Category Archives: Firefox

Firefox, Security

Recent changes to Firefox prevent access to network resources

Leave a comment

By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out of date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.

The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.

Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.

I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.

Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.

Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now. Specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.

Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using Diffie-Hellman keys.

Firefox, Patches and updates, Security

Confusing series of Firefox releases

Leave a comment

Last week the FileHippo update checker kept insisting that Firefox 38.0.6 was the latest version. I was – and still am – unable to find any official release notes for that version, but according to one source, 38.0.6 is a special version for specific hardware. In any case, Firefox never updated itself to 38.0.6.

Yesterday I discovered that Firefox 39.0 had been released, apparently on June 30th. According to its release notes, this version includes a variety of fixes and improvements, especially for Macs. HTML5 support is improved, as is networking. Several security vulnerabilities were also addressed.

Meanwhile, in reviewing the official list of Firefox releases, I found notes for version 38.1.0, which was apparently released on July 2nd. It looks like Mozilla staff posted this version in the wrong place, because the 38.1.0 release is for the ‘ESR channel’. Readers of this site are likely more interested (as am I), in the ‘release channel’. According to the Firefox ESR FAQ:

Mozilla Firefox ESR is meant for organizations that manage their client desktops, including schools, businesses and other instituitions that want to offer Firefox. Users who want to get the latest features, performance enhancements and technologies in their browsing experience should download Firefox for personal use [ed: the release channel], as these improvements will only be available to ESR users several development cycles after being made available in Firefox for desktop.

In other words, pay no attention to the 38.1.0 ESR release if you want all the latest improvements. The ESR releases tend to lag behind in features, while typically being more stable.

Firefox, Patches and updates

Firefox 38.0.5

1 Comment

Mozilla continues to shovel more features into Firefox. This week we have Firefox 38.0.5, which adds support for Pocket (a ‘save for later’ service) and Reader mode, which provides simplified views of any web page. Version 38.0.5 also fixes a couple of nasty performance and display bugs that were introduced in recent versions. The 38.0.5 release notes provide additional details. No security issues were addressed in this update.

Mozilla is re-evaluating Firefox’s release notes, even going so far as to ask the community for feedback. Now if we can just get them to do something about the total lack of new version announcements. As usual, there was no proper announcement for this new version, although there was a post on the Mozilla blog that discusses Pocket and Reader.

Update 2015Jun10: I recently encountered an article on a site that displays everything as white text on a black background. I can only read a site like that for a few seconds before my eyes start to go blurry, so I decided to try Firefox’s new Reader mode. The near-unreadable text was transformed into beautiful, uncluttered, easy-on-the-eyes text. So apparently my offhand dismissal of Reader mode was a mistake: it’s actually a very useful feature, especially for those of us past a certain age.

Firefox, Internet, Privacy

The hidden Tracking Protection feature in Firefox

Leave a comment

A hidden feature in recent versions of Firefox blocks technologies – including cookies – that would otherwise be used to track your activities on the web.

Currently, the Tracking Protection feature can only be enabled via Firefox’s hidden about:config interface. To access this interface, enter about:config in the address bar. You’ll see a large warning message. Click the I’ll be careful button to proceed. In the search box, enter privacy.trackingprotection.enabled. The setting should be listed below, along with its current value. Double-click the line of text to toggle it from false to true.

Tracking Protection doesn’t appear to block ALL cookies, just those that are associated with activity tracking. According to Mozilla’s description of the feature, the default list of blocked resources is based on information from the security provider Disconnect.

Unfortunately, there’s not much available to the user for managing the feature. There’s no easy way to list or modify the resources that will be blocked. All the user sees is a new shield icon at the extreme left end of the address bar, which you can click to see a small dialog:

Firefox Tracking Protection
Firefox Tracking Protection

There’s not much information on the dialog, and the only options available are to close the dialog or Disable protection for this site.

There is a way you can see exactly what resources are being blocked: click the Firefox menu button (the ‘hamburger’ at the right end of the toolbar), then click Developer, then Web Console. As you encounter blocked resources, they will appear in the list at the bottom of the screen. For example: “The resource at “http://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.” Unfortunately, there’s usually lots of other information in that list as well.

By default, Tracking Protection blocks useful technologies, including at least two used on this site: Google Analytics and Feedjit. Google Analytics provides invaluable information to site managers, including how many people visit the site, when they visit, how long they stay, and so on. Feedjit is the technology powering the Live Traffic Feed in the sidebar; I’m only using it as an interesting experiment, so it’s not a big deal if it misses some users, but it’s not in any way harmful.

In the final analysis, Tracking Protection is really only useful for the truly paranoid. But if you hate the idea of anyone knowing what you’re doing on the web, you should probably be using Firefox’s Private Browsing mode.

Tracking Protection was apparently added by Mozilla in response to the fact that the Do Not Track feature is not being honoured by all trackers. A post over on VentureBeat provides additional perspective.

Hat tip to reader tap tap!

DRM, Firefox

Mozilla’s plans for DRM in Firefox

1 Comment

Mozilla is clearly aware of the negative aspects of Digital Rights Management (DRM). Most people view DRM as needlessly intrusive at best, and an extremely flawed, greed-motivated roadblock at worst.

Knowing all this, Mozilla has been careful to tread lightly when looking at ways to implement DRM in Firefox. The web is moving towards the new HTML5 standard, and HTML5 includes DRM. Mozilla decided to move forward with DRM in Firefox, but will make it easy for users to disable DRM features, and to obtain versions of Firefox that have no DRM features at all.

This seems like a reasonable compromise. Those of us who hate DRM will be able to continue using Firefox without interference from DRM-related technologies.

Firefox, Patches and updates, Security

Firefox 38.0 released

Leave a comment

Another stealth release from our friends at Mozilla, Firefox 38.0 fixes at least thirteen security issues.

Other changes in this release include tab-based preferences, as well as HTML5 enhancements and improvements to developer tools.

If you’re tired of waiting for Mozilla to issue proper release announcements, you can always get your Firefox news from another source, like the CERT alerts blog.

Update 2015May14: Two days later, and Firefox still isn’t updating itself. I’m not sure if there’s a problem with Mozilla’s update process, or if it’s just sluggish. According to Mozilla:

By default, Firefox is set to automatically update itself but you can always do a manual update. Here’s how:
1. Click the menu button, click help (question mark icon) and select About Firefox.
2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.

What I’m finding is that while the About box may be checking for updates, it’s not finding one, or in any case even if it finds one, it’s not downloading anything. It just says ‘Firefox is up to date’.

In any case, since this release contains fixes for security issues, I’m going to install it manually from the main download page. That page correctly identifies that I’m running an older version and offers a link to download the new version.

Update 2015May14: Via the official #firefox IRC channel, I was just informed that once again, a new version of Firefox is causing crashing problems. Version 38.0 has been pulled from release, and we can expect a fixed version 38.0.1 later this week.

Firefox, Patches and updates, Security

Firefox 37.0.1 fixes crashing and security issues in 37.0

Leave a comment

Some of us never really had a chance to try Firefox 37.0, and that’s probably a good thing. Version 37.0 tends to crash when started, and it includes at least one new security vulnerability.

Mozilla pulled Firefox 37.0 from the auto-update queue after learning of these issues, and yesterday released 37.0.1 to resolve them.

Unfortunately, despite the fact that this would have been a really good time for some kind of announcement of what was going on, Mozilla has said exactly nothing about this. The release notes for Firefox 37.0.1 don’t provide any insight, and although the security advisories page has been updated for 37.0.1, it still doesn’t say much.

It does appear that Mozilla’s attempt to enable Opportunistic Encryption in Firefox 37.0 didn’t work out as expected, because the HTTP Alternative Services feature is disabled in Firefox 37.0.1.

Firefox, Patches and updates, Security

Firefox 37 released

Leave a comment

A new version of Firefox was announced yesterday by Mozilla. Yes, you read that correctly: a post on the Mozilla blog announced new versions of Firefox for all platforms. Of course, the announcement doesn’t mention the new version number, and it doesn’t provide any details, it just points to the release notes. Still, it’s progress!

According to the release notes for Firefox 37.0, the new version includes several changes related to security, including ‘improved protection against site impersonation’, and several fixes related to recently-discovered TLS vulnerabilities. WebGL rendering performance on Windows was improved. HTML5 support was also enhanced.

According to the Firefox Security Advisories page, at least 13 security vulnerabilities were fixed in Firefox 37.0.

Update: As of April 1 at 6:53am PST, the version of Firefox I’m currently using (36.0.4) is telling me that ‘Firefox is up to date’. It looks like someone may have forgotten a step when publishing version 37.0. Presumably this will be resolved shortly. If I visit the main Firefox download page, it tells me I’m using an older version of Firefox, and the download link definitely goes to Firefox 37.0.

Update 2015Apr02: According to sources on the official Firefox IRC channel, auto-updates for version 37 have been suspended while the developers look into a crashing problem being reported by some Windows 8 users.