Industry analysts and former Mozilla employees are concerned about Firefox's future, reports Ars Technica, warning that the ultimate fate of Firefox "has larger implications for the web as a whole." Since its release in 2008, [Google's] Chrome has become synonymous with the web: it's used by around 65 percent of everyone online and has a huge influence on how people experience the Internet. When Google launched its AMP publishing standard, websites jumped to implement it. Similar plans to replace third-party cookies in Chrome — a move that will impact millions of marketers and publishers — are shaped in Google's image.

"Chrome has won the desktop browser war," says one former Firefox staff member, who worked on browser development at Mozilla but does not want to be named, as they still work in the industry. Their hopes for a Firefox revival are not high. "It's not super reasonable for Firefox to expect to win back even any browser share at this point." Another former Mozilla employee, who also asked not to be named for fear of career repercussions, says: "They're just going to have to accept the reality that Firefox is not going to come back from the ashes...."

Mozilla's financial declarations from 2020 said that despite the layoffs it is in a healthy place, and it expects its financial results for 2021 to show revenue growth. However, Mozilla and Firefox acknowledge that for its long-term future it needs to diversify the ways it makes money. These efforts have ramped up since 2019. The company owns read-it-later service Pocket, which includes a paid premium subscription service. It has also launched two similar VPN-style products that people can subscribe to. And the company is pushing more into advertising as well, placing ads on new tabs that are opened in the Firefox browser.... Selena Deckelmann, senior vice president of Firefox, says Firefox is likely to continue looking for ways to keep personalizing people's online browsing. "I'm not sure that what's going to come out of that is going to be what people traditionally expect from a browser, but the intention will always be to put people first," she says. Just this week, Firefox announced a partnership with Disney — linked to a new Pixar film — that involves changing the color of the browser and ads to win subscriptions to Disney+. The deal speaks both to Firefox's personalization push and the strange roads its search for revenue streams can lead down.

Deckelmann adds that Firefox doesn't need to be as big as Chrome or Apple's Safari, the second largest browser, to succeed. "All we really want is to be a viable choice," Deckelmann says. "Because we think that this makes a better Internet for everybody to have these different options."
Interesting stats from the article:

• "Mozilla's own statistics show a drop of around 30 million monthly active users from the start of 2019 to the start of 2022."

• Mozilla's figures now also show around 215 million Firefox Desktop clients active in the past 28 days — a number which has stayed stable.

• Yet In 2008, a full 20% of the 1.5 billion people online were using Firefox to surf the web — including more than half the web surfers in Indonesia, Macedonia, and Slovenia.

• "Across all devices, the browser has slid to less than 4 percent of the market," writes Ars Technica. "On mobile it's a measly half a percent..."

• Next year, Firefox's "lucrative search deal with Google — responsible for the vast majority of its revenue" — is set to expire.

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

The Washington Post reports: Google announced it will begin the process of getting rid of long-standing ad trackers on its Android operating system, upending how advertising and data-collection work on phones and tablets used by more than 2.5 billion people around the world.

Right now, Google assigns special IDs to each Android device, allowing advertisers to build profiles of what people do on their phones and serve them highly targeted ads. Google will begin testing alternatives to those IDs this year and eventually remove them completely, the company said in a Wednesday blog post. Google said the changes will improve privacy for Android users, limiting the massive amounts of data that app developers collect from people using the platform.

But the move also could give Google even more power over digital advertising, and is likely to deepen concerns regulators have already expressed about the company's competitive practices... It made $61 billion in advertising revenue in the fourth quarter of 2021 alone....

The announcement comes over a year after Apple began blocking trackers on its own operating system, which runs on its iPhones, giving customers more tools to limit the data they share with app developers.... Google contrasted its plan with Apple's, saying it would make the changes over the next two years, working closely with app developers and the advertising industry to craft new ways of targeting ads and measuring their effectiveness before making any drastic changes.

"We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers," said Anthony Chavez, vice president of product management for Android security and privacy, in the blog post. "We believe that without first providing a privacy-preserving alternative path such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses."
The Post also includes this quote from the chief security office of Mozilla (which began restricting ad tracking in Firefox several years ago). "Google's two year plan is too long. People deserve better privacy now."

As both the Chrome and Firefox browsers approach their 100th versions, what should be a reason for the developers to celebrate could turn into a bit of a mess. From a report: It turns out that much like the Y2K bug, the triple-digit release numbers coded in the browsers' User-Agents (UAs) could cause issues with a small number of sites, Bleeping Computer reported. Mozilla launched an experiment last year to see if version number 100 would affect sites, and it just released a blogpost with the results. It did affect a small number of sites (some very big ones, though) that couldn't parse a user-agent string containing a three-digit number. Notable ones still affected included HBO Go, Bethesda and Yahoo, according to a tracking site. The bugs include "browser not supported" messages, site rendering issues, parsing failures, 403 errors and so on.

"The OS/2 community is getting close to obtaining a modern browser on their platform," writes Slashdot reader martiniturbide. In an announcement article on Monday, president of the OS/2 Voice community, Roderick Klein, revealed that a public beta of the new Chromium-based Otter Browser will arrive "in the last week of February or the first week of March." XDA Developers reports: OS/2 was the operating system developed jointly by IBM and Microsoft in the late 1980s and early 1990s, with the intended goal of replacing all DOS and Windows-based systems. However, Microsoft decided to focus on Windows after the immense popularity of Windows 3.0 and 3.1, leaving IBM to continue development on its own. IBM eventually stopped working on OS/2 in 2001, but two other companies licensed the operating system to continue where IBM left off -- first eComStation, and more recently, ArcaOS.

BitWise Works GmbH and the Dutch OS/2 Voice foundation started work on Otter Browser in 2017, as it was becoming increasingly difficult to keep an updated version of Firefox available on OS/2 and ArcaOS. Firefox 49 ESR from 2016 is the latest version available, because that's around the time Mozilla started rewriting significant parts of Firefox with Rust code, and there's no Rust compiler for OS/2. Since then, the main focus has been porting Qt 5.0 to OS/2, which includes the QtWebEngine (based on Chromium). This effort also has the side effect of making more cross-platform ports possible in the future.

Slashdot reader sombragris writes: Slackware, the oldest actively maintained Linux distribution, released version 15.0 yesterday after a long release cycle that goes all the way back to 2016 where the last version (14.2) was released. According to the release notes, the whole spirit of this release is: "Keep it familiar, but make it modern."

Among the news, this release offers kernel 5.15.19, PAM, PipeWire and PulseAudio, Wayland and X11 graphical systems, and Rust and Python 3. As graphical environments, both Xfce 4.16 and the latest Plasma 5 (Plasma 5.23.5, Frameworks 5.90, KDE apps 21.12 running under Qt 5.15.3) are available, with Cinnamon and Mate also available from third parties. The main compilers are gcc-11.2 and llvm 13.0. The default browser is Firefox 91.5esr, with Chromium available as a third-party repository. And... no systemd at all.

Slackware can be downloaded from a variety of mirrors. BitTorrent downloads are going to be available too. I've used Slackware for 20 years and it's always impressed me with its stability and speed. I encourage everyone interested to try it. Slashdot readers arfonrg and saxa also shared the news.

A top VR web browser is closing down. Today, Mozilla announced it's shutting down its Firefox Reality browser -- the four-year-old browser built for use in virtual reality environments. The technology had allowed users to access the web from within their VR headset, doing things like visiting URLs, performing searches, and browsing both the 2D and 3D internet using your VR hand controllers, instead of a mouse. From a report: Firefox Reality first launched in fall 2018 and has been available on Viveport, Oculus, Pico, and Hololens platforms through their various app stores. While capable of surfing the 2D web, the expectation was that users would largely use the new technology to browse and interact with the web's 3D content, like 360-degree panoramic images and videos, 3D models, and WebVR games, for example. But in an announcement published today, Mozilla says the browser will be removed from the stores where it's been available for download in the "coming weeks." Mozilla is instead directing users who still want to utilize a web browser in VR to Igalia's upcoming open-source browser, Wolvic, which is based on Firefox Reality's source code. This browser will be available for download starting next week, so users won't have to go without -- they'll just have to make the switch.

Mozilla is rolling out new updates to its mobile and desktop VPN offerings, the company announced on Tuesday. From a report: With the launch of Mozilla VPN 2.7, the company is bringing one of Firefox's popular add-ons, Multi-Account Containers, to the desktop platform and also introducing a multi-hop feature to the Android and iOS version of the VPN service. Firefox's Multi-Account Containers allow users to separate different parts of their online activities, such as work, shopping and banking. Instead of having to open a new window or different browser to check your work email, you can isolate that activity in a container tab, which prevents other sites from tracking your activity across the web. The company says combining the add-on with Mozilla's VPN adds an extra layer of protection to users' compartmentalized browsing activity and also adds extra protection to their locational information.

An anonymous reader quotes a report from Gizmodo: Researchers at Mozilla announced this week the launch of its "Facebook Pixel Hunt" study, which seeks to track the company's immense web-wide tracking network and investigate the intel it's collecting on users. As the name suggests, this study is focused on a piece of tracking tech known as the "Facebook pixel." Chances are, you've visited a site that uses it; these tiny pieces of tech are buried in literally millions of sites across the web, from online stores to news outlets to... well, you name it. In exchange for onboarding a free pixel on their site, these sites can then track their own visitors and microtarget ads with the same sort of precision you'd expect from a data-hungry company like Facebook.

In exchange for giving these sites the power to track every pageview, purchase, search query, and much, much more, Facebook (naturally) requires that this data be shared with it, too. In cases where the website visitor has an account on some Facebook platform, this offsite data just gets glombed onto whatever Facebook already knows about that person. If they don't have a Facebook account, then the company collects that data anyway, and uses it to create a "shadow profile" of that particular person. These are the sorts of shadowy practices that Mozilla's team wants to research with this study -- and you can help them do it if you're a Firefox user. Mozilla teamed up with reporters from the Markup to gather details about Facebook tracking using a free-to-download browser extension, Mozilla Rally, that will hoover up data sent out by Facebook's pixels as you browse across the web. Aside from that data, the extension also keeps track of the time spent on different web pages, the URLs that the browser visits, and more. Mozilla was quick to note in its announcement that the only data being exported from the extension will be de-identified, and not shared with any third parties besides the Markup's reporters.

Firefox 96.0 is officially shipping today as the first update of 2022 for this open-source web browser. From a report: Firefox 96.0 has "significantly" reduced the amount of load placed on the browser's main thread and there is also "significant" improvements in noise suppression and auto-gain-control and improvements in echo cancellation. In addition to that performance work, there are also WebRTC improvements, an improved cookie policy to reduce the likelihood of Cross-Site Request Forgery (CSRF) attacks, video quality degradation fixes, and other fixes. Over on developer.mozilla.org are some of the web developer changes with Firefox 96 including CSS color value function hwb() support for specifying the hue/whiteness/blackness, support for the CSS color-scheme property, the Web Locks API is enabled by default, image encoder support for WebP for exporting HTML5 canvas elements, and other additions.

Brian Fagioli, reporting for BetaNews: The developers of the Ubuntu-based operating system have agreed to accept an undisclosed amount of money from Mozilla in exchange for making significant changes to Linux Mint. This includes removal of modifications to Firefox and a big change for search. The devs share the upcoming changes to Firefox in Linux Mint 19 and higher.
The default start page no longer points to https://www.linuxmint.com/start/
The default search engines no longer include Linux Mint search partners (Yahoo, DuckDuckGo...) but Mozilla search partners (Google, Amazon, Bing, DuckDuckGo, Ebay...)
The default configuration switches from Mint defaults to Mozilla defaults.
Firefox no longer includes code changes or patches from Linux Mint, Debian or Ubuntu.

Mike Melanson's "This Week in Programming" column looks at what happened after Mozilla founder Jamie "jwz" Zawinski slammed the group for accepting donations in cryptocurrency (which Zawinski called partnering "with planet-incinerating Ponzi grifters.") Peter Linss, one of the creators of the Gecko browser engine on which Mozilla Firefox is based, also stepped in to back up Zawinski, saying that he was 100% with him and that Mozilla was "meant to be better than this."

When Mozilla first announced it would accept Bitcoin donations in 2014, it cited Khan Academy, Electronic Frontier Foundation, United Way, Greenpeace, and Wikimedia Foundation among its moral and upstanding cryptocurrency-accepting compatriots. Of that list, just Greenpeace has since stopped accepting cryptocurrency donations, telling the Financial Times earlier this year that "as the amount of energy needed to run bitcoin became clearer, this policy [of accepting cryptocurrency donations] became no longer tenable."
Thursday the Mozilla Foundation announced it was pausing cryptocurrency donations to review whether the idea "fits with our climate goals" — a fact the column also addresses: Mike Shaver, another Mozilla project founder, also tweeted his support, writing that he was "glad to see this reflection happening."

In a follow-up blog post to the ordeal, Zawinski doubled down on his condemnation of Mozilla's cryptocurrency acceptance, writing that "cryptocurrencies are not only an apocalyptic ecological disaster, and a greater-fool pyramid scheme, but are also incredibly toxic to the open web, another ideal that Mozilla used to support" — an idea also espoused in many of the comments on the initial Twitter thread.

Meanwhile, although Mozilla says that it is pausing the ability to donate cryptocurrencies during its review, the donations page still lists BitPay among its payment methods.

The Mozilla Foundation is pausing accepting donations in cryptocurrency following a backlash from scores of people including a founder of the Mozilla Project. From a report: The foundation, which oversees the development of Firefox browser, on Thursday acknowledged conversations around the environment impact that cryptocurrency potentially pose and said it is reviewing whether its current policy on crypto donations "fits with our climate goals."

The foundation started to face backlash following a tweet late last year that invited people to donate via using a variety of crypto tokens including Bitcoin. In response to it, Jamie Zawinski expressed dismay at the foundation's move. "Everyone involved in the project should be witheringly ashamed of this decision to partner with planet-incinerating Ponzi grifters," he said, adding an expletive.

A user writes: Jamie "jwz" Zawinski, famous for being one of the original Netscape developers, being a founder of the Mozilla project, and for this axiom, has laid into Mozilla after the Firefox developers announced they was accepting Dogecoin, Bitcoin, and Ethereum cryptocurrency payments, via Bitpay, for Mozilla's services and donations. Quote jwz: "I'm here to say fuck you and fuck this. Everyone involved in the project should be witheringly ashamed of this decision to partner with planet-incinerating Ponzi grifters."
UPDATE (1/6/2021): Days later the Mozilla Foundation announced they were instead pausing cryptocurrency donations to review whether the idea "fits with our climate goals."

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.
The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password. From a report: The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers. At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release), a feature that allows users to sync their local clipboard history to their Microsoft accounts. The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers. In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.

The Mozilla Foundation today released its financial report for 2020. As usual, this gives us a good picture of the organization's financial health from a year ago, but for the first time this year, Mozilla also provided us with more recent data. From a report: It's no secret that Mozilla recently went through a number of difficult years, with major layoffs in 2020 as it restructured its for-profit arm, Mozilla Corporation. Its flagship Firefox browser, despite a number of technical advances, is also struggling in a marketplace that is now dominated by Chromium-based browsers. Still, in 2020, Mozilla Corporation's revenue was $466 million from its search partnerships (largely driven by its search deal with Google), subscriptions and advertising revenue. That's essentially the same as in 2019, when Mozilla Corporation generated $465 million from these sources.

For 2021, the organization forecasts revenue of over $500 million. What's maybe most important, though, is that Mozilla's new products like its Mozilla VPN service, Firefox Relay Premium, Pocket and other commercial initiatives are slowly but surely starting to pay off. As Mozilla executive VP Angela Plohman and CFO Eric Muhlheim noted in today's announcement, revenue from new product offerings will grow 150% this year and account for 14% of the organization's revenue in 2021. The Mozilla VPN service saw a revenue increase of 450% from 2020 to 2021.

In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.

Microsoft is backtracking on changes it made to Windows 11 that made it more difficult to switch default browsers. From a report: A new test build of Windows 11 now allows users of Chrome, Firefox, and other browsers to set a default browser with a single button, which is a far simpler process. Rafael Rivera, developer of the excellent EarTrumpet Windows app, discovered the new Windows 11 changes earlier this week. Instead of having to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, Windows 11 now offers a simple button that lets people switch default browsers in a similar way to Windows 10. Microsoft has confirmed the changes are intentional and are currently being tested. "In the Windows 11 Insider Preview Build 22509 released to the Dev Channel on Wednesday, we streamlined the ability for a Windows Insider to set the 'default browser' to apps that register for HTTP:, HTTPS:, .HTM, and .HTML," explains Aaron Woodman, vice president of Windows marketing, in a statement to The Verge. "Through the Windows Insider Program you will continue to see us try new things based on customer feedback and testing."