Mozilla Nederland: the Dutch Mozilla community

Yunier José Sosa Vázquez: Visualizing the invisible

Mozilla planet - Fri, 29/01/2016 - 14:46

This is a translation of the original article published on The Mozilla Blog. Written by Jascha Kaykas-Wolff.

Today, privacy and threats such as invisible third-party tracking on the Web can seem very abstract. Many of us are not aware of what is happening with our data online, or we feel powerless because we do not know what to do. More and more, the Internet is becoming a giant glass house where your personal information is exposed to third parties who collect it and use it for their own purposes.

We recently launched Private Browsing with Tracking Protection in Firefox, a feature focused on giving anyone who uses Firefox a meaningful choice when it comes to third parties on the Web that might be collecting their data without their knowledge or control. It is a feature that addresses the need for more control over online privacy, but it is also connected to an ongoing and important debate around preserving a healthy, open and sustainable Web ecosystem, and the problems and possible solutions to the content blocking question.

The glass house

Earlier this month we dedicated a three-day event to online privacy in Hamburg, Germany. Today we would like to share some impressions from the event, as well as an experiment we filmed on the famous Reeperbahn street.

Our experiment?

We set out to see whether we could explain something that is not easily visible, online privacy, in a very tangible way. We built an apartment fully equipped with everything needed to enjoy a short trip to the pearl of northern Germany. We made the apartment available to various travelers arriving to spend the night. Once they connected to the apartment's Wi-Fi, all the walls were removed, exposing the travelers to onlookers and to the commotion outside caused when their private information turned out to be public.

The travelers' responses to what happens to them are striking.

On video: watch what happens to our data

That said, we used some actors to dramatize a not-so-subtle reference to what can happen to your data when you are not paying attention. Welcome to the glass house!

From Mozilla Hispano we urge all readers to recognize that they are users who need to inform themselves in order to reflect on what happens when they go on the Web. Taking control requires tools and information, and to achieve this users must become self-managing, conscious of the reality they live in within the environment around them, so that they can take matters into their own hands.

While the results of the experiment are meant to educate and raise awareness, we also captured participants' thoughts and feelings after the intervention. These are some of the most moving reactions:


From left to right: Lars Reppesgaard (author, “The Google Empire”), Svenja Teichmann (crowdmedia), Federico Richter (Chairman of the German Data Protection Foundation) and Winston Bowden (Sr. Product Marketing Manager, Firefox)

Discussing the state of data control on the Web today

In the two days following the intervention, in the same glass house, German privacy and technology experts, the Digital Media Women group of Hamburg, the Mozilla community and people interested in the topic of online privacy gathered to discuss the “State of data and control on the Web”.

We began with a panel discussion, moderated by Svenja Teichmann, founder and managing director of crowdmedia (currently Sequel), and German data protection experts. The protection of online privacy and questions such as “What is private today?” were the topics debated while passers-by could look in through the glass walls.

Federico Richter pointed to user uncertainty: “On the web we do not notice what is watching us. And many people cannot protect their privacy online because they do not have easy-to-use features.” Lars Reppesgaard is not completely against Internet tracking but thinks users should have a choice. “If you want technology to help you, it sometimes needs to collect some data. But for most users it is not obvious when and by whom this tracking is done.” On the new Tracking Protection feature in Private Browsing in Firefox, Winston Bowden emphasized:

“We are not an enemy of online advertising. It is a legitimate source of revenue and ensures highly exciting content on the Web. But if users are tracked without their knowledge, or even against their will, this kind of tracking will not work. The free and open Web is a valuable asset that we must protect. Users need to be in control of their data.”

Education and participation

Finally, members of the German Mozilla community joined the event to inform and educate people about how Firefox can help users gain control over their online experience. They explained the background and genesis of Tracking Protection, but also showed tools such as Lightbeam and talked about Smart On Privacy and Web Literacy, with the aim of offering reference points for a better understanding of how the Web works.


Thanks to everyone who worked behind the scenes and/or came to Hamburg and did their best to make this event work. We appreciate your help in educating and advocating so that people know about their choice and control over online privacy.

Finally, if you are interested in the topic, you can share this article on your social networks so that everyone is aware of what is going on. That way you can join privacy month.

Source: Mozilla Hispano

Categories: Mozilla-nl planet

Mozilla Firefox 45.0 beta 1 - Komputer Świat

News collected via Google - Fri, 29/01/2016 - 12:46

Mozilla Firefox 45 is the forty-fifth release of one of the most popular web browsers, running on computers with operating systems from the Windows, Mac OS X and Linux families. Mozilla Firefox gained its popularity ...

Google News
Categories: Mozilla-nl planet

Mozilla Firefox 44 arrives with high ambitions - pestaola

News collected via Google - Fri, 29/01/2016 - 09:50

The 44th version of Mozilla Firefox is available and promises to fix many holes and bugs that plagued the previous version. No more and no less, Mozilla notes that Firefox 44 brings fixes for 12 different bugs, which had ...
Mozilla Firefox 44: Final version available with a notification system - techgear.gr
The new Firefox 44 has been released and has a notification system! - Newsit

All 10 news articles » Google News
Categories: Mozilla-nl planet

Daniel Glazman: Google, BlueGriffon.org and blacklists

Mozilla planet - Fri, 29/01/2016 - 09:36

Several painful things happened to bluegriffon.org yesterday... In chronological order:

  1. during my morning, two users reported that their browser did not let them reach the downloads section of bluegriffon.org without a security warning. I could not see it myself from here, whatever the browser or the platform.
  2. during the evening, I could see the warning using Chrome on OS X
  3. apparently, and if I believe the "Search Console", Google thought two files in my web repository of releases are infected. I launched a complete verification of the whole web site and ran all the software releases through three anti-virus systems (Sophos, Avast and AVG) and an anti-adware system. Nothing at all to report. No infection, no malware, no adware, nothing.
  4. since this was my only option, I deleted the two reported files from my server. Just for the record, the timestamps were unchanged, and I even verified the files were precisely the ones I uploaded in January and April 2012. Yes, 2012... Yesterday, without being touched/modified in any manner during the last four years, they were erroneously reported infected.
  5. this morning, Firefox also reports a security warning on most large sections of BlueGriffon.org and its Downloads section. I guess Firefox is also using the Google blacklist. Just for the record, both Spamhaus and CBL have nothing to say about bluegriffon.org...
  6. the Google Search Console now reports my site is ok but Firefox still reports it unsecure, ahem.

I need to draw a few conclusions here:

  • Google does not tell you how the reported files are unsecure, which is really lame. The online tool they provide to "analyze" a web site did not help at all.
  • Since all my antivir/antiadware declared all files in my repo clean, I had absolutely no option but to delete the files that are now missing from my repo
  • two reported files in bluegriffon.org/freshmeat/1.4/ and bluegriffon.org/freshmeat/1.5.1/ led to blacklisting of all of bluegriffon.org/freshmeat and that's hundreds of files... Hey guys, we are and you are programmers, right? Sure you can do better than that?
  • during more than one day, customers fled from bluegriffon.org because of these security warnings, security warnings I consider as fake reports. Since no public antimalware app could find anything to say about my files, I am suspecting a fake report of human origin. How such a report can reach the blacklist when files are reported safe by four up-to-date antimalware apps and w/o infection information reported to the webmaster is far beyond my understanding.
  • blacklists are a tool that can be harmful to businesses if they're not well managed.

Update: oh and I forgot one thing: during the evening, Earthlink.net blacklisted one of the Mail Transport Agents of Dreamhost. Not my email address, that whole SMTP gateway at Dreamhost... So all my emails to one of my customers bounced and I can't even let her know some crucial information. I suppose thousands at Dreamhost are impacted. I reported the issue to both Earthlink and DH, of course.

Categories: Mozilla-nl planet

Karl Dubost: [worklog] APZ bugs, Some webcompat bugs and HTTP Refresh

Mozilla planet - Fri, 29/01/2016 - 09:15

Monday, January 25, 2016. It's morning in Japan. The office room temperature is around 3°C (37.4F). I just put on the Aladdin. The sleep was short or more exactly interrupted a couple of times. Let's go through emails after two weeks away.

My tune for WebCompat for this first quarter 2016 is Jurassic 5 - Quality Control.

MFA (Multi Factor Authentication)

Multi Factor Authentication in the computing industry is sold as something easier and more secure. I still have to be convinced about the easier part.

WebCompat Bugs
  • Bugzilla Activity
  • Github Activity
  • In Bug 1239922, Google Docs is sending HiRes icons only to WebKit devices because of a mediaqueries @media screen and (-webkit-min-device-pixel-ratio:2) {} in the CSS. One difference is that the images are set through content outside of the mediaquery on a pseudo-element, but inside directly on the element itself. It is currently a non-standard feature as explained by Daniel Holbert. We contacted them. A discussion has been started and the magical Daniel dived a bit more in the issue. Read it.
  • Google Search seems to have ditched the opensearch link in the HTML head. As a result, users have more difficulty adding the search for specific locales. Contacted.
  • Google Custom Search is not sending the same search results links to Firefox Desktop and iOS9 on one side than Firefox Android. Firefox Android receives http://cse.google.com/url? instead of http://www.google.com/url?. This is unfortunate because http://cse.google.com/url? is a 404.
  • DeKlab is sending some resources (a template for Dojo) with a bogus BOM. Firefox is stricter than Chrome on this and rejects the document, which in return breaks the application. Being stricter is cool and the site should be contacted, but at the same time, the pressure of it working in Chrome makes it harder to convince devs.
  • When creating a set of images for srcset, make absolutely sure that your images are actually on the server.
  • Some bugs are harder to test than others. redbox.com is not accessible from Japan. Maybe it's working from USA. If someone can test for us.
  • When mixing em and px in a design you always risk that the fonts and rounding of values will not be exactly the same in all browsers.
  • There is an interesting bug with Font being truncated on twitter differently on linux and other platforms and this depending on the fonts. Boris Zbarsky suspects that twitter plays somehow with the font. I started to dig to extract more information.
  • Strange issue on a 360 video not playing in IceWeasel. This seems related specifically to the Debian version.
  • Some of the bugs we had with Japanese Web sites are being fixed, silently as usual. Once we reached out, not always the person will tell us back, hey we deployed a fix.
  • A developer is working on a Web site and he feels the need because of a performance, feature issue to create a script to block a specific user-agent string. Time passes. We analyze. Find the contact information given on the site. Try to contact and don't get any answers. We try to contact again this time on twitter. And the person replies that he is not working anymore there so can't fix the user agent sniffing. Apart from the frustration that it creates, you can see how user agent sniffing strategy is broken, it doesn't take evolution of implementations and human changes into consideration. User agent sniffing may work but it is a very high maintenance choice with consequences on a long term. It's not a zero cost.

APZ Bugs

There's a list of scrolling bugs which affects Firefox. The issue is documented on MDN.

These effects work well in browsers where the scrolling is done synchronously on the browser's main thread. However, most browsers now support some sort of asynchronous scrolling in order to provide a consistent 60 frames per second experience to the user. In the asynchronous scrolling model, the visual scroll position is updated in the compositor thread and is visible to the user before the scroll event is updated in the DOM and fired on the main thread. This means that the effects implemented will lag a little bit behind what the user sees the scroll position to be. This can cause the effect to be laggy, janky, or jittery — in short, something we want to avoid.

So if you know someone (or a friend of a friend) who is able to fix or put us in contact with one of these APZ bugs site owners, please tell us in the bugs comments or on IRC (#webcompat on irc.mozilla.org). I did a first pass at bugs triage for contacting the site.

Some of these bugs are not mature yet in terms of outreach status. With Addons/e10s and APZ, it might happen more often that the Web Compat team is contacted for reaching out the sites which have quirks, specific code hindering Firefox, etc. But to reach out a Web site requires first a couple of steps and understanding. I need to write something about this. Added to my TODO list.

Addons e10s

Difficult to make progress in some cases, because the developers have completely disappeared. I wonder in some cases if it would not just be better to completely remove it from the addons list. It would both give the chance to someone else to propose something if needed by users (nature doesn't like void) or/and the main developer to wake up and wonder why the addon is not downloadable anymore.

Webcompat Life

We had a https://wiki.mozilla.org/Compatibility/Mobile/2016-01-26. We discussed APZ, WebCompat wiki, Firefox OS Tier3 and WebkitCSS bugs status.

Pile of mails
  • Around 1000 emails after 2 weeks, this is not too bad. I dealt in priority with those where my email address is directly in the To: field (dynamic mailbox), then the ones where I'm in needinfo in Bugzilla, then finally the ones which are addressed to specific mailing-lists I have work to do. The rest, rapid scan of the topics (Good email topics are important. Remember!) and marking as read all the ones that I don't have any interests. I'm almost done in one day with all these emails.

HTTP Refresh TODO
  • explain what is necessary to consider a bug "ready for outreach".
  • check the webkitcss bugs we had in Bugzilla and WebCompat.com
  • check if the bugs still open about Firefox OS are happening on Firefox Android
  • testing Google search properties and see if we can find a version which is working better on Firefox Android than the current default version sent by Google. Maybe testing with Chrome UA and Iphone UA.

Otsukare!

Categories: Mozilla-nl planet

Andy McKay: Why I closed your bug

Mozilla planet - Fri, 29/01/2016 - 09:00

Because I'm mean. Well not really, but I understand how it can feel that way.

Web sites at Mozilla have a unique advantage in that they are open source. That is great for development and contributions. Although the number of contributions tends to be lower than for Firefox and other projects [1].

Just like Firefox anyone can file a bug and anyone can send in a patch. Which is truly awesome and for the last 10+ years AMO has had some excellent contributors as well as paid staff help it out. Except for a few basic problems:

  • There are always new features, new edge cases, new problems to be solved.

  • Each new feature spawns new bugs.

  • Each new feature interacts with other features to become more and more complex.

  • The number of bugs on the site grows to overwhelming proportions given time.

  • The maintenance burden grows and grows until no new features can be added without getting more resources.

This is probably a familiar cycle to many. In open source projects you can fork and take your project off in a different direction. In the case of AMO though you really can't in that there's only one such site for Firefox.

And therein we get to the dilemma. At Mozilla we've gone through various phases of support for AMO from paid contributors: from lots of developers, to none, to one, to lots of developers.

The one continual theme in all of them, the number of features and bugs just keeps growing and to get more done we need more and more people.

So let's return to that bug you've filed asking for something on AMO. We'll think quite unsurprisingly of things like:

  • Will it add complexity or remove it?

  • What are the long term maintenance and security issues?

  • Will it be used?

...that shouldn't be too much of a surprise. But that might mean that we won't take that bug, or pull request, and then you'll think we are mean.

In the past I've seen bugs triaged to be "P5 Enhancement" (or maybe even "good first bug" or "patches welcome"), this is just a cop out. Basically we don't want to work on this so we are going to ignore it, we know that you don't really want to work on the feature either and it sits in limbo. I'd rather be up front and close it.

The only way we can make a site like AMO maintainable is by keeping the complexity and feature set down. After all, there's a lot of work to be done around add-ons, the more we can keep the complex things simple, the more we can do.

[1] Citation needed.

Categories: Mozilla-nl planet

Ehsan Akhgari: Building Firefox With clang-cl: A Status Update

Mozilla planet - Fri, 29/01/2016 - 05:46

Last June, I wrote about enabling building Firefox with clang-cl.  We didn’t get these builds up on the infrastructure and things regressed on both the Mozilla and LLVM side, and we got to a state where clang-cl either wouldn’t compile Firefox any more, or the resulting build would be severely broken.  It took us months but earlier today we finally managed to get a full x86-64 Firefox build with clang-cl!  The build works for basic browsing (except that it crashes on yahoo.com for reasons we haven’t diagnosed yet) and just for extra fun, I ran all of our service worker tests (which I happen to run many times a day on other platforms) and they all passed.

This time, we got to an impressive milestone.  Previously, we were building Firefox with the help of clang-cl’s fallback mode (which falls back to MSVC when clang fails to build a file for whatever reason) but this time we have a build of Firefox that is fully produced with clang, without even using the MSVC compiler once.  And that includes all of our C++ tests too.  (Note that we still use the rest of the Microsoft toolchain, such as the linker, resource compiler, etc. to produce the ultimate binaries; I’m only focusing on C and C++ compilation in this post.)

We should now try to keep these builds working.  I believe that this is a big opportunity for Firefox to be able to leverage the modern toolchain that we have been enjoying on other platforms on Windows, where we have most of our users.  An open source compilation toolchain has long been needed on Windows, and clang-cl is the first open source replacement that is designed to be a drop-in replacement for MSVC, and that makes it an ideal target for Firefox.  Also, Microsoft’s recent integration of clang as a front-end for the MSVC code generator promises the prospects of switching to clang/C2 in the future as our default compiler on Windows (assuming that the performance of our clang-cl builds don’t end up being on par with the MSVC PGO compiler.)

My next priority for this project would be to stand up Windows static analysis builds on TreeHerder.  That requires getting our clang-plugin to work on Windows, fixing the issues that it may find (since that would be the first time we would be running our static analyses on Windows!), and trying to get them up and running on TaskCluster.  That way we would be able to leverage our static analysis on Windows as the first fruit of this effort, and also keep these builds working in the future.  Since clang-cl is still being heavily developed, we will be preparing periodic updates to the compiler, potentially fixing the issues that may have been uncovered in either Firefox or LLVM and therefore we will keep up with the development in both projects.

Some of the future things that I think we should look into, sorted by priority:

  • Get DXR to work on Windows.  Once we port our static analysis clang plugin to Windows, the next logical step would be to get the DXR indexer clang plugin to work on Windows, so that we can get a DXR that works for Windows specific code too.
  • Look into getting these builds to pass our test suites.  So far we are at a stage where clang-cl can understand all of our C and C++ code on Windows, but the generated code is still not completely correct.  Right now we’re at such an early stage that one can find crashes etc within minutes of browsing.  But we need to get all of our tests to pass in these builds in order to get a rock-solid browser built with clang-cl.  This will also help the clang-cl project, since we have been reporting clang-cl bugs that the Firefox code has continually uncovered, and on occasions also fixes to those bugs.  Although the rate of the LLVM side issues has decreased dramatically as the compiler has matured, I expect to find LLVM bugs occasionally, and hope to continue to work with the LLVM project to resolve them.
  • Get the clang-based sanitizers to work on Windows, to extend their coverage to Windows.  This includes things such as AddressSanitizer, ThreadSanitizer, LeakSanitizer, etc.  The security team has been asking for AddressSanitizer for a long time.  We could definitely benefit from the Windows specific coverage of all of these tools.  Obviously the first step is to get a solid build that works.  We have previously attempted to use AddressSanitizer on Windows but we have run into a lot of AddressSanitizer specific issues that we had to fix on both sides.  These efforts have been halted for a while since we have been focusing on getting the basic compilation to work again.
  • Start to do hybrid builds, where we randomly pick either clang-cl or MSVC to build each individual file.  This is required to improve clang-cl’s ABI compatibility.  The reason that is important is that compiler bugs in a lot of cases represent themselves as hard to explain artifacts in the functionality, anything from a random crash somewhere where everything should be working fine, to parts of the rendering going black for unclear reasons.  A cost effective way to diagnose such issues is getting us to a point where we can mix and match object files produced by either compilers to get a correct build, and then bisect between the compilers to find the translation unit that is being miscompiled, and then keep bisecting to find the function (and sometimes the exact part of the code) that is being miscompiled.  This is basically impractical without a good story for ABI compatibility in clang-cl.  We have recently hit a few of these issues.
  • Improving support for debug information generation in LLVM to a point that we can use Breakpad to generate crash stacks for crash-stats.  This should enable us to advertise these builds to a small community of dogfooders.
  • Start to look at a performance comparison between clang-cl and MSVC builds.  This plus the bisection infrastructure I touched on above should generate a wealth of information on performance issues in clang-cl, and then we can fix them with the help of the LLVM community.  Also, in case the numbers aren’t too far apart, maybe even ship one Firefox Nightly for Windows built with clang-cl, as a milestone!  :-)

Longer term, we can look into issues such as helping to add support for full debug information support, with the goal of making it possible to use Visual Studio on Windows with these builds.  Right now, we basically debug at the assembly level.  Although facilitating this will probably help speed up development too, so perhaps we should start on it earlier.   There is also LLDB on Windows which should in theory be able to consume the DWARF debug information that clang-cl can generate similar to how it does on Linux, so that is worth looking into as well. I’m sure there are other things that I’m not currently thinking of that we can do as well.

Last but not least, this has been a collaboration between quite a few people, on the Mozilla side, Jeff Muizelaar, David Major, Nathan Froyd, Mike Hommey, Raymond Forbes and myself, and on the LLVM side many members of the Google compiler and Chromium teams: Reid Kleckner, David Majnemer, Hans Wennborg, Richard Smith, Nico Weber, Timur Iskhodzhanov, and the rest of the LLVM community who made clang-cl possible.  I’m sure I’m forgetting some important names.  I would like to appreciate all of these people’s help and effort.

Categories: Mozilla-nl planet

Air Mozilla: Privacy Lab - Privacy for Startups - January 2016

Mozilla planet - Fri, 29/01/2016 - 03:00

Privacy Lab - Privacy for Startups - January 2016 Privacy for Startups: Practical Guidance for Founders, Engineers, Marketing, and those who support them Startups often espouse mottos that make traditional Fortune 500 companies cringe....

Categories: Mozilla-nl planet

Tanvi Vyas: No More Passwords over HTTP, Please!

Mozilla planet - Thu, 28/01/2016 - 23:14

Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.

Firefox Developer Edition 46+ shows a lock with a red strikethrough on non-secure pages that have a password field, while Firefox Release does include that additional iconography

How does Firefox determine if a password field is secure or not?

Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

      • Change the form action so the password submits to an attacker controlled server instead of the intended destination. Then seamlessly redirect to the intended destination, while sending along the stolen password.
      • Use javascript to grab the contents of the password field before submission and send it to the attacker’s server.
      • Use javascript to log the user’s keystrokes and send them to the attacker’s server.

Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

Firefox has been alerting developers of this issue via the Developer Tools Web Console since Firefox 26.

Why isn’t submitting over HTTPS enough? Why does the page have to be HTTPS?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add javascript to the HTML page that will steal the user’s username and password. The attacker then sends the updated HTML to the user. When the user enters their username and password, it will get sent to both the attacker and the site.

What if the credentials for my site really aren’t that sensitive?

Sometimes sites require username and passwords, but don’t actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back and read, but not save any other data about a user. Most users don’t consider this highly sensitive information. Web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, password reuse is a big problem. Users use the same password across multiple sites (news sites, social networks, email providers, banks). Hence, even if access to the username and password to your site doesn’t seem like a huge risk to you, it is a great risk to users who have used the same username and password to login to their bank accounts. Attackers are getting smarter; they steal username/password pairs from one site, and then try reusing them on more lucrative sites.

How can I remove this warning from my site?

Put your login forms on HTTPS pages.

Of course, the most straightforward way to do this is to move your whole website to HTTPS. If you aren’t able to do this today, create a separate HTTPS page that is just used for logins. Whenever a user wants to login to your site, they will visit the HTTPS login page. If your login form submits to an HTTPS endpoint, parts of your domain may already be set up to use HTTPS.

In order to host content over HTTPS, you need a TLS Certificate from a Certificate Authority. Let’s Encrypt is a Certificate Authority that can issue you free certificates. You can reference these pages for some guidance on configuring your servers.
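As an added illustration (not code from the original post or from Firefox), the following Python script audits a page's markup for password fields: it flags any password field on an HTTP page even when the form action is HTTPS, and, as an extra check beyond what the post describes, an HTTPS page whose form posts to plain HTTP. The class and function names and the news.example pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Collect every <input type="password"> and the URL its form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []  # resolved actions of the currently open <form> tags
        self.fields = []        # submit target for each password field found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.form_actions.append(urljoin(self.page_url, attrs.get("action") or ""))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # Markup inside a hidden <div> is still parsed, so it is still counted.
            target = self.form_actions[-1] if self.form_actions else self.page_url
            self.fields.append(target)

    def handle_endtag(self, tag):
        if tag == "form" and self.form_actions:
            self.form_actions.pop()


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means no exposed password field."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for target in parser.fields:
        if not page_secure:
            # An HTTPS action does not help: the page itself can be rewritten in transit.
            findings.append("password field on non-secure page " + page_url)
        elif urlsplit(target).scheme != "https":
            findings.append("password submitted to non-secure endpoint " + target)
    return findings


# Constructed sample pages (hypothetical site, not taken from any real page).
HTTP_PAGE_HTTPS_ACTION = """
<div style="display:none">
  <form action="https://news.example/session" method="post">
    <input name="user"><input type="password" name="pw">
  </form>
</div>"""
HTTPS_PAGE_HTTP_ACTION = """
<form action="http://news.example/session" method="post">
  <input type="PASSWORD" name="pw">
</form>"""
HTTPS_PAGE_RELATIVE_ACTION = '<form action="/session"><input type="password"></form>'

if __name__ == "__main__":
    print(audit_login_page("http://news.example/", HTTP_PAGE_HTTPS_ACTION))
    print(audit_login_page("https://news.example/login", HTTPS_PAGE_HTTP_ACTION))
    print(audit_login_page("https://news.example/login", HTTPS_PAGE_RELATIVE_ACTION))
```

Password fields that a script inserts after load are not in the served markup, so this static check will not see them.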

What can I do if I don’t control the webpage?

We know that users of Firefox Developer Edition don’t only use Developer Edition to work on their own websites. They also use it to browse the net. Developers who see this warning on a page they don’t control can still take a couple of actions. You can try to add “https://” to the beginning of the URL in the address bar and see if you are able to log in over a secure connection to help protect your data. You can also try to reach out to the website administrator and alert them to the privacy and security vulnerability on their site.

Do you have examples of real life attacks that occurred because of stolen passwords?

There are ample examples of password reuse leading to large-scale compromise. There are fewer well-known examples of passwords being stolen by performing MITM attacks on login forms, but the basic techniques of JavaScript injection have been used at scale by Internet Service Providers and governments.

Why does my browser sometimes show this warning when I don’t see a password field on the page?

Sometimes password fields are in a hidden <div> on a page that does not show up without user interaction. We have a bug open to detect when a password field is visible on the page.

Will this feature become available to Firefox Beta and Release Users?

Right now, the focus for this feature is on developers, since they’re the ones that ultimately need to fix the sites that are exposing users’ passwords. In general, though, since we are working on deprecating non-secure HTTP in the long run, you should expect to see more and more explicit indications of when things are not secure. For example, in all current versions of Firefox, the Developer Tools Network Monitor shows the lock with a red strikethrough for all non-secure HTTP connections.

How do I enable this warning in other versions of Firefox?

Users of Firefox version 44+ (on any branch) can enable or disable this feature by following these steps:

      1. Open a new window or tab in Firefox.
      2. Type about:config and press Enter.
      3. You will get to a page that asks you to promise to be careful. Promise you will be.
      4. The value of the security.insecure_password.ui.enabled preference determines whether or not Firefox warns you about non-secure login pages. You can enable the feature and be warned about non-secure login pages by setting this value to true. You can disable the feature by setting the value to false.

Thank you!

A special thanks to Paolo Amadini and Aislinn Grigas for their implementation and user experience work on this feature!

Categories: Mozilla-nl planet

Mozilla announces initiative focused on data privacy - SDTimes.com

News gathered via Google - Thu, 28/01/2016 - 22:01

Mozilla announces initiative focused on data privacy
SDTimes.com
Today is Data Privacy Day, but Mozilla wants you to celebrate good data practices every day. The company has announced a new initiative designed to help companies and projects earn trust, stay lean, and be smart about collecting and using data.


Support.Mozilla.Org: What’s up with SUMO – 28th January

Mozilla planet - Thu, 28/01/2016 - 22:00

Hello, SUMO Nation!

Starting from this week, we’re moving things around a bit (to keep them fresh and give you more time to digest and reply). The Friday posts are moving to Thursday, and Fridays will be open for guest posts (including yours) – if you’re interested in writing a post for this blog, let me know in the comments.

Welcome, new contributors!

If you just joined us, don’t hesitate – come over and say “hi” in the forums!

Contributors of the week

We salute you!

Don’t forget that if you are new to SUMO and someone helped you get started in a nice way you can nominate them for the Buddy of the Month!

Most recent SUMO Community meeting

The next SUMO Community meeting…
  • is happening on Monday the 1st of February – join us!
  • Reminder: if you want to add a discussion topic to the upcoming meeting agenda:
    • Start a thread in the Community Forums, so that everyone in the community can see what will be discussed and voice their opinion here before Monday (this will make it easier to have an efficient meeting).
    • Please do so as soon as you can before the meeting, so that people have time to read, think, and reply (and also add it to the agenda).
    • If you can, please attend the meeting in person (or via IRC), so we can follow up on your discussion topic during the meeting with your feedback.
Developers

Community

Social

Support Forum
  • Today (was/is/will still be for a few hours) a SUMO Day, connected to the release week for Version 44. Keep answering those questions, heroes of the helpful web!
Knowledge Base

Localization

Firefox
  • for Android
    • It’s the Firefox 44 Release Week! Forum talk about the release.
    • Draft release notes are here.
    • This is a staged rollout using Google Play, addressing the crash rate discussions.
    • IMPORTANT: Android OS versions 3.0 – 3.2.6 (Honeycomb) won’t be supported in a future release of Firefox for Android; when this happens the app will not be visible on the Google Play Store for users of these OS versions. When we have a more definite time frame for this we will publish another post.
  • for iOS
    • 2.0 is still under wraps – thank you for your patience!

That’s it for today, dear SUMOnians! We still have Friday to enjoy, so see you around SUMO and not only… tomorrow!


Mozilla patches 11 issues with Firefox, three rated critical - SC Magazine

News gathered via Google - Thu, 28/01/2016 - 19:46

SC Magazine

Mozilla patches 11 issues with Firefox, three rated critical
SC Magazine
The first critical issue posted by Mozilla is an integer overflow during metadata parsing in Mozilla's use of the libstagefright library that could be exploited if triggered by a malicious MP4 formatted video file that would allow arbitrary code ...


Air Mozilla: Web QA Weekly Meeting, 28 Jan 2016

Mozilla planet - Thu, 28/01/2016 - 18:00

This is our weekly gathering of Mozilla's Web QA team, filled with discussion on our current and future projects, ideas, demos, and fun facts.

Air Mozilla: Reps weekly, 28 Jan 2016

Mozilla planet - Thu, 28/01/2016 - 17:00

This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.

Mark Surman: Inspired by our grassroots leaders

Mozilla planet - Thu, 28/01/2016 - 16:32

Last weekend, I had the good fortune to attend our grassroots Leadership Summit in Singapore: a hands on learning and planning event for leaders in Mozilla’s core contributor community.

We’ve been doing these sorts of learning / planning / doing events with our broader community of allies for years now: they are at the core of the Mozilla Leadership Network we’re rolling out this year. It was inspiring to see the participation team and core contributor community dive in and use a similar approach.

I left Singapore feeling inspired and hopeful — both for the web and for participation at Mozilla. Here is an email I sent to everyone who participated in the Summit explaining why:

As I flew over the Pacific on Monday night, I felt an incredible sense of inspiration and hope for the future of the web — and the future of Mozilla. I have all of you to thank for that. So, thank you.

This past weekend’s Leadership Summit in Singapore marked a real milestone: it was Mozilla’s first real attempt at an event consciously designed to help our core contributor community (that’s you!) develop important skills like planning and dig into critical projects in areas like connected devices and campus outreach all at the same time. This may not seem like a big deal. But it is.

For Mozilla to succeed, *all of us* need to get better at what we do. We need to reach and strive. The parts of the Summit focused on personality types, planning and building good open source communities were all meant to serve as fuel for this: giving us a chance to hone skills we need.

Actually getting better comes by using these skills to *do* things. The campus campaign and connected devices tracks at the Summit were designed to make this possible: to get us all working on concrete projects while applying the skills we were learning in other sessions. The idea was to get important work done while also getting better. We did that. You did that.

Of course, it’s the work and the impact we have in the world that matter most. We urgently need to explore what the web — and our values — can mean in the coming era of the internet of things. The projects you designed in the connected devices track are a good step in this direction. We also need to grow our community and get more young people involved in our work. The plans you made for local campus campaigns focused on privacy will help us do this. This is important work. And, by doing it the way we did it, we’ve collectively teed it up to succeed.

I’m saying all this partly out of admiration and gratitude. But I’m also trying to highlight the underlying importance of what happened this past weekend: we started using a new approach to participation and leadership development. It’s an approach that I’d like to see us use even more both with our core participation leaders (again, that’s you!) and with our Mozilla Leadership Network (our broader network of friends and allies). By participating so fully and enthusiastically in Singapore, you helped us take a big step towards developing this approach.

As I said in my opening talk: this is a critical time for the web and for Mozilla. We need to simultaneously figure out what technologies and products will bring our values into the future and we need to show the public and governments just how important those values are. We can only succeed by getting better at working together — and by growing our community around the world. This past weekend, you all made a very important step in this direction. Again, thank you.

I’m looking forward to all the work and exploration we have ahead. Onwards!

As I said in my message, the Singapore Leadership Summit is a milestone. We’ve been working to recast and rebuild our participation team for about a year now. This past weekend I saw that investment paying off: we have a team teed up to grow and support our contributor community from around the world. Nicely done! Good things ahead.


Nathan Froyd: for-purpose instead of non-profit

Mozilla planet - Thu, 28/01/2016 - 15:16

I began talking with a guy in his midforties who ran an investment fund and told me about his latest capital raise. We hit it off while discussing the differences between start-ups on the East and West Coasts, and I enjoyed learning about how he evaluated new investment opportunities. Although I’d left that space a while ago, I still knew it well enough to carry a solid conversation and felt as if we were speaking the same language. Then he asked what I did.

“I run a nonprofit organization called Pencils of Promise.”

“Oh,” he replied, somewhat taken aback. “And you do that full-time?”

More than full-time, I thought, feeling a bit judged. “Yeah, I do. I used to work at Bain, but left to work on the organization full-time.”

“Wow, good for you,” he said in the same tone you’d use to address a small child, then immediately looked over my shoulder for someone new to approach…

On my subway ride home that night I began to reflect on the many times that this scenario had happened since I’d started Pencils of Promise. Conversations began on an equal footing, but the word nonprofit could stop a discussion in its tracks and strip our work of its value and true meaning. That one word could shift the conversational dynamic so that the other person was suddenly speaking down to me. As mad as I was at this guy, it suddenly hit me. I was to blame for his lackluster response. With one word, nonprofit, I had described my company as something that stood in stark opposition to the one metric that his company was being most evaluated by. I had used a negative word, non, to detail our work when that inaccurately described what we did. Our primary driver was not the avoidance of profits, but the abundance of social impact…

That night I decided to start using a new phrase that more appropriately labeled the motivation behind our work. By changing the words you use to describe something, you can change how others perceive it. For too long we had allowed society to judge us with shackling expectations that weren’t supportive of scale. I knew that the only way to win the respect of our for-profit peers would be to wed our values and idealism to business acumen. Rather than thinking of ourselves as nonprofit, we would begin to refer to our work as for-purpose.

From The Promise of a Pencil by Adam Braun.


Mozilla patches critical vulnerabilities in Firefox 44 - Techzine

News gathered via Google - Thu, 28/01/2016 - 13:59

Techzine

Mozilla patches critical vulnerabilities in Firefox 44
Techzine
Mozilla has patched critical vulnerabilities in Firefox 44; the browser was susceptible to memory manipulation, and the web address in the address bar could be altered so that users do not realise they are secretly on an entirely different website. The update ...

Mozilla Firefox 44 update fixes critical vulnerabilities - ZDNet

News gathered via Google - Thu, 28/01/2016 - 08:58

ZDNet

Mozilla Firefox 44 update fixes critical vulnerabilities
ZDNet
Made up of three separate bugs, the first problem is caused by a memory safety issue in the ANGLE graphics library, a wild pointer flaw which occurs through the handling of .zip files, and an integer overflow during metadata parsing in Mozilla's use of ...
Mozilla Patches Critical Vulnerabilities in Firefox 44 - Threatpost
Mozilla Firefox 44 Now Comes With Intrusive Push Notifications That Appear ... - Tech Times
Mozilla launches Firefox 44 with pop-up notifications - Inquirer

Mozilla to shut down Persona - InfoQ Japan

News gathered via Google - Thu, 28/01/2016 - 08:42

Mozilla to shut down Persona
InfoQ Japan
When Mozilla's identity team transitioned Persona to community ownership, we committed to resource operations and security throughout 2014, and renewed that commitment in 2015. Because usage is low, we are moving the resources dedicated to running the project, and we ...

The Mozilla Blog: It’s International Data Privacy Day: Help us Build a Better Internet

Mozilla planet - Thu, 28/01/2016 - 05:15

Update your Software and Share the Lean Data Practices

Today is International Data Privacy Day. What can we all do to help ourselves and each other improve privacy on the Web? We have something for everyone:

  • Users can greatly improve their own data privacy by simply updating their software.
  • Companies can increase user trust in their products and user privacy by implementing Lean Data Practices that increase transparency and offer user control.

By taking action on these two simple ideas, we can create a better Web together.

Why is updating important?

Updating your software is a basic but crucial step you can take to help increase your privacy and security online. Outdated software is one of the easiest ways for hackers to access your data online because it’s prone to vulnerabilities and security holes that can be exploited and that may have been patched in the updated versions. Updating can make your friends and family more secure because a computer that has been hacked can be used to hack others. Not updating software is like driving with a broken tail light – it might not seem immediately urgent, but it compromises your safety and that of people around you.

For our part, we’ve tried to make updating Firefox as easy as possible by automatically sending users updates by default so they don’t have to worry about it. Updates for other software may not come automatically, but they are equally important.

Once you complete your updates, share the “I Updated” badge using #DPD2016 and #PrivacyAware and encourage your friends and family to update, too!

Why should companies implement Lean Data Practices?

Today we’re also launching a new way for companies and projects to earn user trust through a simple framework that helps companies think about the decisions they make daily about data. We call these Lean Data Practices, and the three central questions they help companies work through are: how can you stay lean, build in security, and engage your users? The more companies and projects that implement these concepts, the more we as an industry can earn user trust. You can read more in this blog post from Mozilla’s Associate General Counsel Jishnu Menon.

As a nonprofit with a mission to promote openness, innovation and opportunity on the Web, Mozilla is dedicated to putting users in control of their online experiences. That’s why we think about online privacy and security every day and have privacy principles that show how we build it into everything we do. All of us – users and businesses alike – can contribute to a healthy, safe and trusted Web. The more we focus on ways to reach that goal, the easier it is to innovate and keep the Web open and accessible to all. Happy International Data Privacy Day!
