An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.

An anonymous reader writes: Mozilla engineers have added a mechanism to Firefox 52 that prevents websites from fingerprinting users using system fonts. The user privacy protection system was borrowed from the Tor Browser, where a similar mechanism blocks websites from identifying users based on the fonts installed on their computers, only returning a list of "default fonts" per each OS. While sabotaging system font queries won't stop user fingerprinting as a whole, this is just one of the latest privacy-related updates Mozilla has added to Firefox, taken from Tor. Back in July 2016, Mozilla engineers started the Tor Uplift project, which aims to improve Firefox's privacy features with the ones present in the Tor Browser.

Krystalo writes: Mozilla today announced that it will continue to support Firefox for Windows XP and Windows Vista until September 2017. In March 2017, XP and Vista users will automatically be moved to the Firefox Extended Support Release (ESR) and in mid-2017 the company will reassess user numbers to announce a final support end date for the two operating systems. Firefox ESR is a version designed for schools, universities, businesses, and others who need help with mass deployments. Firefox ESR releases are maintained for one year. This means Mozilla will provide regular Firefox security patches for XP and Vista users for nine more months. After that, it may continue for a few more months, but eventually the browser won't get new versions on those operating systems. Mozilla correctly notes that "unsupported operating systems receive no security updates, have known exploits, and are dangerous for you to use." The company also tells enterprises that September 2017 should be considered the support end date for planning purposes and "strongly recommends" that all users "upgrade to a version of Windows that is supported by Microsoft."

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.

Designer Ilya Birman writes: I understand why rendering a complicated layout may be slow. Or why executing a complicated script may be slow. Actually, browsers are rather fast doing these things. If you studied programming and have a rough idea about how many computations are made to render a page, it is surprising the browsers can do it all that fast. But I am not talking about rendering and scripts. I am talking about everything else. Safari may take a second or two just to open a new blank tab on a 2014 iMac. And with ten or fifteen open tabs it eventually becomes sluggish as hell. Chrome is better, but not much so. What are they doing? The tabs are already open. Everything has been rendered. Why does it take more than, say, a thousandth of a second to switch between tabs or create a new one? Opening a 20-megapixel photo from disk doesn't take any noticeable amount of time, it renders instantaneously. Browsers store their stuff in memory. Why can't they just show the pixels immediately when I ask for them? [...] Unfortunately, modern browsers are so stupid that they reload all the tabs when you restart them. Which takes ages if you have a hundred of tabs. Opera was sane: it did not reload a tab unless you asked for it. It just reopened everything from cache. Which took a couple of seconds. Modern browsers boast their rendering and script execution performance, but that's not what matters to me as a user. I just don't understand why programmers spend any time optimising for that while the Chrome is laughably slow even by ten-years-old standards.Do you agree with Birman? If yes, why do you think browsers are generally slow today?

Microsoft is pushing hard for Windows 10 to become the operating system of choice for everyone across the world, but this isn't happening just yet, as Windows 7 keeps dominating the desktop market. From a report on Softpedia: The Firefox Hardware Report published recently by Mozilla shows that Windows 7 is the number one browser for users running the company's browser, with a share of 44.86 percent, followed by Windows 10 with 25.67 percent. Seeing Windows 7 dominating the desktop OS charts is not surprising, but on the other hand, it's living proof that Microsoft will really have a hard time moving users to Windows 10 before 2020 when it reaches end of support. Microsoft's Windows 10, however, already improved substantially since its launch in 2015, mostly thanks to the free upgrade offer targeting Windows 7 and 8.1 users, but this still isn't enough to become the number one choice for PC users.

An anonymous reader writes: To protect Tor users from FBI hacking tools that include all sorts of Firefox zero-days, the Tor Project started working on a sandboxed version of the Tor Browser in September. Over the weekend, the Tor Project released the first alpha version of the sandboxed Tor Browser. "Currently, this version is in an early alpha stage, and only available for Linux," reports BleepingComputer. "There are also no binaries available, and users must compile it themselves from the source code, which they can grab from here." The report notes: "Sandboxing is a security mechanism employed to separate running processes. In computer security, sandboxing an application means separating its process from the OS, so vulnerabilities in that app can't be leveraged to extend access to the underlying operating system. This is because the sandboxed application works with its own separate portion of disk and memory that isn't linked with the OS."

Stephen Shankland, writing for CNET: Mozilla is marshaling public support for political positions, like backing net neutrality, defending encryption and keeping government surveillance from getting out of hand, says Denelle Dixon-Thayer, Mozilla's chief legal and business officer. The organization is funding the efforts with revenue from Firefox searches, which has jumped since 2014 when it switched from a global deal with Google to a set of regional deals. Mozilla brought in $421 million in revenue last year largely through partnerships with Yahoo in the US, Yandex in Russia and Baidu in China, according to tax documents released alongside Mozilla's 2015 annual report on Thursday. Pushing policy work brings new challenges well beyond traditional Mozilla work competing against Google's Chrome browser and Microsoft's Internet Explorer. They include squaring off against the incoming administration of Donald Trump.

An anonymous reader quotes a report from Computerworld: A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor-users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch." On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter, that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows." Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post." He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.

An anonymous reader shares a VentureBeat report:Microsoft has turned on a new set of Windows Tips that inform Chrome and Firefox users on Windows 10 that Edge is a "safer" browser. We reached out to Microsoft to find out how long this latest recommendation has been active. "This wave of Windows Tips for Windows 10 users began in early November," a Microsoft spokesperson told VentureBeat. If this sounds familiar, that's because Microsoft turned on similar Windows 10 tips back in July, warning Chrome/Firefox users about battery drain and then recommending Edge instead.

Krystalo quotes a report from VentureBeat: Mozilla today launched a new browser for iOS. In addition to Firefox, the company now also offers Firefox Focus, a browser dedicated to user privacy that by default blocks many web trackers, including analytics, social, and advertising. You can download the new app now from Apple's App Store. If you're getting a huge feeling of deja vu, that's because in December 2015, Mozilla launched Focus by Firefox, a content blocker for iOS. The company has now rebranded the app as Firefox Focus, and it serves two purposes. The content blocker, which can still be used with Safari, remains unchanged. The basic browser, which can be used in conjunction with Firefox for iOS, is new. Firefox Focus is basically just an iOS web view with tracking protection. If you shut it down, or iOS shuts it down while it's in the background, the session is lost. There's also an erase button if you want to wipe your session sooner. But those are really the only features -- there's no history, menus, or even tabs.

Mozilla has begun seeding the binary and source packages of the final release of Firefox 50 web browser on all supported platforms, including GNU/Linux and macOS. From a report on Softpedia: We have to admit that we expected to see some major features and improvements, but that hasn't happened. The biggest new feature of the Firefox 50.0 release appears to be emoji for everyone. That's right, the web browser now ships with built-in emoji for GNU/Linux distributions, as well as other operating systems that don't include native emoji fonts by default, such as Windows 8.0 and previous versions. Also new, Firefox 50.0 now shows lock icon strikethrough for web pages that offer insecure password fields. Another interesting change that landed in the Mozilla Firefox 50.0 web browser is the ability to cycle through tabs in recently used order using the Ctrl+Tab keyboard shortcut. Moreover, it's now possible to search for whole words only using the "Find in page" feature. Last but not the least, printing was improved as well by using the Reader Mode, which now uses the accel-(opt/alt)-r keyboard shortcut, the Guarana (gn) locale is now supported, the rendering of dotted and dashed borders with rounded corners (border-radius) has been fixed as well.

Reader dryriver writes: There is no shortage of internet websites these days that peddle "information", "knowledge", "analysis", "explanations" or even supposed "facts" that don't hold up to even the most basic scrutiny -- one quick trip over to Wikipedia, Snopes, an academic journal or another reasonably factual/unbiased source, and you realize that you've just been fed a triple dose of factually inaccurate horsecrap masquerading as "fact". Unfortunately, many millions of more naive internet users appear to frequent sites daily that very blatantly peddle "untruths", "pseudo-facts" or even "agitprop-like disinformation", the latter sometimes paid for by someone somewhere. No small number of these more gullible internet users then wind up believing just about everything they read or watch on these sites, and in some cases cause other gullible people in the offline world to believe in them too. Now here is an interesting idea: What if your internet browser -- whether Edge, Firefox, Chrome, Opera or other -- was able provide an "information accuracy rating" of some sort when you visit a certain URL. Perhaps something like "11,992 internet users give this website a factual accuracy rating of 3.7/10. This may mean that the website you are visiting is prone to presenting information that may not be factually accurate." You could also take this 2 steps further. You could have a small army of "certified fact checkers" -- people with scientific credentials, positions in academia or similar -- provide a rolling "expert rating" on the very worst of these websites, displayed as "warning scores" by the web browser. Or you could have a keyword analysis algorithm/AI/web crawler go through the webpage you are looking at, try to cross-reference the information presented to you against a selection of "more trusted sources" in the background, and warn you if information presented on a webpage as "fact" simply does not check out. Is this a good idea? Could it be made to work technically? Might a browser feature like this make the internet as a whole a "more factually accurate place" to get information from?That's a remarkable idea. It appears to me that many companies are working on it -- albeit not fast enough, many can say. Google, for instance, recently began adding "Fact check" to some stories in search results. I am not sure how every participating player in this game could implement this in their respective web browsers though. Then there is this fundamental issue: the ability to quickly check whether or not something is indeed accurate. There's too much noise out there, and many publications and blogs report on things (upcoming products, for instance) before things are official. How do you verify such stories? If the NYTimes says, for instance, Apple is not going to launch any iPhone next year, and every website cites NYTimes and republishes it, how do you fact check that? And at last, a lot of fake stories circulate on Facebook. You may think it's a problem. Obama may think it's a problem, but does Facebook see it as a problem? For all it care, those stories are still generating engagement on its site.

According to multiple reports, Web of Trust, one of the top privacy and security extensions for web browsers with over 140 million downloads, collects and sells some of the data of its users -- and it does without properly anonymizing it. Upon learning about this, Mozilla, Google and Opera quickly pulled the extension off their respective extension stores. From a report on The Register: A browser extension which was found to be harvesting users' browsing histories and selling them to third parties has had its availability pulled from a number of web browsers' add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens' web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked.

Google's Chrome browser "now accounts for more than half of all desktop browser usage and has nearly double the market share of Edge and Internet Explorer combined," reports Hot Hardware: Market research firm Net Applications has Chrome sitting pretty with a 54.99% share of the desktop browser market, up from 31.12% at this moment a year ago, while Internet Explorer and Edge combine for 28.39 percent and Firefox stuck at around 11%. Even more interesting is that when Windows 10 launched to the public at the end of July 2015, Chrome had a 27.82% share of the market while IE still dominated the landscape with a 54% share. Now the script has flipped.
Just six months ago, the same research firm reported Chrome with a 41.66%, share barely beating Microsoft's 41.35%.

An anonymous reader asks: In an age of evercookies, zombie cookies, and always expanding efforts to track browsers, devices, and people -- is there any way to browse totally anonymous to the sites you are visiting?
With so many technologies quietly monitoring your activity, "How can a user today browse with confidence that they can't be tracked or identified, avoiding even being identified anonymously as a returning user or device?" Leave your best answers in the comments. What's the best way to browse the web anonymously?

itwbennett quotes a report from CSO Online: Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by certificate authorities WoSign and StartCom because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the two authorities after October 21. Browsers rely on digital certificates to verify the identity of websites and to establish encrypted connections with them. Certificates issued before October 21 will continue to be trusted as long as they're published to the public Certificate Transparency logs or have been issued to a limited set of domains owned by known WoSign and StartCom customers. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," said Chrome security team member Andrew Whalley in a blog post Monday. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56. Sites that find themselves on the whitelist will be able to request early removal once they've transitioned to new certificates," Whalley said. "Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust."

New submitter xogg writes: Battery Status API allows web sites to read the battery level of user's system. The API was found to bring privacy risks and abuse potential and a number of implementation bugs. Now with apparent no legitimate use cases, Mozilla is taking the unprecedented decision to vaporize a browser API due to privacy concerns. And apparently, WebKit, powering Apple's Safari follows. Is that the first time a browser reduces functionality following research reports warning of privacy risks?