At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.
Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.
We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.
By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out-of-date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.
The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.
Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.
I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.
Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.
Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now. Specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.
Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using these weak (1024-bit or shorter) Diffie-Hellman keys.
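The error above is raised on the ServerKeyExchange message of a DHE handshake, where the server sends its Diffie-Hellman parameters in the clear. The following added example (not from the original post) parses that message layout from RFC 5246 and applies the same policy Firefox 39 applies, rejecting a modulus of 1024 bits or fewer; the sample messages are constructed, not captured from a real device.

```python
import struct

# Firefox 39 rejects ephemeral DH parameters of 1024 bits or fewer
# (see the 2015Aug07 update); this constant mirrors that threshold.
WEAK_DH_BITS = 1024


def parse_dhe_server_key_exchange(body: bytes) -> dict:
    """Parse the ServerDHParams at the front of a TLS 1.2 DHE ServerKeyExchange.

    Layout (RFC 5246 section 7.4.3): opaque dh_p<1..2^16-1>,
    opaque dh_g<1..2^16-1>, opaque dh_Ys<1..2^16-1>, each a 2-byte
    length followed by a big-endian integer. The trailing signature
    is left unparsed here.
    """
    fields = {}
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        value = body[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"truncated {name} value")
        fields[name] = int.from_bytes(value, "big")
        offset += length
    return fields


def dh_prime_bits(params: dict) -> int:
    """Size of the DH modulus p in bits; this is what the browser checks."""
    return params["dh_p"].bit_length()


def is_weak_dh(params: dict) -> bool:
    """True when Firefox 39 would refuse the handshake with the error above."""
    return dh_prime_bits(params) <= WEAK_DH_BITS


def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob; used only to construct sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: the modulus values are arbitrary numbers with the
# top bit set, not real DH groups; only their bit length matters here.
WEAK_SAMPLE = encode_dh_params((1 << 1023) | 0x1235, 2, 0xABCD)  # 1024-bit p
OK_SAMPLE = encode_dh_params((1 << 2047) | 0x1235, 2, 0xABCD)    # 2048-bit p
```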
Last week the FileHippo update checker kept insisting that Firefox 38.0.6 was the latest version. I was – and still am – unable to find any official release notes for that version, but according to one source, 38.0.6 is a special version for specific hardware. In any case, Firefox never updated itself to 38.0.6.
Yesterday I discovered that Firefox 39.0 had been released, apparently on June 30th. According to its release notes, this version includes a variety of fixes and improvements, especially for Macs. HTML5 support is improved, as is networking. Several security vulnerabilities were also addressed.
Meanwhile, in reviewing the official list of Firefox releases, I found notes for version 38.1.0, which was apparently released on July 2nd. It looks like Mozilla staff posted this version in the wrong place, because the 38.1.0 release is for the ‘ESR channel’. Readers of this site are likely more interested (as am I) in the ‘release channel’. According to the Firefox ESR FAQ:
Mozilla Firefox ESR is meant for organizations that manage their client desktops, including schools, businesses and other institutions that want to offer Firefox. Users who want to get the latest features, performance enhancements and technologies in their browsing experience should download Firefox for personal use [ed: the release channel], as these improvements will only be available to ESR users several development cycles after being made available in Firefox for desktop.
In other words, pay no attention to the 38.1.0 ESR release if you want all the latest improvements. The ESR releases tend to lag behind in features, while typically being more stable.
Mozilla continues to shovel more features into Firefox. This week we have Firefox 38.0.5, which adds support for Pocket (a ‘save for later’ service) and Reader mode, which provides simplified views of any web page. Version 38.0.5 also fixes a couple of nasty performance and display bugs that were introduced in recent versions. The 38.0.5 release notes provide additional details. No security issues were addressed in this update.
Mozilla is re-evaluating Firefox’s release notes, even going so far as to ask the community for feedback. Now if we can just get them to do something about the total lack of new version announcements. As usual, there was no proper announcement for this new version, although there was a post on the Mozilla blog that discusses Pocket and Reader.
Update 2015Jun10: I recently encountered an article on a site that displays everything as white text on a black background. I can only read a site like that for a few seconds before my eyes start to go blurry, so I decided to try Firefox’s new Reader mode. The near-unreadable text was transformed into beautiful, uncluttered, easy-on-the-eyes text. So apparently my offhand dismissal of Reader mode was a mistake: it’s actually a very useful feature, especially for those of us past a certain age.
A hidden feature in recent versions of Firefox blocks technologies – including cookies – that would otherwise be used to track your activities on the web.
Currently, the Tracking Protection feature can only be enabled via Firefox’s hidden about:config interface. To access this interface, enter about:config in the address bar. You’ll see a large warning message. Click the I’ll be careful button to proceed. In the search box, enter privacy.trackingprotection.enabled. The setting should be listed below, along with its current value. Double-click the line of text to toggle it from false to true.
Tracking Protection doesn’t appear to block ALL cookies, just those that are associated with activity tracking. According to Mozilla’s description of the feature, the default list of blocked resources is based on information from the security provider Disconnect.
Unfortunately, there’s not much available to the user for managing the feature. There’s no easy way to list or modify the resources that will be blocked. All the user sees is a new shield icon at the extreme left end of the address bar, which you can click to see a small dialog:
There’s not much information on the dialog, and the only options available are to close the dialog or Disable protection for this site.
There is a way you can see exactly what resources are being blocked: click the Firefox menu button (the ‘hamburger’ at the right end of the toolbar), then click Developer, then Web Console. As you encounter blocked resources, they will appear in the list at the bottom of the screen. For example: “The resource at “http://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.” Unfortunately, there’s usually lots of other information in that list as well.
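Since the Web Console mixes the block messages with everything else, here is an added example (not part of the original post) that filters saved console output down to the Tracking Protection messages in the format quoted above and tallies the blocked hosts. The console lines are constructed for illustration; the message format is assumed to be exactly the one shown.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the Web Console message quoted above. Firefox uses curly quotes
# around the URL; straight quotes are accepted too for pasted text.
BLOCKED_RE = re.compile(
    r'The resource at [“"](?P<url>[^”"]+)[”"] was blocked '
    r'because tracking protection is enabled\.'
)


def blocked_hosts(console_lines):
    """Return a Counter of hostnames whose resources Tracking Protection blocked.

    Lines that are not block messages (network entries, script errors,
    warnings) are ignored, so the noisy console output can be pasted in whole.
    """
    counts = Counter()
    for line in console_lines:
        match = BLOCKED_RE.search(line)
        if match:
            host = urlparse(match.group("url")).hostname
            if host:
                counts[host] += 1
    return counts


# Constructed sample of console output: three block messages mixed with
# unrelated entries. tracker.example.net is a placeholder host.
SAMPLE_CONSOLE = """\
GET http://example.com/ [HTTP/1.1 200 OK 120ms]
The resource at “http://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.
ReferenceError: foo is not defined  script.js:12:3
The resource at “http://tracker.example.net/serve/?v=1” was blocked because tracking protection is enabled.
The resource at “http://www.google-analytics.com/ga.js” was blocked because tracking protection is enabled.
""".splitlines()

if __name__ == "__main__":
    for host, n in blocked_hosts(SAMPLE_CONSOLE).most_common():
        print(f"{n:3d}  {host}")
```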
By default, Tracking Protection blocks useful technologies, including at least two used on this site: Google Analytics and Feedjit. Google Analytics provides invaluable information to site managers, including how many people visit the site, when they visit, how long they stay, and so on. Feedjit is the technology powering the Live Traffic Feed in the sidebar; I’m only using it as an interesting experiment, so it’s not a big deal if it misses some users, but it’s not in any way harmful.
In the final analysis, Tracking Protection is really only useful for the truly paranoid. But if you hate the idea of anyone knowing what you’re doing on the web, you should probably be using Firefox’s Private Browsing mode.
Tracking Protection was apparently added by Mozilla in response to the fact that the Do Not Track feature is not being honoured by all trackers. A post over on VentureBeat provides additional perspective.
There were some serious problems with Firefox 38.0, and the developers pulled it from distribution almost immediately after its release.
Mozilla moved quickly to resolve these issues, and yesterday released Firefox 38.0.1, which fixes most of the problems in 38.0. One problem apparently remains unresolved: “Responsive images do not update when the enclosing viewport changes.”
Mozilla is clearly aware of the negative aspects of Digital Rights Management (DRM). Most people view DRM as needlessly intrusive at best, and an extremely flawed, greed-motivated roadblock at worst.
Knowing all this, Mozilla has been careful to tread lightly when looking at ways to implement DRM in Firefox. The web is moving towards the new HTML5 standard, and HTML5 includes DRM. Mozilla decided to move forward with DRM in Firefox, but will make it easy for users to disable DRM features, and to obtain versions of Firefox that have no DRM features at all.
This seems like a reasonable compromise. Those of us who hate DRM will be able to continue using Firefox without interference from DRM-related technologies.
Other changes in this release include tab-based preferences, as well as HTML5 enhancements and improvements to developer tools.
If you’re tired of waiting for Mozilla to issue proper release announcements, you can always get your Firefox news from another source, like the CERT alerts blog.
Update 2015May14: Two days later, and Firefox still isn’t updating itself. I’m not sure if there’s a problem with Mozilla’s update process, or if it’s just sluggish. According to Mozilla:
By default, Firefox is set to automatically update itself but you can always do a manual update. Here’s how:
1. Click the menu button, click help (question mark icon) and select About Firefox.
2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.
What I’m finding is that while the About box may be checking for updates, it’s not finding one, or in any case even if it finds one, it’s not downloading anything. It just says ‘Firefox is up to date’.
In any case, since this release contains fixes for security issues, I’m going to install it manually from the main download page. That page correctly identifies that I’m running an older version and offers a link to download the new version.
Update 2015May14: Via the official #firefox IRC channel, I was just informed that once again, a new version of Firefox is causing crashing problems. Version 38.0 has been pulled from release, and we can expect a fixed version 38.0.1 later this week.
The latest version of Firefox includes a fix for at least one security vulnerability. Stability issues affecting specific display hardware were also resolved, as was an issue involving the display of Google Maps.
There was no announcement for Firefox 37.0.2 on the Mozilla blog. The release notes for version 37.0.2 provide additional details.
Some of us never really had a chance to try Firefox 37.0, and that’s probably a good thing. Version 37.0 tends to crash when started, and it includes at least one new security vulnerability.
Mozilla pulled Firefox 37.0 from the auto-update queue after learning of these issues, and yesterday released 37.0.1 to resolve them.