Chrome

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online (gizmodo.com)

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.
Firefox

Firefox 59 Will Stop Websites Snooping on Where You've Just Been (zdnet.com)

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.
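How much of the originating page's address reaches the next site depends on which referrer policy the browser applies. The block below is an added example, not code from the ZDNet report or from Mozilla: it models the trimming rules of the Referrer Policy specification in plain JavaScript so you can see what a third-party destination learns under each policy. The policy names are the real specification values; the sample URLs and the function names (`computeReferrer`, `stripForReferrer`, `referrerTable`) are constructed for this example.

```javascript
// Added example (not from the article or from Mozilla): a simplified model of the
// Referrer Policy trimming rules, showing what the destination learns about the
// page you came from. Policy names are the real spec values; URLs are constructed.

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
];

// A referrer never includes credentials or the fragment, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// An HTTPS page linking to a plain-HTTP destination is a "downgrade".
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Returns the Referer value that would be sent, or null when none is sent.
function computeReferrer(fromUrl, toUrl, policy) {
  const from = stripForReferrer(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const full = from.href;                 // exact page, including path and query
  const originOnly = from.origin + "/";   // scheme + host only

  switch (policy) {
    case "no-referrer":                  return null;
    case "unsafe-url":                   return full;
    case "no-referrer-when-downgrade":   return isDowngrade(from, to) ? null : full;
    case "same-origin":                  return sameOrigin ? full : null;
    case "origin":                       return originOnly;
    case "strict-origin":                return isDowngrade(from, to) ? null : originOnly;
    case "origin-when-cross-origin":     return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Convenience: what every policy would reveal for one navigation.
function referrerTable(fromUrl, toUrl) {
  const table = {};
  for (const p of POLICIES) table[p] = computeReferrer(fromUrl, toUrl, p);
  return table;
}

// Constructed sample: a logged-in page on one site loading a third-party tracker pixel.
const SAMPLE_FROM = "https://shop.example/account/orders?id=4242#top";
const SAMPLE_TO = "https://tracker.example/pixel.gif";
console.table(referrerTable(SAMPLE_FROM, SAMPLE_TO));
```

The `no-referrer-when-downgrade` row is the historical browser default and hands the full path and query (here an order identifier) to the tracker; `strict-origin-when-cross-origin` sends only the origin to a different site, which is the kind of reduction the article describes. Sites can pick a policy themselves with the `Referrer-Policy` response header or a `<meta name="referrer">` tag instead of waiting for a browser default to change.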
Bitcoin

Ethereum Startup Vanishes After Seemingly Making $11, Leaves Message: 'Penis' (vice.com)

CaptainDork shares a report from Motherboard: An Ethereum startup called Prodeum disappeared from the web on Sunday after raising a grand total of $11 USD from investors in a crowdsale. Shortly after the website disappeared, a message appeared on its homepage: "penis." Prodeum's website now redirects visitors to the Twitter account of a cryptocurrency trader (they did not immediately respond to our request for comment), and its Twitter account has been deactivated. Prodeum is at least the second Ethereum startup to pull up stakes after raising money from people in events called Initial Coin Offerings, or ICOs, in which a startup funds its enterprise by taking cryptocurrency from people in exchange for digital tokens. Some ICOs have managed to raise millions of dollars, and the last startup to vanish after conducting an ICO -- Confido, which disappeared from the internet in late 2017 -- made off with roughly $374,000. (A message later appeared on Confido's site stating that it would buy back investors' tokens, but it's unclear if that took place.)

Prodeum, by comparison, only seems to have raised $11 based on the Ethereum address that was advertised on Prodeum's site as being the ICO address. (Update: After this article was published the contents of the ICO wallet were sent to another wallet. That wallet contains roughly $100, with the other funds all coming from a single wallet that predates the Prodeum ICO and contains 46 cents.) Prodeum's pitch, according to a cached version of its webpage, was to track vegetables in a supply chain using digital addresses on a blockchain -- a decentralized ledger at the heart of Ethereum and other cryptocurrencies like Bitcoin.
As for why the "penis" message was left on its homepage, it may have something to do with the name of the startup. Prodeum is a medication that treats urinary tract infections and other urinary problems...
GNOME

Should Apps Replace Title Bars with Header Bars? (gnome.org)

Gnome contributor Tobias Bernard is on a crusade against title bars -- "the largely empty bars at the top of some application windows [that] contain only the window title and a close button." Instead he wants to see header bars -- "a newer, more flexible pattern that allows putting window controls and other UI elements in the same bar." Tobias Bernard writes: Header bars are client-side decorations (CSD), which means they are drawn by the app rather than the display server. This allows for better integration between application and window chrome. All GNOME apps (except for Terminal) have moved to header bars over the past few years, and so have many third-party apps. However, there are still a few holdouts.
He's announcing the CSD Initiative, "an effort to get apps (both GNOME and third-party) to drop title bars and adopt GNOME-style client-side decorations... The only way to solve this problem long-term is to patch applications upstream to not use title bars. So this is what we'll have to do."
  • Talk to the maintainers and convince them that this is a good idea
  • Do the design work of adapting the layout and make mockups
  • Figure out what is required at a technical level
  • Actually implement the new layout and get it merged

Implementation is already in progress for Firefox, though it has not yet been started for other high-priority apps like LibreOffice, GNOME Terminal, and Skype. "If you want to help with any of the above tasks," writes Tobias, "come talk to us on #gnome-design on IRC/Matrix."
Privacy

DuckDuckGo App and Extension Upgrades Offer Privacy 'Beyond the Search Box' (theverge.com)

An anonymous reader quotes the Verge: DuckDuckGo is launching updated versions of its browser extension and mobile app, with the promise of keeping internet users safe from snooping "beyond the search box." The company's flagship product, its privacy-focused search engine, will remain the same, but the revamped extension and app will offer new tools to help users keep their web-browsing as safe and private as possible. These include grade ratings for websites, factoring in their use of encryption and ad tracking networks, and offering summaries of their terms of service (with summaries provided by third-party Terms of Service Didn't Read). The app and extension are available for Firefox, Safari, Chrome, iOS, and Android.

The ability to block ad tracking networks is probably the most important feature here. These networks are used by companies like Google and Facebook to follow users around the web, stitching together their browsing history to create a more accurate profile for targeted advertising.

DuckDuckGo calls it "a major step to simplify online privacy," adding that without it, "It's hard to use the Internet without it feeling a bit creepy -- like there's a nosey neighbor watching everything you do from across the street."
Mozilla

Firefox 58 Gets Graphics Speed Boost, Web App Abilities (cnet.com)

Mozilla released on Tuesday a new version of its Firefox Quantum browser, boosting its graphics speed and improving a couple of new technologies designed to make the web more powerful. From a report: The browser, version 58, is the first major update since Mozilla's recovery plan hit full stride in November with the debut of Firefox Quantum. Speed is of the essence in Mozilla's recovery plan, and Firefox 58 does better than its predecessor in some graphics tasks by splitting work better across the multiple processor cores that computer chips have these days. The result should be scrolling that's smooth, uninterrupted by the stuttering that in computing circles goes by the disparaging term "jank." [...] Firefox 58 helps with two new web technologies. One, called WebAssembly, provides for dramatically faster web apps. Firefox 58 can get WebAssembly software running faster so you don't have to twiddle your thumbs waiting as long after clicking a link. Another is progressive web apps (PWAs), an initiative that came out of Google to help make the web a better match for the apps we all drop on our phones.
Youtube

Google Just Broke Amazon's Workaround For YouTube On Fire TV (cordcuttersnews.com)

Google has cracked down on Fire TV users once again. Today, the technology company blocked Silk and Firefox browsers from displaying the YouTube.com interface usually shown on large screens. Cord Cutters News reports: Now if you try to access YouTube.com/TV on a Fire TV through the Firefox or Silk browser you will be redirected to the desktop version of the site. According to Elias Saba from AFTVnews, "By blocking access to the version of YouTube made for television browsers, Google has deliberately made browsing their website an unusable experience on Amazon Fire TVs, Fire TV Sticks, and Fire TV Edition televisions." This fight over YouTube and Amazon has been going on for some time. The standoff heated up in early December as Google announced plans to pull the YouTube app from the Fire TV on January 1st 2018. Amazon responded by adding a browser to allow access to the web version on the Fire TV. Now Google has countered by blocking the Fire TV's browsers from accessing the made-for-TV edition of YouTube.com. Back on December 15th, The Verge reported that Google and Amazon are in talks to keep YouTube on the Fire TV, but as of today it looks like nothing has come from these talks.
Mozilla

Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox adds support for a new standard/feature starting tomorrow, and that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Firefox

Mozilla Tests Firefox 'Tab Warming' (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Mozilla is currently testing a new feature called "Tab Warming" that engineers hope will improve the tab switching process. According to a description of the feature, Tab Warming will watch the user's mouse cursor and start "painting" content inside a tab whenever the user hovers his mouse over one. Firefox will do this on the assumption the user wants to click and switch to view that tab and will want to keep a pre-rendered tab on hand if this occurs. "Those precious milliseconds are used to do the rendering and uploading, so that when the click event finally comes, the [tab] is ready and waiting for you," said Mike Conley, one of the Firefox engineers who worked on this feature.
EU

City of Barcelona Dumps Windows For Linux and Open Source Software (europa.eu)

An anonymous reader quotes Open Source Observatory: The City of Barcelona is migrating its computer systems away from the Windows platform, reports the Spanish newspaper El País. The City's strategy is first to replace all user applications with open-source alternatives, until the underlying Windows operating system is the only proprietary software remaining. In a final step, the operating system will be replaced with Linux... According to Francesca Bria, the Commissioner of Technology and Digital Innovation at the City Council, the transition will be completed before the current administration's mandate ends in spring 2019. For starters, the Outlook mail client and Exchange Server will be replaced with Open-Xchange. In a similar fashion, Internet Explorer and Office will be replaced with Firefox and LibreOffice, respectively. The Linux distribution eventually used will probably be Ubuntu, since the City of Barcelona is already running 1,000 Ubuntu-based desktops as part of a pilot...

Barcelona is the first municipality to have joined the European campaign 'Public Money, Public Code'. This campaign is an initiative of the Free Software Foundation Europe (FSFE) and revolves around an open letter advocating that publicly funded software should be free. Currently, this call to public agencies is supported by more than 100 organisations and almost 15,000 individuals. With the new open-source strategy, Barcelona's City Council aims to avoid spending large amounts of money on licence-based software and to reduce its dependence on proprietary suppliers through contracts that in some cases have been closed for decades.

Intel

How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com)

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

Chrome

Opinion: Chrome is Turning Into the New Internet Explorer 6 (theverge.com)

Tom Warren, writing for The Verge: Chrome now has the type of dominance that Internet Explorer once did, and we're starting to see Google's own apps diverge from supporting web standards much in the same way Microsoft did a decade and a half ago. Whether you blame Google or the often slow-moving World Wide Web Consortium (W3C), the results have been particularly evident throughout 2017. Google has been at the center of a lot of "works best with Chrome" messages we're starting to see appear on the web. Google Meet, Allo, YouTube TV, Google Earth, and YouTube Studio Beta all block Windows 10's default browser, Microsoft Edge, from accessing them and they all point users to download Chrome instead. Some also block Firefox with messages to download Chrome. Hangouts, Inbox, and AdWords 3 were all in the same boat when they first debuted.

It's led one developer at Microsoft to describe Google's behavior as a strategic pattern. "When the largest web company in the world blocks out competitors, it smells less like an accident and more like strategy," said a Microsoft developer in a now-deleted tweet. Google also controls the most popular site in the world, and it regularly uses it to push Chrome. If you visit Google.com in a non-Chrome browser you're prompted up to three times if you'd like to download Chrome. Google has also even extended that prompt to take over the entire page at times to really push Chrome in certain regions. Microsoft has been using similar tactics to convince Windows 10 users to stick with Edge. The troubling part for anyone who's invested in an open web is that Google is starting to ignore a principle it championed by making its own services Chrome-only -- even if it's only initially.

Google

Amazon's YouTube Workaround on Fire TV Works Just Fine (geekwire.com)

Last month, a notification that YouTube would no longer be available through Fire TV and Fire TV Stick devices starting Jan. 1 popped up, threatening to leave a huge hole in Amazon's streaming lineup. But just last week, Amazon added the ability to surf the web and get to YouTube via a browser. But does it work? GeekWire thinks so: The result is a simple path to YouTube, circumventing Google's move to pull it from Fire TV. Web browsing probably wasn't a direct response to Amazon's issues with Google, which owns YouTube, but it provides a convenient alternative to keep the service accessible for Fire TV users. The first step is downloading one or both of the web browsers. Opening Firefox leads to this home screen with easy access tiles to both Google and YouTube. On Silk, the home screen defaults to Bing search. But as I poked around, I noticed that YouTube for TV showed up in my bookmarks even though this was the first time I opened the browser. A YouTube interface optimized for TV, the same one you would see on other streaming devices, pops up on both browsers. To sign in, YouTube prompted me to activate YouTube for TV through a phone or computer. Once that process was complete, YouTube showed the same personalized recommendations as my phone and computer.
Firefox

Mozilla Will Delete Firefox Crash Reports Collected by Accident (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully anonymized.
Electronic Frontier Foundation

EFF Applauds 'Massive Change' to HTTPS (eff.org)

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...
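HSTS, named above as the next step, works on the client side: the browser remembers a `Strict-Transport-Security` header it received over HTTPS and thereafter rewrites its own `http://` requests to that host before they leave the machine. The block below is an added example, not code from the EFF post or from any browser, implementing the client rules of RFC 6797: parse the header, ignore it if it arrived over plain HTTP, honour `max-age` expiry and `includeSubDomains`, and upgrade URLs accordingly. The names `parseHsts` and `HstsStore` and the host names are constructed for this example.

```javascript
// Added example (not from the EFF post or from any browser): a minimal HSTS client
// cache following RFC 6797. Header values and host names below are constructed.

// Parse "max-age=...; includeSubDomains"; returns null when the header must be ignored.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of headerValue.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      // A missing or non-numeric max-age makes the whole header invalid.
      if (value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload") are ignored by clients.
  }
  return policy.maxAge === null ? null : policy;
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a policy for host. Timestamps are milliseconds. Returns true if stored/cleared.
  learn(host, headerValue, now, overHttps) {
    if (!overHttps) return false;          // RFC 6797: HSTS over plain HTTP is ignored
    const p = parseHsts(headerValue);
    if (!p) return false;
    const h = host.toLowerCase();
    if (p.maxAge === 0) { this.entries.delete(h); return true; }  // max-age=0 revokes
    this.entries.set(h, {
      expires: now + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
    return true;
  }

  // Must a plain-HTTP request to host be rewritten to HTTPS right now?
  mustUpgrade(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");   // host, then each parent domain
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= now) { this.entries.delete(candidate); continue; }  // expired
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when a live policy covers its host.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.mustUpgrade(u.hostname, now)) {
      u.protocol = "https:";
    }
    return u.href;
  }
}

// Constructed walkthrough: a first HTTPS visit teaches the policy, later plain links are upgraded.
const store = new HstsStore();
const now = 1000000;
store.learn("example.gov", "max-age=31536000; includeSubDomains", now, true);
console.log(store.upgrade("http://www.example.gov/login", now + 5000));   // https://www.example.gov/login
console.log(store.upgrade("http://other.example/", now + 5000));          // unchanged, no policy known
```

The first visit is the weak point: until the browser has seen the header once over HTTPS there is nothing to upgrade, which is why the post singles out the .gov registrar provisioning HSTS up front and why browsers ship preload lists. Operators should also note that the cache is per host, so a policy without `includeSubDomains` leaves subdomains unprotected.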

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.

Windows

Windows 10 Visits To US Government Sites Surpass Windows 7 For the First Time (onmsft.com)

In what may be a signal of changing attitudes for Windows 10, visits to U.S. government sites via Windows 10 have surpassed Windows 7 for the first time. On MSFT reports: This United States government website reports that of the 2.54 billion visits to U.S. Government websites over the past 90 days, 20.9% came from Windows 10, and 20.7% from Windows 7. Interestingly, Windows 8.1 came in at 2.7%, Windows 8 at 0.05%, and other OS at 0.8%. The numbers are a bit niche and could be just from a holiday bump based on the site's 90-day average, but they still do give a solid number comparison for the state of various OS and browser stats. When it comes to browser share, Edge was not popularly used to visit U.S. Government websites. Chrome was on top with 44.4%, followed by Safari with 27.6%, Internet Explorer at 12.3%, and then Firefox at 5.9% and Edge at 3.9%. Though all these government percentages may be bleak for Microsoft, the latest AdDuplex December report also shows strong adoption for Windows 10 Fall Creators Update, so things can only go up for Microsoft from here on out.
Businesses

Amazon's YouTube App on Fire TV Stops Working Ahead of Schedule (fastcompany.com)

Amazon has already deactivated its YouTube app on Fire TV devices, four days before a planned blockade by Google. Instead of opening YouTube directly, the app now encourages users to install Silk or Firefox, and will open a link to the site once either browser is installed. From a report: Google has said it will cut off YouTube access on Fire TV starting January 1, citing Amazon's unwillingness to support Prime Video on Chromecast, or to sell Google hardware (including Chromecast) on its website. The companies say they're having productive discussions, and Amazon now has a product listing up for Chromecast, but the YouTube app's deactivation suggests an agreement isn't imminent.
Businesses

Established Players in Tech Industry Are Displaced By New Technologies and Companies Often When They Are Operating At Their Peak (learningbyshipping.com)

In a column, Steven Sinofsky, former President of the Windows Division at Microsoft, cites various examples from the past to suggest that it is often when incumbents in technology space have established market dominance that new startups rise and displace them: While the tech incumbents are clearly generating massive revenue and profits, nearly all of this comes from products developed long ago. In fact, as we now know in hindsight, it is exactly when conventional wisdom conflates today's economic success with forward-looking product innovation that seeds are being planted for the next massive wave of innovation. Google was formed at a time when the incumbents of AOL and even Yahoo were stronger than ever. Facebook came just after the dot com bubble burst. Even the reincarnation of Apple took place after the bubble burst with products being developed as the bubble peaked. And for what it is worth, the PC ecosystem, particularly Windows, was relatively "flat," mired in Windows Vista while Firefox dominated and Google Chrome appeared (Windows 7 wouldn't come out for a year after Chrome). In the infrastructure space, the seeds were planted for both AWS and VMWare in the shadow of the dot com bubble. In an historical context it is highly likely that the next wave of innovation in new technologies and new companies will happen right under the noses of big companies operating at what the public markets think of as peak (earnings) potential.
The Internet

Some Telcos and ISPs are Frustrating IPv6 Adoption (guardian.ng)

An anonymous reader writes: "There are indications that telecommunications operators and traditional ISPs in the country are frustrating adoption of Internet Protocol version six (IPv6) by other networks," reports Nigeria's Guardian newspaper, citing Nigeria CommunicationsWeek. The magazine found 32 networks with IPv6 addresses -- but only three which are using them. And the newspaper cites "a network engineer with a university who does not want to be named" frustrated that their ISP's network isn't IPv6-compatible, so the university can't use its own IPv6 address. "Mohammed Rudman, chairman, IPv6 Council Nigeria, said that most telecommunications operators and internet service providers in the country have not adopted IPv6 which raises the issue of compatibility with other networks."
Firefox has a fast-fallback-to-IPv4 option, which you can disable in about:config (as well as an option to disable IPv6 altogether). But "the Chrome browser supports IPv6 natively and doesn't allow users to decide which protocol to use," reports TechGlimpse.com.

How does your browser perform? Long-time Slashdot reader ourlovecanlastforeve shared a link to Test-IPv6.com, which detects whether "when given the choice, your browser decided it would prefer to use IPv4 instead of IPv6."
Firefox

Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com)

An anonymous reader quotes ZDNet: A Mozilla engineer has revealed one of the hidden techniques that Firefox 57 -- known as Quantum -- is using to improve page load times... It delays scripts from tracking domains, such as www.google-analytics.com. The technique was developed by Mozilla engineer Honza Bambas, who calls it "tailing". It works by delaying scripts from tracking domains when a page is actively loading and rendering...

Tailing only briefly prevents the tracking scripts loading, rather than disabling them entirely. Page load performance is improved by saving on network bandwidth and computing resources while loading a page, in a way that prioritizes site requests over tracking requests. "Requests are kept on hold only while there are site sub-resources still loading and only up to about 6 seconds. The delay is engaged only for scripts added dynamically or as async. Tracking images are always delayed. This is legal according to all HTML specifications and it's assumed that well built sites will not be affected regarding functionality," explains Bambas.