Turn Firefox into a Security Information Powerhouse

"The majority of things that happen when you load a website in your browser of choice happen in the background. Unless you have installed security extensions in the browser or software on the system, you may be completely unaware of the connections that are initiated when a page is loaded in the browser.
"While you can check that manually using the browser's developer tools (hit F12 and switch to network for that), it is only displaying information to you while the page is loading.
"The Firefox web browser is probably the browser with the best selection of extensions that provide you with security information, often before you connect to a website.
"This guide provides you with a list of extensions that you may want to consider for that. ..."
Source: gHacks Tech News
---> Turn Firefox into a Security Information Powerhouse

How to remove the Dropbox Update plugin from Firefox

"Dropbox users who run Firefox on Windows may want to check the plugins listing of the browser as the browser may have picked up the Dropbox Update plugin automatically after a recent update.
"Mozilla, for unknown reasons, never fixed the automatic plugin installation issue in Firefox. While you can block the automatic installation of plugins manually in Firefox, there is no default indicator or permission system in place to protect users.
"Firefox checks various locations on the computer automatically for plugins and integrates them automatically.
"Programs too may install plugins in Firefox without informing users about that. This is one of the reasons why you have plugins like Google Update or the more recent Dropbox Update installed in the browser.
"Unless you check the plugins listing regularly, you may miss new plugin installations as there is no indication that new plugins have been added to Firefox. ..."
Source: gHacks Tech News
---> How to remove the Dropbox Update plugin from Firefox

Firefox 38.0.1/38.0.1 ESR Released

Mozilla released an update for Firefox 38 regular and ESR versions on Thursday, May 14th with the Firefox 38.0.1 release. Fixes in this version include:
  • Systems with first generation NVidia Optimus graphics cards may crash on start-up
  • Users who import cookies from Google Chrome can end up with broken websites
  • Large animated images may fail to play and may stop other images from loading
Complete details can be found in the Firefox 38.0.1 Release Notes. Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu, selecting About Firefox and following the prompts to update. Alternatively, users can download and manually install the update via the getfirefox.com site. The next planned release for Firefox is Firefox 38.0.5 on June 2, 2015.

Firefox 37.0.2 > 38.0 In-Browser Updates Disabled

Mozilla has temporarily disabled updates (automatic and manual) from Firefox 37.0.2 to Firefox 38 to address a couple of regressions. One of these was a start-up crash on Windows for users with certain NVIDIA video cards, caused by an incorrectly referenced DLL file. Updates should be functioning again in a couple of days, and users may be prompted to update to Firefox 38.0.5 once the updates are re-enabled. Firefox 38 can still be manually downloaded and installed via the getfirefox.com download site. The next planned release is Firefox 38.0.5 on June 2nd, 2015.

Mozilla gags, but supports video copy protection in Firefox 38

"... Mozilla first announced it would adopt DRM in May 2014, when the head of the Mozilla Foundation, Mitchell Baker, acknowledged that copy protection 'goes against Mozilla's fundamental approach,' but said that it had no choice but to hold its nose.
" 'We've contemplated not implementing the new iteration of DRM due to its flaws,' Baker wrote in a May 14, 2014 blog post. But 'a browser that doesn't enable video would itself be deeply flawed as a consumer product.' ..."

Source: Computerworld
More ---> Mozilla gags, but supports video copy protection in Firefox 38

Firefox 38/38.0 ESR Released

Mozilla released the next regular and ESR versions of Firefox on Tuesday, May 12th with Firefox 38. New features in this version include:
  • New tab-based preferences (Preferences panel is now its own tab)
  • Ruby annotation support
Complete details can be found in the Firefox 38 Release Notes. Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu, selecting About Firefox and following the prompts to update. Alternatively, users can download and manually install the update via the getfirefox.com site. The next planned release for Firefox is Firefox 39 and 38.1 ESR on June 30, 2015.

Mozilla plans to phase out non-secure HTTP

Last night Mozilla announced on The Mozilla Security Blog: Deprecating Non-Secure HTTP.
There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS. After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.
While they don't specify in detail what "removing capabilities from the non-secure web" means, a broad assumption would be anything that allows users to provide information. This could include the obvious, such as payment processing and site logins (which should already be using an HTTPS connection anyway), but could also include submission forms, bulletin boards, blog comments, etc. Most drastic would be Firefox not displaying a site (such as this blog) over regular HTTP at all.

Before I continue, I believe it might be helpful to explain what HTTPS actually is/does. HTTPS encrypts the connection between you and the web server. That means if someone intercepts the transmission between Firefox and the web server, they are not going to be able to see what is being sent from your computer to the website's server (technically they can see what is transmitted, but it is encrypted or scrambled, so it is of no use to them). This is good when sending sensitive information (credit card numbers, social security numbers, date of birth, etc.), but not so good if you want to post cat videos on your favorite message board site. HTTPS has nothing to do with encrypting that data once it reaches and is stored on the server; that is the responsibility of the website owner and their hosting provider. One thing the "encryption only" description leaves out: the same TLS connection also authenticates the server through its certificate and lets the browser detect any modification of the traffic in transit. On plain HTTP, anyone on the path (a public hotspot, an ISP, a compromised router) can read the page and can also rewrite it or inject scripts and ads into it before it reaches Firefox, whether or not the page itself contains anything sensitive. That tampering risk, not the secrecy of cat videos, is the main technical argument for moving everything to HTTPS.

There has been major backlash in the comments in regards to this proposal. The biggest complaint is that this is going to hurt the web, as many small sites have no real reason to be using an HTTPS connection. Furthermore, there is a major cost and time involved in making a site use an HTTPS connection. You need to purchase and apply for an SSL certificate for each site. That is fine if you are running these sites on your own server, but not for folks like myself using shared hosting. I can host as many sites as I want for $7 a month; however, only one site can have an SSL certificate. I don't use HTTPS on this site or any of the others I manage. There is no need to, other than for the admin login. There is no need to have an HTTPS connection when readers submit their comments.

Go Firefox! would be another example of where this is going to cause trouble. The message board platform software used by Delphi Forums uses an HTTPS connection only when logging in; once logged in, the rest of the site is over regular HTTP. Even when users post content it is over a regular HTTP connection. The users don't care if someone intercepts the transmission of a link to a cat video. One caveat about that pattern, though: once the login is done, the cookie that keeps the user logged in is sent with every one of those plain HTTP requests, so anyone who can read the traffic can take over the session without ever seeing the password.

So what does this mean to me as a Firefox user? At this point, still being in the very early stages of this proposal, it is unclear. What a lot of people foresee happening is that, in the future, sites they normally visit and use will be broken (either partially or completely) when using Firefox. When that happens, people are going to switch to another browser (IE, Opera, Chrome, Safari, Pale Moon, Vivaldi, etc.) and dump Firefox (if they haven't already after the Australis interface was introduced).

Another issue I could see with this involves the Certificate Authority (CA), the entity issuing digital certificates for secure communications. Developers are going to start paying for certificates from a CA so their sites will still work with Firefox. But what happens when the CA they were using does something unethical or refuses to provide audit records and gets distrusted by Mozilla (as was the case with e-Guven and CNNIC)? Now the developer is out the money for the certificate (plus possibly the cost of installation on their server), and their site is broken in Firefox. They will need to remove the certificate (possibly at an additional cost), obtain (buy) a new certificate from a "trusted" CA, and install (or have it done for them) that certificate on the server.

For once this is not Mozilla trying to imitate Chrome. They are trying to be an innovator here, but seem to think this should apply to the entire web. "Since the goal of this effort is to send a message to the web developer community that they need to be secure." As I mentioned earlier, this makes sense for eCommerce and other sites where people are providing sensitive information, but not for the entire web. If anything, they are going to send a message to the web developer community: "spend a bunch of time and money to make your sites secure, or else visitors won't be able to access your sites with Firefox." Again, this is in the early stages and maybe Mozilla will post some clarifications. I tried to look through the "robust discussion" on their community mailing list, but found most of it to be more technical about how this could (or could not) be accomplished and not so much about the possible repercussions this could create.
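A check that goes with the question of which parts of a site actually carry user input over plain HTTP, added here as an example (Python; not code from Mozilla or from this blog): it parses a page, resolves each form's action against the page URL the way a browser would, and reports which submissions will not travel over HTTPS, which of those carry a password field, and which scripts or frames the page pulls in over HTTP (the ones an on-path party could rewrite). The page URL, the HTML and the hostnames are constructed for the example.

```python
"""Report which forms on a page submit over plain HTTP, and which HTTP subresources it loads.

Constructed example; the sample page and hostnames below are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PageScanner(HTMLParser):
    """Collects every <form> (noting whether it holds a password input) and the
    src of every <script>/<iframe> in the page."""

    def __init__(self):
        super().__init__()
        self.forms, self.embeds = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["has_password"] = True
        elif tag in ("script", "iframe") and a.get("src"):
            self.embeds.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_page(page_url, html):
    """Return {'forms': [...], 'insecure_embeds': [...]} for the given page.

    Each form entry carries the fully resolved action URL, whether it will be
    submitted over HTTPS, and whether it contains a password field.
    """
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    forms = []
    for f in scanner.forms:
        # urljoin mirrors the browser: an empty action posts back to the page,
        # a relative or protocol-relative action inherits the page's scheme.
        target = urljoin(page_url, f["action"])
        forms.append({
            "action": target,
            "secure": urlsplit(target).scheme.lower() == "https",
            "has_password": f["has_password"],
        })
    insecure_embeds = [urljoin(page_url, s) for s in scanner.embeds
                       if urlsplit(urljoin(page_url, s)).scheme.lower() != "https"]
    return {"forms": forms, "insecure_embeds": insecure_embeds}


# Constructed sample: a forum thread served over HTTP whose login form points at HTTPS
# but whose reply and search forms, and one tracking script, stay on plain HTTP.
SAMPLE_PAGE_URL = "http://forum.example/thread/123"
SAMPLE_HTML = """
<form action="https://forum.example/login" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="/post-reply" method="post"><textarea name="body"></textarea></form>
<form action="//search.example/q"><input name="q"></form>
<script src="https://cdn.example/app.js"></script>
<script src="http://ads.example/track.js"></script>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in report["forms"]:
        print("%-5s %-8s %s" % ("HTTPS" if f["secure"] else "HTTP",
                                "password" if f["has_password"] else "", f["action"]))
    for e in report["insecure_embeds"]:
        print("HTTP  embed    %s" % e)
```

To run it against a real site, feed audit_page() the page's URL and its fetched HTML. Note that a protocol-relative `//host/...` action inherits the page's scheme, so a form that looks like it points at a separate host is still reported as insecure when the page itself came over HTTP.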

Mozilla Firefox Add-on Signing has started

" ... Add-on signing impacts users and developers to varying degrees. Add-on developers for instance need to submit their add-ons to Mozilla regardless of whether they plan to release it on Mozilla AMO or not.
"While it is theoretically possible to skip the submission, it would mean that only Dev and Nightly users can install the add-on, as those are the only two channels for which signing is not mandatory. ... "
Source: gHacks Tech News
Details ---> Mozilla Firefox Add-on Signing has started

Firefox 37.0.2 Released

Mozilla released an update to the Firefox 37 branch on Monday, April 20th with the Firefox 37.0.2 release. The issues this update addressed are listed in the Firefox 37.0.2 Release Notes. Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu, selecting About Firefox and following the prompts to update. Alternatively, users can download and manually install the update via the getfirefox.com site. The next planned release for Firefox is Firefox 38/Firefox 38 ESR on May 12, 2015.

More about Extension Signing

Back in February we mentioned Extension Signing Coming Later in 2015. Recently the Mozilla Add-ons Blog posted a follow-up, The Case for Extension Signing. There is a lot of interesting information in this article, including this very shocking statistic, which puts into perspective just how badly broken the current Mozilla Firefox add-on system is:
The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our addons.mozilla.org site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.
Many of the complaints I see at Go Firefox! are about these unwanted advertising/tracking add-ons (extensions/toolbars). The users can't understand how these add-ons got installed. In almost every case it was something else they were installing which secretly added the add-on. Most of these software developers bury the option (usually under Custom Install) to install or not install the add-on. Then they try to protect themselves by disclosing (usually buried in their End User License Agreement (EULA) or their Terms of Service) this optional (in that you need to choose NOT to install it) extension. Worse yet, the updates for anti-virus programs and content plugins such as Flash and Java almost always try to sneak some type of add-on into Firefox. In the case of Adobe Flash, the option to opt out is in plain sight, but many users just keep clicking 'Next' without paying attention to the prompts.

This is not the first time Mozilla has tried to get a handle on the installation of unwanted add-ons. Almost three and a half years ago, in November 2011 with Firefox 8, Mozilla introduced a couple of add-on control features. One of these was to ensure that an add-on installed outside of Firefox would only be enabled if the user chose to do so: the user would get a pop-up message the next time they started Firefox following the installation of the add-on, asking if they wished to authorize it. It looks like that mechanism is still there, but I'm guessing that, like so many other safeguards Mozilla has added over the years, it has been circumvented by these malicious developers.
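The add-ons in question are the ones Firefox itself records as installed from outside the profile. As an added example (Python; not Mozilla's code and not from this blog), the following reads a profile's extensions.json and lists exactly those entries, so a user wondering how something got there can see which install location each add-on came from. It relies on the `foreignInstall`, `location`, `descriptor`, `active` and `userDisabled` fields of extensions.json as I know them, and on the bundled default theme's ID; the sample registry is constructed, not taken from a real profile.

```python
"""List Firefox add-ons that were installed from outside the profile (sideloaded).

Constructed example. Field names follow extensions.json as understood here:
`location` is "app-profile" for add-ons installed through Firefox itself and a
registry or system location (e.g. "winreg-app-global") for ones dropped in by
other installers; Firefox also sets `foreignInstall` on the latter.
"""
import glob
import json
import os
import sys

PROFILE_LOCATION = "app-profile"  # installed by the user through Firefox itself
DEFAULT_THEME_ID = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"  # ships with Firefox, lives in app-global


def sideloaded_addons(extensions_json_text):
    """Return the add-on records that did not come in through the profile.

    An add-on is reported when Firefox flagged it as a foreign install or when it
    lives outside the profile directory (registry keys, system directories).
    """
    registry = json.loads(extensions_json_text)
    flagged = []
    for addon in registry.get("addons", []):
        if addon.get("id") == DEFAULT_THEME_ID:
            continue  # bundled default theme, not a third-party sideload
        location = addon.get("location", "")
        if addon.get("foreignInstall") or location != PROFILE_LOCATION:
            flagged.append({
                "id": addon.get("id"),
                "type": addon.get("type"),
                "location": location,
                "path": addon.get("descriptor"),
                "enabled": bool(addon.get("active")) and not addon.get("userDisabled", False),
            })
    return flagged


def profile_registries():
    """Paths of extensions.json for the current user's profiles (standard Firefox profile dirs)."""
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox", "Profiles")
    elif sys.platform == "darwin":
        base = os.path.expanduser("~/Library/Application Support/Firefox/Profiles")
    else:
        base = os.path.expanduser("~/.mozilla/firefox")
    return glob.glob(os.path.join(base, "*", "extensions.json"))


# Constructed sample registry: the default theme, one add-on the user installed, and one
# that a software bundle registered through the Windows registry.
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 16, "addons": [
    {"id": DEFAULT_THEME_ID, "type": "theme", "location": "app-global",
     "foreignInstall": False, "active": True, "userDisabled": False,
     "descriptor": "C:\\Program Files\\Mozilla Firefox\\browser\\extensions\\" + DEFAULT_THEME_ID + ".xpi"},
    {"id": "notes@example.invalid", "type": "extension", "location": "app-profile",
     "foreignInstall": False, "active": True, "userDisabled": False,
     "descriptor": "C:\\Users\\me\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\extensions\\notes@example.invalid.xpi"},
    {"id": "toolbar@bundle.example", "type": "extension", "location": "winreg-app-global",
     "foreignInstall": True, "active": True, "userDisabled": False,
     "descriptor": "C:\\Program Files (x86)\\BundleWare\\firefox\\"},
]})

if __name__ == "__main__":
    found = [(p, open(p, encoding="utf-8").read()) for p in profile_registries()]
    for path, text in found or [("<constructed sample>", SAMPLE_EXTENSIONS_JSON)]:
        print(path)
        for a in sideloaded_addons(text):
            print("  %-32s %-18s enabled=%-5s %s" % (a["id"], a["location"], a["enabled"], a["path"]))
```

Run as-is it audits every profile it finds for the current user and falls back to the constructed sample when there is none. An entry with a `winreg-*` location points at the registry key another installer wrote; removing the add-on from within Firefox will not stop it from coming back until that key (or the directory the `path` column names) is removed too.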
Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons.
While Extension Signing may put a burden on developers who don't host their add-ons on AMO, I think it is one of the better options. Some extension developers have asked about getting their own (code-signing) certificates.
The other common question is why developers can’t have their own certificates and sign their own add-ons. This would require Mozilla to function as a Certificate Authority which is currently not in our expertise. It also means we would not be able to run security scans on the add-on code. The only thing preventing a malicious add-on in that case would be the strength of our contracts requiring non-malicious code and our ability to bring legal action should those contracts be breached. This approach would favor established companies in jurisdictions where we have offices and would be extremely unfair to individual developers, especially those outside those regions. We feel the community would be better off if we put our resources into the review and scanning process that can treat everyone equally rather than setting up a certificate issuing infrastructure.
Two problems I see with this scenario right off the bat. First, a code-signing certificate runs about $200 USD per year per extension. For many of these extension developers it is a side project: they saw something in Firefox they felt could be changed to the users' benefit. Developers are already burdened with the costs of the space as well as the bandwidth for hosting their extension(s). Most developers don't charge for their extensions; they simply ask for a donation. So adding another $200 per year (again, per extension) would make it too costly for these developers to self-host their extensions (though I'm not sure of their reasoning for not hosting through AMO). Second, and more importantly, Mozilla (unlike Microsoft and Google) is a non-profit organization. I could foresee Mozilla taking "legal actions" being a major burden on their finances, which could result in them having to cut or even stop funding on other projects.
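What signing actually buys, in concrete terms, for both this item and the "Add-on Signing has started" item above: the signature covers the whole package, so an installer that swaps or adds a file after the fact breaks it, which is exactly what a runtime preference on the user's machine can never guarantee. The following is an added example (Python; not Mozilla's verifier and not code from this blog) that checks the integrity layers of a Firefox-signed XPI. A signed XPI is JAR-style signed: META-INF/manifest.mf lists a digest of every packaged file, META-INF/mozilla.sf carries a digest of that manifest, and META-INF/mozilla.rsa is a PKCS#7 signature over mozilla.sf. The code verifies the two digest layers and reports files that were modified, added or dropped; it does not verify the PKCS#7 signature itself, which is the step that proves the package came from Mozilla and would need Mozilla's signing root. The sample add-on contents and the tampered variants are constructed for the example.

```python
"""Check the digest layers of a Firefox-signed XPI (JAR-style signing). Constructed example:
manifest.mf digests every packaged file, mozilla.sf digests manifest.mf, and mozilla.rsa (a
PKCS#7 signature over mozilla.sf, NOT verified here) ties the package to Mozilla's key."""
import base64
import hashlib
import io
import zipfile

SIGNATURE_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}  # MD5 entries are deliberately ignored

def b64digest(algo, data):
    return base64.b64encode(DIGESTS[algo](data).digest()).decode("ascii")

def parse_manifest(text):
    """Map each 'Name:' section of manifest.mf to its {algo: base64 digest}."""
    entries, name, digests = {}, None, {}
    for line in text.splitlines():
        if not line.strip():  # a blank line closes a section
            if name:
                entries[name] = digests
            name, digests = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            name = value
        elif key.endswith("-Digest"):
            digests[key[:-len("-Digest")]] = value
    if name:
        entries[name] = digests
    return entries

def parse_signature_file(text):
    # {algo: base64 digest of manifest.mf} from the *-Digest-Manifest lines of mozilla.sf
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip()[:-len("-Digest-Manifest")]: v.strip() for k, _, v in pairs
            if k.strip().endswith("-Digest-Manifest")}

def verify_xpi(xpi_bytes):
    """Return a list of problems; an empty list means both digest layers check out."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = set(z.namelist())
        missing = SIGNATURE_FILES - names
        if missing:
            return ["unsigned: missing " + ", ".join(sorted(missing))]
        mf_bytes = z.read("META-INF/manifest.mf")
        # Layer 1: mozilla.sf (what the PKCS#7 signature covers) must vouch for manifest.mf.
        sf = parse_signature_file(z.read("META-INF/mozilla.sf").decode("utf-8"))
        if not any(a in DIGESTS for a in sf):
            problems.append("mozilla.sf carries no supported manifest digest")
        for algo in sf:
            if algo in DIGESTS and sf[algo] != b64digest(algo, mf_bytes):
                problems.append("manifest.mf digest mismatch in mozilla.sf (%s)" % algo)
        # Layer 2: manifest.mf must cover every content file, and every digest must match.
        entries = parse_manifest(mf_bytes.decode("utf-8"))
        content = {n for n in names if n not in SIGNATURE_FILES and not n.endswith("/")}
        problems += ["file not covered by manifest: " + n for n in sorted(content - set(entries))]
        problems += ["manifest lists missing file: " + n for n in sorted(set(entries) - content)]
        for n in sorted(content & set(entries)):
            data = z.read(n)
            if not any(a in DIGESTS for a in entries[n]):
                problems.append("no supported digest for " + n)
            for algo, expected in entries[n].items():
                if algo in DIGESTS and expected != b64digest(algo, data):
                    problems.append("digest mismatch: %s (%s)" % (n, algo))
    return problems

def build_sample_xpi(files, tamper=None):
    """Build a toy signed XPI (constructed data, not a real add-on) whose digest layers are
    correct; `tamper` replaces or adds files after the manifest was made, like an installer
    that modifies a signed package."""
    mf = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        mf += ["Name: " + name, "Digest-Algorithms: SHA1 SHA256",
               "SHA1-Digest: " + b64digest("SHA1", data),
               "SHA256-Digest: " + b64digest("SHA256", data), ""]
    mf_bytes = "\n".join(mf).encode("utf-8")
    sf_bytes = ("Signature-Version: 1.0\nSHA1-Digest-Manifest: %s\nSHA256-Digest-Manifest: %s\n"
                % (b64digest("SHA1", mf_bytes), b64digest("SHA256", mf_bytes))).encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/manifest.mf", mf_bytes)
        z.writestr("META-INF/mozilla.sf", sf_bytes)
        z.writestr("META-INF/mozilla.rsa", b"<PKCS#7 placeholder: a real one needs Mozilla's key>")
        for name, data in {**files, **(tamper or {})}.items():
            z.writestr(name, data)
    return buf.getvalue()

SAMPLE_FILES = {  # constructed stand-ins for a tiny bootstrapped add-on
    "install.rdf": b"<RDF/>",
    "chrome.manifest": b"content sample chrome/content/\n",
    "bootstrap.js": b"function startup() {}\nfunction shutdown() {}\n",
}

if __name__ == "__main__":
    print("intact:  ", verify_xpi(build_sample_xpi(SAMPLE_FILES)))
    print("modified:", verify_xpi(build_sample_xpi(SAMPLE_FILES, {"bootstrap.js": b"// greyware\n"})))
    print("added:   ", verify_xpi(build_sample_xpi(SAMPLE_FILES, {"payload.js": b"// injected\n"})))
```

Point verify_xpi() at the bytes of a real XPI and an empty list means the manifest and signature file agree with the contents; anything the "greyware" path changed shows up as a digest mismatch or an uncovered file. Passing this check is necessary but not sufficient: without verifying mozilla.rsa against Mozilla's signing certificate, anyone can regenerate a consistent manifest for a modified package, which is the reason Firefox insists on Mozilla, not the developer, holding the signing key.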