A new crop of internet browsers from Brave, DuckDuckGo and others offer stronger privacy protections than what you might be used to.
Mozilla released Firefox 87.0 this morning, the latest version of its open source web browser. Following on the heels of December’s Firefox 85 and February’s Firefox 86, the new version’s most important features—Smart Block and improved referrer trimming—are privacy related.
Firefox has been blocking third-party tracking scripts by default for quite a while now. For the most part, this works pretty seamlessly—but in some cases, missing tracking scripts can interfere with a page’s rendering, either delaying it (as seen in the animated image above, on the left) or permanently breaking it.
Smart Block takes an additional step to improve the rendering on pages that embed third-party trackers—instead of just pulling the script and leaving a “hole” where it used to be, Smart Block replaces it with what Mozilla describes as “stand-in” scripts. These stand-in scripts function just enough like the original trackers to restore the intended page-rendering sequence and results without actually leaking data to third parties.
Google today announced that its Chrome browser is moving to a faster release cycle by shipping a new milestone every four weeks instead of the current six-week cycle (with a bi-weekly security patch). That’s one way to hasten the singularity, I guess, but it’s worth noting that Mozilla also moved to a four-week cycle for Firefox last year.
“As we have improved our testing and release processes for Chrome, and deployed bi-weekly security updates to improve our patch gap, it became clear that we could shorten our release cycle and deliver new features more quickly,” the Chrome team explains in today’s announcement.
Google, however, also acknowledges that not everybody wants to move this quickly — especially in the enterprise. For those users, Google is adding a new Extended Stable option with updates that come every eight weeks. This feature will be available to enterprise admins and Chromium embedders. They will still get security updates on a bi-weekly schedule, but Google notes that “those updates won’t contain new features or all security fixes that the 4 week option will receive.”
The new four-week cycle will start with Chrome 94 in Q3 2021, and at this faster rate, we’ll see Chrome 100 launch into the stable channel by March 29, 2022. I expect there will be cake.
I installed Firefox 86 on my Ubuntu workstation using Snap to be certain I wouldn’t accidentally mess with my working system configuration. [credit: Jim Salter]
Mozilla released Firefox 86 yesterday, and the browser is now available for download and installation for all major operating systems, including Android. Along with the usual round of bug fixes and under-the-hood updates, the new build offers a couple of high-profile features—multiple Picture-in-Picture video-watching support, and (optional) stricter cookie separation, which Mozilla is branding Total Cookie Protection.
Taking Firefox 86 for a spin
Firefox 86 became the default download at mozilla.org on Tuesday—but as an Ubuntu 20.04 user, I didn’t want to leave the Canonical-managed repositories just to test the new version. This is one scenario in which snaps truly excel—providing you with a containerized version of an application, easily installed but guaranteed not to mess with your “real” operating system.
As it turns out, Firefox’s snap channel didn’t get the message about build 86 being the new default—the latest/default snap is still on build 85. In order to get the new version, I needed to snap refresh firefox --channel=latest/candidate.
Mozilla has further beefed up anti-tracking measures in its Firefox browser. In a blog post yesterday it announced that Firefox 86 has an extra layer of anti-cookie tracking built into the enhanced tracking protection (ETP) strict mode — which it’s calling ‘Total Cookie Protection’.
This “major privacy advance”, as it bills it, prevents cross-site tracking by siloing third party cookies per website.
Mozilla likens this to having a separate cookie jar for each site — so, for e.g., Facebook cookies aren’t stored in the same tub as cookies for that sneaker website where you bought your latest kicks and so on.
The new layer of privacy wrapping “provides comprehensive partitioning of cookies and other site data between websites in Firefox”, explains Mozilla.
Along with another anti-tracking feature it announced last month — targeting so called ‘supercookies’ — aka sneaky trackers that store user IDs in “increasingly obscure” parts of the browser (like Flash storage, ETags, and HSTS flags), i.e. where it’s difficult for users to delete or block them — the features combine to “prevent websites from being able to ‘tag’ your browser, thereby eliminating the most pervasive cross-site tracking technique”, per Mozilla.
There’s a “limited exception” for cross-site cookies when they are needed for non-tracking purposes — Mozilla gives the example of popular third-party login providers.
“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience,” it adds.
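A simplified model of the per-site cookie jars and the login-provider exception described above, as an added JavaScript example (not Firefox's implementation and not from the original article). All hostnames are constructed, sites are treated as plain hostnames, and the `CookieStore`, `grant` and `trackerVisit` names are hypothetical.

```javascript
// Simplified model: one cookie jar per (cookie host, top-level site) pair.
// Real browsers key on the registrable domain; plain hostnames are an assumption here.
class CookieStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.jars = new Map();   // jar key -> Map(cookie name -> value)
    this.grants = new Set(); // "topSite|cookieHost" pairs given the exception
  }

  // Decide which jar a cookie for cookieHost uses while the user is on topSite.
  jarKey(topSite, cookieHost) {
    const firstParty = topSite === cookieHost;
    const granted = this.grants.has(`${topSite}|${cookieHost}`);
    if (!this.partitioned || firstParty || granted) return cookieHost;
    return `${cookieHost}^${topSite}`; // third-party cookie, siloed per site
  }

  // Exception for one provider on one site only (e.g. a third-party login).
  grant(topSite, cookieHost) {
    this.grants.add(`${topSite}|${cookieHost}`);
  }

  set(topSite, cookieHost, name, value) {
    const key = this.jarKey(topSite, cookieHost);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }

  get(topSite, cookieHost, name) {
    const jar = this.jars.get(this.jarKey(topSite, cookieHost));
    return jar ? jar.get(name) : undefined;
  }
}

// What an embedded tracker does on each page: reuse its ID cookie or mint a new one.
function trackerVisit(store, topSite, trackerHost, nextId) {
  let id = store.get(topSite, trackerHost, 'uid');
  if (id === undefined) {
    id = nextId();
    store.set(topSite, trackerHost, 'uid', id);
  }
  return id;
}

// Visit three constructed sites that all embed the same constructed tracker.
function simulate(partitioned) {
  const store = new CookieStore({ partitioned });
  let n = 0;
  const nextId = () => `id-${++n}`;
  const sites = ['shoes.example', 'news.example', 'social.example'];
  const ids = sites.map((s) => trackerVisit(store, s, 'tracker.example', nextId));
  return { ids, distinct: new Set(ids).size };
}

// The limited exception: the provider's own cookie becomes visible on the
// one site where the grant was given, and stays siloed everywhere else.
function loginException() {
  const store = new CookieStore({ partitioned: true });
  store.set('login.example', 'login.example', 'session', 's-123'); // signed in first-party
  const before = store.get('shop.example', 'login.example', 'session');
  store.grant('shop.example', 'login.example');
  const after = store.get('shop.example', 'login.example', 'session');
  const elsewhere = store.get('news.example', 'login.example', 'session');
  return { before, after, elsewhere };
}

console.log('shared jar      :', simulate(false).ids);
console.log('partitioned jars:', simulate(true).ids);
console.log('login exception :', loginException());
```

With a shared jar the tracker sees one ID on all three sites; with partitioned jars it sees three unrelated IDs, which is what breaks the cross-site link.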
Tracker blocking has long been an arms race against the adtech industry’s determination to keep surveilling web users — and thumbing its nose at the notion of consent to spy on people’s online business — pouring resource into devising fiendish new techniques to try to keep watching what Internet users are doing. But this battle has stepped up in recent years as browser makers have been taking a tougher pro-privacy/anti-tracker stance.
Mozilla, for example, started making tracker blocking the default back in 2018 — going on to make ETP the default in Firefox in 2019, blocking cookies from companies identified as trackers by its partner, Disconnect.
While Apple’s Safari browser added an ‘Intelligent Tracking Prevention’ (ITP) feature in 2017 — applying machine learning to identify trackers and segregate the cross-site scripting data to protect users’ browsing history from third party eyes.
Google has also put the cat among the adtech pigeons by announcing a planned phasing out of support for third party cookies in Chrome — which it said would be coming within two years back in January 2020 — although it’s still working on this ‘privacy sandbox’ project, as it calls it (now under the watchful eye of UK antitrust regulators).
Google has been making privacy strengthening noises since 2019, in response to the rest of the browser market responding to concern about online privacy.
In April last year it rolled back a change that had made it harder for sites to access third-party cookies, citing concerns that sites were able to perform essential functions during the pandemic — though this was resumed in July. But it’s fair to say that the adtech giant remains the laggard when it comes to executing on its claimed plan to beef up privacy.
Given Chrome’s marketshare, that leaves most of the world’s web users exposed to more tracking than they otherwise would be by using a different, more privacy-pro-active browser.
And as Mozilla’s latest anti-cookie tracking feature shows the race to outwit adtech’s allergy to privacy (and consent) also isn’t the sort that has a finish line. So being slow to do privacy protection arguably isn’t very different to not offering much privacy protection at all.
To wit: One worrying development — on the non-cookie based tracking front — is detailed in this new paper by a group of privacy researchers who conducted an analysis of CNAME tracking (aka a DNS-based anti-tracking evasion technique) and found that use of the sneaky anti-tracking evasion method had grown by around a fifth in just under two years.
The technique has been raising mainstream concerns about ‘unblockable’ web tracking since around 2019 — when developers spotted the technique being used in the wild by a French newspaper website. Since then use has been rising, per the research.
In a nutshell the CNAME tracking technique cloaks the tracker by injecting it into the first-party context of the visited website — via the content being embedded through a subdomain of the site which is actually an alias for the tracker domain.
“This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record,” writes one of the paper authors, privacy and security researcher Lukasz Olejnik, in a blog post about the research. “The tracker technically is hosted in a subdomain of the visited website.
“Employment of such a scheme has certain consequences. It kind of fools the fundamental web security and privacy protections — to think that the user is wilfully browsing the tracker website. When a web browser sees such a scheme, some security and privacy protections are relaxed.”
Don’t be fooled by the use of the word ‘relaxed’ — as Olejnik goes on to emphasize that the CNAME tracking technique has “substantial implications for web security and privacy”. Such as browsers being tricked into treating a tracker as legitimate first-party content of the visited website (which, in turn, unlocks “many benefits”, such as access to first-party cookies — which can then be sent on to remote, third-party servers controlled by the trackers so the surveilling entity can have its wicked way with the personal data).
So the risk is that a chunk of the clever engineering work being done to protect privacy by blocking trackers can be sidelined by getting under the anti-trackers’ radar.
The researchers found one (infamous) tracker provider, Criteo, reverting its tracking scripts to the custom CNAME cloak scheme when it detected the Safari web browser in use — as, presumably, a way to circumvent Apple’s ITP.
There are further concerns over CNAME tracking too: The paper details how, as a consequence of current web architecture, the scheme “unlocks a way for broad cookie leaks”, as Olejnik puts it — explaining how the upshot of the technique being deployed can be “many unrelated, legitimate cookies” being sent to the tracker subdomain.
Olejnik documented this concern in a study back in 2014 — but he writes that the problem has now exploded: “As the tip of the iceberg, we found broad data leaks on 7,377 websites. Some data leaks happen on almost every website using the CNAME scheme (analytics cookies commonly leak). This suggests that this scheme is actively dangerous. It is harmful to web security and privacy.”
The researchers found cookies leaking on 95% of the studied websites.
They also report finding leaks of cookies set by other third-party scripts, suggesting leaked cookies would in those instances allow the CNAME tracker to track users across websites.
In some instances they found that leaked information contained private or sensitive information — such as a user’s full name, location, email address and (in an additional security concern) authentication cookie.
The paper goes on to raise a number of web security concerns, such as when CNAME trackers are served over HTTP not HTTPS, which they found happened often, and could facilitate man-in-the-middle attacks.
Defending against the CNAME cloaking scheme will require some major browsers to adopt new tricks, per the researchers — who note that while Firefox (global marketshare circa 4%) does offer a defence against the technique Chrome does not.
Engineers on the WebKit engine that underpins Apple’s Safari browser have also been working on making enhancements to ITP aimed at counteracting CNAME tracking.
The Brave browser also announced changes last fall aimed at combating CNAME cloaking.
“In version 1.25.0, uBlock Origin gained the ability to detect and block CNAME-cloaked requests using Mozilla’s terrific browser.dns API. However, this solution only works in Firefox, as Chromium does not provide the browser.dns API. To some extent, these requests can be blocked using custom DNS servers. However, no browsers have shipped with CNAME-based adblocking protection capabilities available and on by default,” it wrote.
“In Brave 1.17, Brave Shields will now recursively check the canonical name records for any network request that isn’t otherwise blocked using an embedded DNS resolver. If the request has a CNAME record, and the same request under the canonical domain would be blocked, then the request is blocked. This solution is on by default, bringing enhanced privacy protections to millions of users.”
But the browser with the largest marketshare, Chrome, has work to do, per the researchers, who write:
Because Chrome does not support a DNS resolution API for extensions, the [uBlock version 1.25 under Firefox] defense could not be applied to this browser. Consequently, we find that four of the CNAME-based trackers (Oracle Eloqua, Eulerian, Criteo, and Keyade) are blocked by uBlock Origin on Firefox but not on the Chrome version.
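The check Brave describes above (follow a request's CNAME records and block it if the canonical name would be blocked), as an added JavaScript example that is not code from Brave, uBlock Origin or the paper. The hostnames, DNS records and blocklist are constructed, `sampleLookup` stands in for a real resolver, and the blocklist is simplified to domain matching rather than full filter rules.

```javascript
// Constructed DNS data: hostname -> CNAME target. All names are made up.
const SAMPLE_CNAMES = new Map([
  ['metrics.news.example', 'news.tracker-cdn.example'],
  ['news.tracker-cdn.example', 'edge7.collector.example'],
  ['static.news.example', 'news.cdn-provider.example'],
  ['loop-a.news.example', 'loop-b.news.example'],
  ['loop-b.news.example', 'loop-a.news.example'],
]);

// Constructed blocklist: each entry covers the domain and all its subdomains.
const SAMPLE_BLOCKLIST = new Set(['collector.example']);

// Stand-in for a DNS query; a real extension or browser would ask a resolver.
const sampleLookup = (host) => SAMPLE_CNAMES.get(host) || null;

function normalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// True if host equals a listed domain or is a subdomain of one.
function isListed(host, blocklist) {
  const labels = normalize(host).split('.');
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Follow the CNAME chain; stop on a loop or after maxDepth hops.
function resolveChain(host, lookupCname, maxDepth = 8) {
  const chain = [normalize(host)];
  const seen = new Set(chain);
  for (let hops = 0; hops < maxDepth; hops++) {
    const next = lookupCname(chain[chain.length - 1]);
    if (!next) return { chain, complete: true };
    const target = normalize(next);
    if (seen.has(target)) return { chain, complete: false }; // CNAME loop
    seen.add(target);
    chain.push(target);
  }
  return { chain, complete: false }; // gave up after maxDepth hops
}

// Block if the requested host is listed, or if any name it aliases to is listed.
function checkRequest(url, blocklist, lookupCname) {
  const host = new URL(url).hostname;
  if (isListed(host, blocklist)) {
    return { action: 'block', reason: 'listed', matched: normalize(host) };
  }
  const { chain, complete } = resolveChain(host, lookupCname);
  const cloaked = chain.slice(1).find((name) => isListed(name, blocklist));
  if (cloaked) {
    return { action: 'block', reason: 'cname-cloaked', matched: cloaked, chain };
  }
  return { action: 'allow', reason: complete ? 'clean' : 'chain-unresolved', chain };
}

for (const url of [
  'https://metrics.news.example/t.js', // first-party name, tracker behind it
  'https://static.news.example/app.js', // CNAME to an unlisted CDN
  'https://loop-a.news.example/x', // misconfigured CNAME loop
]) {
  const r = checkRequest(url, SAMPLE_BLOCKLIST, sampleLookup);
  console.log(url, '->', r.action, `(${r.reason})`);
}
```

A hostname-only blocker would allow the first URL because `metrics.news.example` looks first-party; only the resolved chain reveals the listed domain.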
Rust, the programming language — not the survival game, now has a new home: the Rust Foundation. AWS, Huawei, Google, Microsoft and Mozilla banded together to launch this new foundation today and put a two-year commitment to a million-dollar budget behind it. This budget will allow the project to “develop services, programs, and events that will support the Rust project maintainers in building the best possible Rust.”
A large open-source project often needs some kind of guidance and the new foundation will provide this — and it takes a legal entity to manage various aspects of the community, including the trademark, for example. The new Rust board will feature 5 board directors from the 5 founding members, as well as 5 directors from project leadership.
“Mozilla incubated Rust to build a better Firefox and contribute to a better Internet,” writes Bobby Holley, Mozilla and Rust Foundation Board member, in a statement. “In its new home with the Rust Foundation, Rust will have the room to grow into its own success, while continuing to amplify some of the core values that Mozilla shares with the Rust community.”
All of the corporate sponsors have a vested interest in Rust and are using it to build (and re-build) core aspects of some of their stacks. Google recently said that it will fund a Rust-based project that aims to make the Apache webserver safer, for example, while Microsoft recently formed a Rust team, too, and is using the language to rewrite some core Windows APIs. AWS recently launched Bottlerocket, a new Linux distribution for containers that, for example, features a build system that was largely written in Rust.
The internet is not a private place. Ads try to learn as much about you to sell your information to the highest bidder. Emails know when you open them and which links you click. And some of the biggest internet snoops, like Facebook and Amazon, follow you from site to site as you browse the web.
But it doesn’t have to be like that. We’ve tried and tested six browser extensions that will immediately improve your privacy online by blocking most of the invisible ads and trackers.
These extensions won’t block every kind of snooping, but they will vastly reduce your exposure to most of the efforts to track your internet activity. You might not care that advertisers collect your data to learn your tastes and interests to serve you targeted ads. But you might care that these ad giants can see which medical conditions you’re looking up and what private purchases you’re making.
By blocking these hidden trackers from loading, websites can’t collect as much information about you. Plus by dropping the unnecessary bulk, some websites will load faster. The tradeoff is that some websites might not load properly or refuse to let you in if you don’t let them track you. You can toggle the extensions on and off as needed, or you could ask yourself if the website was that good to begin with and could you not just find what you were looking for somewhere else?
We’re pretty much hardwired to look for that little green lock in our browser to tell us a website was loaded over an HTTPS-encrypted connection. That means the websites you open haven’t been hijacked or modified by an attacker before it loaded and that anything you submit to that website can’t be seen by anyone other than the website. HTTPS Everywhere is a browser extension made by the non-profit internet group the Electronic Frontier Foundation that automatically loads websites over HTTPS where it’s offered, and allows you to block the minority of websites that don’t support HTTPS. The extension is supported by most browsers, including Chrome, Firefox, Edge, and Opera.
Another extension developed by the EFF, Privacy Badger is one of the best all-in-one extensions for blocking invisible third-party trackers on websites. This extension looks at all the components of a web page and learns which ones track you from website to website, and then blocks them from loading in the browser. Privacy Badger also learns as you travel the web, so it gets better over time. And it requires no effort or configuration to work, just install it and leave it to it. The extension is available on most major browsers.
Ads are what keeps the internet free, but often at the expense of your personal information. Ads try to learn as much about you — usually by watching your browsing activity and following you across the web — so that they can target you with ads you’re more likely to click on. Ad blockers stop them in their tracks by blocking ads from loading, but also the tracking code that comes with it.
uBlock Origin is a lightweight, simple but effective, and widely trusted ad blocker used by millions of people, but it also has a ton of granularity and customizability for the more advanced user. (Be careful with impersonators: there are plenty of ad blockers that aren’t as trusted that use a similar name.) And if you feel bad about the sites that rely on ads for revenue (including us!), consider a subscription to the site instead. After all, a free web that relies on ad tracking to make money is what got us into this privacy nightmare to begin with.
PixelBlock & ClearURLs
If you thought hidden trackers in websites were bad, wait until you learn about what’s lurking in your emails. Most emails from brand names come with tiny, often invisible pixels that alert the sender when you’ve opened them. PixelBlock is a simple extension for Chrome browsers that simply blocks these hidden email open trackers from loading and working. Every time it detects a tracker, it displays a small red eye in your inbox so you know.
Most of these same emails also come with tracking links that alert the sender which links you click. ClearURLs, available for Chrome, Firefox and Edge, sits in your browser and silently removes the tracking junk from every link in your browser and your inbox. That means ClearURLs needs more access to your browser’s data than most of these extensions, but its makers explain why in the documentation.
Firefox Multi-Account Containers
And an honorary mention for Firefox users, who can take advantage of Multi-Account Containers, built by the browser maker itself to help you isolate your browsing activity. That means you can have one container full of your work tabs in your browser, and another container with all of your personal tabs, saving you from having to use multiple browsers. Containers also keep your private personal browsing separate from your work browsing activity. It also means you can put sites like Facebook or Google in a container, making it far more difficult for them to see which websites you visit and understand your tastes and interests. Containers are easy to use and customizable.
Firefox version 85 will be released in January 2021, and one of its features is increased user privacy via improvements in client-side storage (cache) partitioning. This has been widely and incorrectly reported elsewhere as network partitioning, likely due to confusion around the privacy.partition.network_state flag in Firefox, which allows advanced users to enable or disable cache partitioning as desired.
What is cache partitioning—and why might I want it?
In a nutshell, cache partitioning is the process of keeping separate cache pools for separate websites, based on the site requesting the resources loaded, rather than simply on the site providing the resources.
With a traditional, globally scoped browser cache, you might see behavior like this:
Firefox Send launched in March 2019. At the time, Mozilla described it as a file-sharing tool with a focus on privacy. That privacy is also what is now doing it in. When it paused the service earlier this year, the company said it was investigating reports of abuse, especially from malware groups. At the time, Mozilla said it was looking into how it could improve its abuse reporting capabilities and that it would add a requirement that users have a Firefox Account.
But instead of relaunching it, the organization decided to shutter the service instead.
“Firefox Send was a promising tool for encrypted file sharing,” the organization writes in today’s update. “Send garnered good reach, a loyal audience and real signs of value throughout its life. Unfortunately, some abusive users were beginning to use Send to distribute malware and as part of spear phishing attacks. This summer we took Firefox Send offline to address this challenge. In the intervening period, as we weighed the cost of our overall portfolio and strategic focus, we made the decision not to relaunch the service.”
Mozilla says that Firefox Notes was initially meant to be an experiment for testing new ways to sync encrypted data. “Having served that purpose, we kept the product as a little utility tool for Firefox and Android users,” Mozilla says, but it is now decommissioning it and shutting it down completely in early November.
It’s hard not to look at today’s announcement in the context of the overall challenges that Mozilla is going through. If the organization were in a better financial position — and hadn’t laid off around 25% of its staff this year — it may have kept Notes alive and maybe tried to rework Send. Now, however, it has fewer options to experiment, especially with free services, as it tries to refocus on Firefox and a few other core projects.
Mozilla Corporation is laying off 250 people, about a quarter of its workforce, explaining that the COVID-19 pandemic has significantly lowered revenue. Mozilla previously had about 1,000 employees.
The Firefox maker’s CEO, Mitchell Baker, announced the job cuts yesterday, writing that “economic conditions resulting from the global pandemic have significantly impacted our revenue. As a result, our pre-COVID plan was no longer workable.”
In a memo sent to employees, Baker said the 250 job cuts include “closing our current operations in Taipei, Taiwan.” The layoffs will reduce Mozilla’s workforce in the United States, Canada, Europe, Australia, and New Zealand. Another 60 people will be reassigned to different teams.
Mozilla today announced a major restructuring of its commercial arm, the Mozilla Corporation that will see about 250 employees lose their jobs and the shuttering of the organization’s operations in Taipei, Taiwan. This move comes after the organization already laid off about 70 employees earlier this year. The most recent numbers from 2018 put Mozilla at about 1,000 employees worldwide.
“Pre-COVID, our plan for 2020 was a year of change: building a better internet by accelerating product value in Firefox, increasing innovation, and adjusting our finances to ensure financial stability over the long term,” Baker writes. “We started with immediate cost-saving measures such as pausing our hiring, reducing our wellness stipend and cancelling our All-Hands. But COVID-19 has accelerated the need and magnified the depth for these changes. Our pre-COVID plan is no longer workable. We have talked about the need for change — including the likelihood of layoffs — since the spring. Today these changes become real.”
Laid-off employees will receive severance that is at least equivalent to their full base pay through December 31 and will still receive their individual performance bonuses for the first half of the year, as well as part of their company bonus and the standard COBRA health insurance benefits.
Mozilla promises that its smaller organization will be able to act more “quickly and nimbly” and that it will work more closely with partners that share its goal of an open web ecosystem. At the same time, Baker wants Mozilla to remain a “technical powerhouse of the internet activist movement,” yet she also acknowledges that the organization as a whole must also focus on economics and work on creating sustainable business models that still stay true to its mission.
“We are also restructuring to put a crisper focus on new product development and go to market activities,” writes Baker. “In the long run, I am confident that the new organizational structure will serve our product and market impact goals well, but we will talk in detail about this in a bit.”
On the product side, Mozilla will continue to focus on Firefox, as well as Pocket, its Hubs virtual reality project, its new VPN service, Web Assembly and other privacy and security products. But it is also launching a new Design and UX team, as well as a new applied machine learning team to help bring machine learning to its products.
Comcast is partnering with Mozilla to deploy encrypted DNS lookups on the Firefox browser, the companies announced today. Comcast’s version of DNS over HTTPS (DoH) will be turned on by default for Firefox users on Comcast’s broadband network, but people will be able to switch to other options like Cloudflare and NextDNS. No availability date was announced.
Comcast is the first ISP to join Firefox’s Trusted Recursive Resolver (TRR) program, Mozilla said in today’s announcement. Cloudflare and NextDNS were already in Mozilla’s program, which requires encrypted-DNS providers to meet privacy and transparency criteria and pledge not to block or filter domains by default “unless specifically required by law in the jurisdiction in which the resolver operates.”
“Adding ISPs in the TRR program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results,” the announcement said. “Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user.”
The highlight of today’s release is the enhanced password manager. Firefox Lockwise, as it is called these days, will now ask you for your device password when you try to copy and paste credentials from your “Logins and Passwords” page in the browser. After you’ve confirmed your device password, you can see and copy your credentials for five minutes. This should make it a bit harder for others to access password-protected sites on your machine, especially if you’re on a computer you regularly share with others.
Also new to Lockwise are alerts for vulnerable passwords that are identical to those that have been stolen in a known breach (but you would never reuse a password, right?), as well as warnings when a website you use has been breached and your logins and passwords were likely stolen.
In addition, Lockwise’s password generator now works with more sites and will help you find 12 random letters, numbers and symbols for you to use as your password.
With version 76, Firefox now also includes an improved picture-in-picture mode for video sites like YouTube. With this, you can keep watching a video in the corner of your screen while you continue with other tasks (though you can’t browse away from YouTube, for example, while you’re watching in the pop-out window). I wish I could have more control over the size of that picture-in-picture window because it’s pretty large, but that’s just how it is for now. New in version 76 is the ability to double-click on the popped out video to make it fullscreen. A small but welcome new feature.
Update: we clarified that PiP mode itself is not new. Only the double-click to fullscreen is.
If you’re an avid Zoom user, you’ll be happy to hear that Firefox has now made a few changes that allow you to use it in Firefox without the need for any additional downloads, and WebRender, which uses the GPU to render websites faster, is now enabled on even more machines.
Vivaldi, the browser launched by former Opera CEO Jon von Tetzchner, has long positioned itself as a highly customizable alternative to Chrome and Firefox for power users. Today, the team is launching version 3.0 of its desktop browser, with built-in tracker and ad blockers, and it’s bringing its Android browser out of beta.
I’ve long been a fan of Vivaldi, but the company was relatively late to the tracking protection game. Now, it’s doubling down on this, by integrating a blocklist powered by DuckDuckGo’s Tracker Radar.
Like competing browsers, Vivaldi offers three blocking levels that users can easily toggle on and off for individual websites. Those blocking levels are relatively blunt, though, with the options to either block trackers, block trackers and ads or disable blocking. Competitors like Edge offer slightly more nuanced options for blocking trackers, though I would expect Vivaldi to adopt a similar scheme over time.
For the most part, the Vivaldi team always said that it would delegate ad blocking to extensions, though it added the option to block highly intrusive ads in the middle of last year. And while the company still notes that blocking trackers provides enough privacy protection, with today’s update, it now also gives users the option to block virtually all ads without the need to download any extensions (as a Chromium-based browser, Vivaldi supports all Chrome extensions).
Also new in the desktop version is a clock. Yes. A clock. That may sound like a weird feature, given that your desktop of choice surely features a clock, but like all things Vivaldi, you can a) remove it and b) there is actually some usefulness here as you can, for example, set up timers if you’re into Pomodoro or similar productivity techniques. And because it is Vivaldi, you can set all kinds of custom alarms and countdown timers, too.
As for the mobile version, which is now generally available for Android 5 and higher, the most important fact is probably that it exists, given how most users expect to be able to easily sync their bookmarks, passwords and browsing history between mobile and desktop. As with other browsers, you can choose what you want to sync.
Like the desktop version, Vivaldi for Android now also features a tracking and ad blocker. There’s also a built-in screenshot tool and support for Vivaldi notes, which also sync between devices.
The mobile browser isn’t quite as flexible as the desktop version, with its plethora of options, but that’s probably not what you’re looking for in a mobile browser anyway. But having a stable mobile browser that can accompany the desktop version is a big deal for Vivaldi and may give users who were on the sidelines a reason to take another look at it.
Out of the box, there’s no other browser that will give you the kind of flexibility Vivaldi does.
The new address and search bar in Firefox 75. [credit: Samuel Axon]
Today, Mozilla rolled out Firefox 75, its latest update for the open source Web browser. The big change is a redesign of the address bar, which comes with some tweaks to how searches work when you’re using it.
When you begin using the new search field, you’ll notice that it looks a little different; it’s larger, and it has a larger font to match.
The drop-down that appears when you click in the search bar will show you multiple options for where to search, like Google or Amazon. That same view will show additional keyword suggestions as you type, with the goal being exposing “additional popular keywords that you might not have thought of to narrow your search even further,” according to the blog post announcing the redesign.