develop a stable exploit for Microsoft Edge and escape the sandbox, termed as an exploit that force-crashes and incorrectly reloads an app with manipulated permissions.

This would allow a user to run functions, and access other apps, beyond its normal permissions, as well as access data from other applications. They were also looking for a way to effectively seize control of a machine by escalating execution privileges to "system." They published a proof-of-concept for the Edge exploit in a short clip which shows the team using the browser to open the landing page for Google Chrome via Firefox.

An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.

The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as "security-sensitive" but "low-priority."

Mozilla today launched Firefox 63 for Windows, Mac, Linux, and Android. The release brings Enhanced Tracking Protection, performance improvements on Windows and macOS, search shortcuts, and Picture-In-Picture on Android. From a report: Firefox 63 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. According to Mozilla, Firefox has about 300 million active users. In other words, it's a major platform that web developers must consider. Firefox 63 for desktop brings support for Enhanced Tracking Protection. [...] Firefox 63's Enhanced Tracking Protection blocks cookies and storage access from third-party trackers, which Mozilla says targets the problem of cross-site tracking without breaking sites and impacting revenue streams like the original Tracking Protection. It does this by preventing known trackers from setting third-party cookies -- the primary method of tracking across sites -- but still gives you the option to block all known trackers (under Firefox Options/Preferences).

[...] Search shortcuts essentially pins sites like Google and Amazon on the new tab page. When you click or tap them, you're redirected to Firefox's awesome bar, which automatically fills the corresponding keyword (@google or @amazon in this case) for the search engine. This way, you can type your query, hit enter, and get your search results without having to first load the Google or Amazon homepage. [...] The only major new feature for this Firefox for Android release is a picture-in-picture mode (Android Oreo and up). This means that if you're watching a video in full-screen, when you switch away from Firefox it will move the video into a small floating window, which you can tap to return to the full video player.

Mozilla is reportedly preparing to offer a VPN service for Firefox users to help protect them when surfing the web. According to Trusted Reviews, Mozilla has partnered with the ProtonVPN service, "with a new notification piping-up when the browser detects an unsecured connection, or in a scenario when VPN might be preferable to users." From the report: However, it appears Firefox users will have to pay for the privilege. Austrian site Soeren-hentzschel reports the premium VPN service will be $10 a month, which is what ProtonVPN charges its users. Users will receive a "Firefox Recommends" pop-up when browsing an unsecured wireless network. The pop-up says the VPN service will provide a "private and secure' internet connection. According to the reports, a subset of Firefox 62 users in the United States will begin receiving the pop-up from today. Mozilla will reportedly get a cut of any subscription fee handed over by users to access the VPN service. MSPowerUser points out that this will be the first advertised service that costs money for Firefox users.

Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."

The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecated both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March, this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats. You can check public stats on the usage of TLS 1.0 and 1.1 here.

The head of the Mozilla Foundation, Mitchell Baker, is warning that companies need to diversify their hiring practices to include more people from backgrounds in philosophy and psychology if they want to tackle the problem of misinformation online. He also "warned that hiring employees who mainly come from Stem -- science, technology, engineering and maths -- will produce a new generation of technologists with the same blindspots as those who are currently in charge, a move that will 'come back to bite us,'" reports the Guardian. From the report: "Stem is a necessity, and educating more people in Stem topics clearly critical," Baker told the Guardian. "Every student of today needs some higher level of literacy across the Stem bases. "But one thing that's happened in 2018 is that we've looked at the platforms, and the thinking behind the platforms, and the lack of focus on impact or result. It crystallized for me that if we have Stem education without the humanities, or without ethics, or without understanding human behavior, then we are intentionally building the next generation of technologists who have not even the framework or the education or vocabulary to think about the relationship of Stem to society or humans or life."

"Stem is a necessity, and educating more people in Stem topics clearly critical," Baker told the Guardian. "Every student of today needs some higher level of literacy across the Stem bases. "But one thing that's happened in 2018 is that we've looked at the platforms, and the thinking behind the platforms, and the lack of focus on impact or result. It crystallized for me that if we have Stem education without the humanities, or without ethics, or without understanding human behavior, then we are intentionally building the next generation of technologists who have not even the framework or the education or vocabulary to think about the relationship of Stem to society or humans or life."

Starting with Firefox 64, RSS/Atom feed support will be handled via add-ons, rather than in-product. Mozilla's Gijs Kruitbosch writes: After considering the maintenance, performance and security costs of the feed preview and subscription features in Firefox, we've concluded that it is no longer sustainable to keep feed support in the core of the product. While we still believe in RSS and support the goals of open, interoperable formats on the Web, we strongly believe that the best way to meet the needs of RSS and its users is via WebExtensions.

With that in mind, we have decided to remove the built-in feed preview feature, subscription UI, and the "live bookmarks" support from the core of Firefox, now that improved replacements for those features are available via add-ons.

By virtue of being baked into the core of Firefox, these features have long had outsized maintenance and security costs relative to their usage. Making sure these features are as well-tested, modern and secure as the rest of Firefox would take a surprising amount of engineering work, and unfortunately the usage of these features does not justify such an investment: feed previews and live bookmarks are both used in around 0.01% of sessions.

Firefox has joined Google's WebP party, another endorsement for the internet giant's effort to speed up the web with a better image format. From a report: Google revealed WebP eight years ago and since then has built it into its Chrome web browser, Android phone software and many of its online properties in an effort to put websites on a diet and cut network data usage. But Google had trouble encouraging rival browser makers to embrace it. Mozilla initially rejected WebP as not offering enough of an improvement over more widely used image formats, JPEG and PNG. It seriously evaluated WebP but chose to try to squeeze more out of JPEG. But now Mozilla -- like Microsoft with its Edge browser earlier this week -- has had a change of heart. "Mozilla is moving forward with implementing support for WebP," the nonprofit organization said. WebP will work in versions of Firefox based on its Gecko browser engine, Firefox for personal computers and Android but not for iOS.

Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. ZDNet: Starting today, users can generate a one-time recover key that will be associated with their account, and which they can use to regain access to Firefox data if they ever forget their passwords. Firefox Accounts is included with all recent versions of the Firefox browser.

Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances. But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users. Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer.

Vivaldi announced Wednesday it has released a major update to its namesake desktop web browser, remaining as one of the rare companies that is still attempting to fight Google's monopoly in the space. Major features in Vivaldi 2.0 include: Syncing browsers across computers:Version 2.0 allows users to sync data, including bookmarks, passwords, autofill information, and history. Vivaldi uses its own servers to store the data, which is all encrypted end-to-end.
Panels: These are expandable, multi-tasking dashboards that can be opened in the sidebar.
Tab management: Additional features are included that allow for better searching through tabs, stacking them, and even renaming them.
History: Offers new ways to track your usage, including generating statistics and a visual history feature. Vivaldi was founded by Jon von Tetzchner, who also co-founded Opera and served as its chief executive for a number of years. Jon has been vocal about what many find unfair tactics employed by Google and Microsoft to aggressively expand the user bases of their respective browsers. Slashdot had a chance to speak with Jon recently: Slashdot: One of the biggest complaints that people have about browsers today is just how much memory they consume. Is it a lost-cause? What is Vivaldi doing to address this?
Jon: This is very true. Browsers can use a lot of memory. We have worked hard to reduce that load. The most important thing we have done there is the lazy loading of tabs. When you have a lot of tabs, you use a lot of memory, but with Vivaldi, we will only load the tabs once you need them. We also have the ability to hibernate background tabs, by right clicking the tab bar, which will free up a lot of memory. Besides this we are always looking at how to make the browser use less memory and be faster. There is a lot of details there, but with the feedback from our users, we continue to improve every single part of the browser.

Slashdot: You are offering a browser, and a web email client and service provider. Is Vivaldi attempting to offer a catalog of services? And if so, what more could we expect from the company in the long-term?
Jon: The focus for us is the browser, but we believe the browser should be able to do more than it does today, so we will continue to expand on the features we offer in the browser. We have been open about the fact that we aim to provide an email client in the browser, but that will come in the future, but we are, as you pointed out, providing the free email service. This is in addition to our free blog, forums and sync service. We feel there is a need for these services, free from ads and free from building of super profiles. Our free webmail service is thus without ads and we do not scan mails, except for spam and viruses. We will continue to add services to support the browser or where we feel a service supplements the browser in a good way.

Slashdot: You have been vocal about some of the tactics Google and Microsoft use to promote their own browsers. Following the news cycle, we don't think things have changed much. What's your view on it?
Jon: No, sadly things have not changed much. Microsoft continues to push their browser in their operating system, at times taking over the default browser as well. They also block competing browsers on their Windows 10S. Google sadly blocks some competing browsers from using their services, even browsers such as Vivaldi, that is based on Chromium. We need to change our identity when visiting many Google services. I guess my feeling is that those large companies should not and should not need to behave this way.

Slashdot: Chrome continues to be a market leader. Firefox, despite some of its recent changes, has lost some of the market. How hard is it for a browser company to survive these days? And why is it important that someone continues to fight back?
Jon: We all know that browser choice is a good thing, even more so than for most other products. The browser is your view into the Internet and we all spend a lot of time there. Healthy competition means product innovation and lower prices (this is not only about the price of the product, but also what you have to give up in other ways, such as your private information). Monopolies tend slow down innovation and also there is a tendency for them to use their position in one market to attack another.
It is not trivial to compete with these large corporations, but it is something we enjoy. We fight for our users and for the future of the Internet. That is definitely something worth fighting for.

Slashdot: Are you folks still working on a mobile browser?
Jon: Indeed we are. We aim to get it out there as soon as we can. We are ramping up the team after then 2.0 release to move faster. Further reading: The Next Web, and VentureBeat.

Earlier this year, Mozilla announced Firefox Monitor, a service that will inform you if your online accounts were hacked in a recent data breach. It's now available to general public. A report adds: For the new security-focused tool, Mozilla partnered with Troy Hunt, the renowned security expert behind Have I Been Pwned? (HIBP), which is a database of data breaches that allows anyone to discover whether one of their online accounts has been compromised. The first iteration of Firefox Monitor is, for all intents and purposes, a clone of HIBP. After you enter your email address and hit the scan button, you're told which online services have leaked your personal details (if any). You can also sign up to be notified of any future data breaches involving one or more of your email addresses.

Earlier last week, several users with a new Windows 10 build reported that they were seeing a warning when they attempted to install Chrome or Firefox browser. It turns out, Microsoft has listened to the complaints and is reversing course. CNET reports: A new "fast-ring" test version of Windows, Insider Preview Build 17760, no longer interrupts the installation of rival browsers, a CNET test shows. Earlier this week, an earlier test version of Windows would warn people who tried to install the Chrome, Firefox, Opera or Vivaldi web browsers, "You already have Microsoft Edge -- the safer, faster browser for Windows 10." The dialog box presented two options: "Open Microsoft Edge" -- the default -- and "Install anyway." The feature raised some hackles and brought back memories of Microsoft's strong-arm tactics promoting its old Internet Explorer browser in the first browser wars two decades ago. But Microsoft isn't alone in such tactics: Google promotes its Chrome browser as faster and safer to people who visit its own websites with other browsers.

RoccamOccam writes: WebRender, an experimental GPU-based renderer for web content, written in Rust, is now enabled by default for Firefox Nightly users on desktop Windows 10 with Nvidia GPUs. The announcement was made on the mailing list.

Lin Clark provides an excellent overview of WebRender and, states, "with WebRender, we want apps to run at a silky smooth 60 frames per second (FPS) or better no matter how big the display is or how much of the page is changing from frame to frame. And it works. Pages that chug along at 15 FPS in Chrome or today's Firefox run at 60 FPS with WebRender.

In describing the WebRender approach Clark, asks, "what if we removed this boundary between painting and compositing and just went back to painting every pixel on every frame? This may sound like a ridiculous idea, but it actually has some precedent. Modern day video games repaint every pixel, and they maintain 60 frames per second more reliably than browsers do. And they do it in an unexpected way instead of creating these invalidation rectangles and layers to minimize what they need to paint, they just repaint the whole screen."