Americas

  • United States

Asia

gregg keizer
Senior Reporter

What’s in the latest Firefox update? 93 improves SmartBlock, debuts sponsored search suggestions

news analysis
Oct 07, 2021116 mins
BrowsersFirefoxMozilla

Firefox version 93 blocks downloads over insecure connections, boosts the browser's anti-tracking prowess and introduces Firefox Suggest.

Mozilla this week updated Firefox to version 93, which now blocks downloads over insecure connections, improves the browser’s anti-tracking prowess and introduces Firefox Suggest, the newest way the company will try to earn revenue.

The organization’s security engineers also patched seven vulnerabilities, four marked “High,” Firefox’s second-most-serious label. The majority of those vulnerabilities were in the “memory safety bugs” bucket, a category that covers a wide swath of memory corruption and memory leak flaws.

Firefox 93 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only launch (or relaunch) the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

Mozilla last upgraded Firefox four weeks ago, on Sept. 7.

Iffy downloads blocked

Starting with Firefox 93, the browser will block, at least temporarily, any download attempts over an insecure connection — one using the now-outdated HTTP protocol — even if those downloads are requested from a page secured with HTTPS. (Downloads are often transmitted from different servers or Internet locations than the page where they’re listed.)

When Firefox recognizes an insecure download starting, it will pause the data transmission and put a message on the screen to alert the user, who can continue the download or delete the file, partial though it might be.

Firefox is playing catch-up here, as Google’s Chrome has had similar protections in place since early 2020, when the browser began automatically blocking the most dangerous file types attempting to download over insecure connections. That blocking was staged over several Chrome versions, but was finalized this year. And unlike Firefox’s new feature, Chrome’s does not allow a user the option to continue such downloads, a safer, if less convenient, approach.

Crippled pages restored by SmartBlock

Firefox 93 also features an enhanced SmartBlock, the tracker-blocking-page-fixing technology that debuted in March (with Firefox 87). Pegged as SmartBlock 3.0, the revision improved support for replacing Google Analytics scripts, Mozilla said, and added support for other bits, including Amazon TAM (Transparent Ad Marketplace).

Because SmartBlock replaces page components that have been identified as trackers with “local, privacy-preserving alternatives” so that the page continues to function — page breakage is the most common side effect of blocking trackers — the more potential or actual blockers it supports, the less likelihood that the page won’t load or operate correctly.

SmartBlock 3.0, like its predecessor, is enabled when the user opens a Private Browsing window or has set Enhanced Tracking Protection to the Strict level.

Mozilla also closed a loophole that some sites exploited to conspire with trackers to avoid privacy protections Firefox established in version 87 that trimmed referring URLs so revealing information couldn’t be sent to the destination site. According to Mozilla, the loophole “remains a major privacy issue.”

Mozilla’s on another money-making expedition

Firefox 93 also debuted a feature Mozilla labeled as “Firefox Suggest,” which was enabled “for a limited number of users in the U.S. only,” according to the company.

Firefox Suggest adds additional links to the suggestions provided by search engines when the user starts typing in the browser’s address bar. Although many of the suggestion categories are standard stuff — gleaned from bookmarks and open tabs, for instance — others will raise eyebrows, including contextual suggestions provided, at least in part, by Mozilla partners. (The partners, so far, include Wikipedia and an outfit called adMarketplace.) Some of those suggestions — Mozilla didn’t say what percentage exactly, or even generally — will be “sponsored,” in that clicking on them will generate money for Mozilla.

(Mozilla’s revenue is derived almost entirely from contracts it makes with search engine makers, notably Google, which pay Mozilla for putting their engine as the Firefox default. For years the company has struggled to diversify how it generates revenue, typically unsuccessfully.)

It’s unclear how much revenue Mozilla will make from these suggestions or what criteria Mozilla and/or the adMarketplace partner will use to select a sponsored suggestion. (Some additional information on Firefox Suggest is available here.) Users can, however, disable the sponsored suggestions, as well as the entire contextual suggestion category, from the Settings pane.

The next version, Firefox 94, will be released Nov 2.

Mozilla on Tuesday refreshed Firefox to version 91, enhancing its cookie-clearing to more thoroughly scrub the browser of trackers, and beginning to make the HTTPS-only setting the default, starting with Private Windows.

The organization’s security engineers also patched 11 vulnerabilities, eight tagged as “High,” Firefox’s second-most-serious label. Two of the flaws were found only in the Linux edition of the browser, while another existed in the Android version only.

Firefox 91 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

Mozilla last upgraded Firefox four weeks ago, on July 13.

Clears third-party cookies

Firefox 91 boosts the browser’s cookie-scrubbing capabilities by enabling what Mozilla called “Enhanced Cookie Clearing” when the user has set the browser’s tracking protection to the “Strict” level.

Simply put, rather than clear only the cookies for a specific domain — say, computerworld.com — Enhanced Cookie Clearing dumps not only the cookies and trackers used by that domain but also all cookie-based trackers that may have appeared on that page from other domains. (Trackers can be appended to all kinds of third-party page components, from photos to Facebook or Google sign-ins.)

“Embedded third-party resources complicate data clearing,” contended a trio of Mozilla employees in a post to the firm’s security blog. Before Enhanced Cookie Clearing, Firefox cleared data only for the domain specified by the user. If you were to clear storage for comfypants.com, Firefox deleted the storage of comfypants.com and left the storage of any sites embedded on it (facebook.com) behind. Keeping the embedded storage of facebook.com meant that it could identify and track you again the next time you visited comfypants.com.

Users must set “Enhanced Tracking Protection” to “Strict” in Firefox’s Settings pane to enable more complete cookie clearing. Any command to delete cookies — for instance, by clicking on the lock icon in the address bar and selecting “Clear cookies and site data…” — will then scrub the browser of third-party cookies, as well as those created by the active website.

HTTPS by default debuts

Firefox, like other browsers, has had HTTPS-first features in place for some time. (Firefox 83, which launched in November 2020, offered HTTPS-first as an option.)

With Firefox 91, Mozilla enabled a HTTPS by default setting for Private Window, the browser’s privacy-specific mode during which the browser doesn’t store cookies and browsing history.

Mozilla claimed that the new feature is a “major improvement in the way the browser handles insecure web page addresses.”

“Whenever you enter an insecure (HTTP) URL in Firefox’s address bar, or you click on an insecure link on a web page, Firefox will now first try to establish a secure, encrypted HTTPS connection to the website,” four Mozilla workers wrote in the post to the organization’s security blog. “In the cases where the website does not support HTTPS, Firefox will automatically fall back and establish a connection using the legacy HTTP protocol instead.”

Although the feature only applies to Privacy Window sessions as of Firefox 91, Mozilla said it would expand the functionality. “We expect that HTTPS by Default will expand beyond Private Windows in the coming months,” the four said without getting specific.

Firefox HTTPS by default Mozilla

Mozilla’s schematic shows how Firefox 91 deals with HTTP connections in a Private Window. The browser’s been able to do this since late last year, but now it’s on by default.

Google is on the same case; it plans to launch a HTTPS-first feature with Chrome 94, currently slated to release Sept. 21. In Chrome, the feature will be optional to start, but Google said it might make the setting “the default for all users in the future.”

Windows single-sign on

Elsewhere in Firefox 91, a new group policy — WindowsSSO — can be set by IT to let the browser retrieve credentials stored by Windows to log onto Microsoft accounts for accessing properties such as online Outlook and the Office 365 portal.

This single-sign on feature can also be enabled from the browser’s Settings pane on Windows. More information about that can be found here.

The next version, Firefox 92, will be released Sept. 7.

Firefox 90

Mozilla on Tuesday bumped Firefox to version 90, launching an enhanced version of its anti-tracking technology that allows exceptions for logging in to sites with the user’s Facebook credentials.

The outfit’s engineers also patched nine vulnerabilities, five tagged as “High,” Firefox’s second-most-serious label. Two of the nine were found only in the Android edition of the browser, but none were marked “Critical,” the most dire flaw category.

Firefox 90 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

(Note: Firefox’s new background update process, which Mozilla showcased in April, has been enabled in version 90 — but only on Windows. As is usual, only a subset of users will have this feature switched on to start.)

Unblocks Facebook log-ins

For June’s jump to version 89, Mozilla delivered an extensively-tweaked user interface (UI) previously known by the code name “Proton.” Mozilla touted the changes as a significant look and feel overhaul, and said it was “designed to win you back” to the open-source browser, which has continued to slump in popularity.

Not surprisingly after a major effort upgrade, the follow-up, Firefox 90, was relatively sparse on new and shiny features meant to tempt users to abandon rivals.

One of the big-ticket items in Firefox 90 — as measured by Mozilla’s own publicity efforts — was a rather minor enhancement of the browser’s anti-tracking defenses. Previously, anti-tracking automatically blocked log-in scripts — those triggered when a user clicks on, say, “Google” or “Facebook” options to register or sign-in to a site.

In Firefox 90, anti-tracking — dubbed SmartBlock — “reacts by quickly unblocking the Facebook login script just in time for the sign-in to proceed smoothly,” according to Thomas Wisniewski and Arthur Edelstein, web compatibility engineer and senior product manager for privacy and security, respectively. In other words, the usual block is temporarily lifted long enough for authentication, at which point the block resumes so that a user is protected while navigating to other websites.

The new behavior occurs when users are within a Private Window.

It seems odd that Mozilla, which prides itself on its privacy stance, and more specifically, with blocking trackers, has decided to initiate the feature with Facebook, whose privacy and tracking reputations are, to put it kindly, lamentable.

Background updates, but only for Windows

Background updates, which Mozilla broached in April, finally arrived in Firefox 90 for Windows users.

Prior to version 90, Firefox updated itself only when the browser was running. Much like rivals, including Chrome and Edge, Firefox looked for pending updates and upgrades when it was launched, then downloaded them in the background. However, the update or upgrade was not actually installed until the browser was restarted. Thus, users who left Firefox open indefinitely or spent weeks between system reboots might well be running an insecure version, even though a patched edition was available and already on their machine.

As of Firefox 90 on Windows, the browser will check for updates every seven hours when it’s not in use.

Mozilla will, as it typically does, roll out this feature in stages, so not everyone will notice it immediately. Users can, however, enable the feature through the about:config pane. Instructions for doing so can be found here.

Not our fault!

Elsewhere in Firefox 90, Mozilla added a diagnostic tool to the Windows version that users can reach by typing about:third-party in the address bar and pressing Enter or Return.

Some software, Mozilla said, load code into browsers, Firefox included. “Sometimes, these applications load harmful modules that cause Firefox crashes, reduced performance, or compatibility issues,” Mozilla contended.

Mozilla seemed most interested in users not blaming Firefox for problems actually caused by these freeloading modules. “You may not notice that a malicious or unexpected module has been loaded and it may cause problems that appear to be Firefox issues,” Mozilla added.

The next version, Firefox 91, will be released Aug 10.

Firefox 89

Mozilla on Tuesday upgraded Firefox to version 89, debuting a new look that the company said is “designed to win you back” to the open-source browser.

The organization’s engineers also patched nine vulnerabilities, two of those labeled “High,” Firefox’s second-most-serious label. Three of the nine were found only in the Android edition of the browser, while another was only in the Windows edition’s code. None were marked “Critical,” the most dire flaw category.

Firefox 89 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

(Note: Firefox’s new background update process, which Mozilla outlined in mid-April and was slated to appear in version 89, has not been enabled in the Stable build issued June 1. At this point, it looks like the change is now slated for Firefox 90.)

Hello, Proton

The big news of Firefox 89 is the new look, a seriously-tweaked user interface (UI) that had gone by the code name of “Proton.” Mozilla touted it as a significant overhaul of the browser’s “face” that users see when they fire up the application.

“We’ve redesigned and modernized the core experience to be cleaner, more inviting, and easier to use,” Mozilla said in 89’s release notes. In a much more detailed explainer on Proton’s changes, M.J. Kelly, a member of Mozilla’s marketing team, said that the refit is the result of studying “how people interact with the browser,” listening to feedback and collecting “ideas from regular people who just want to have an easier experience on the web.”

The most noticeable difference in the Proton UI is the tab bar, where open tabs are displayed. Mozilla went with a “floating” tab bar that is visually disconnected from the rendered page by virtue of two changes: First, the tab bar has moved to atop the browser frame so that the address bar intervenes, and second, there are no visual separators — say, a vertical line — to mark where one tab ends and another begins. Only when a tab is active — it’s been selected by the user — does it pop from the background of the tab bar. The result is a significant departure from traditional browser-tab UIs, such as seen in Google’s Chrome or even Apple’s Safari. (Only Microsoft’s Edge, which relies on a vertical display of tabs at the left side of the browser frame, is as much of a deviation from the usual.)

Firefox 89 UI Mozilla

Firefox 89’s tabs “float” — they’re not connected visually to the content rendered — but the active tab does stand out from the rest.

Some commentators have panned the new tab UI in Firefox; there’s no doubt it will jar many. But once accepted — and that may be instantaneous for some — it seems, “feels” if you wish, more streamlined, more up-to-date, more logical even.

Mozilla also toned down the address field-containing toolbar by getting rid of some of the accumulated-over-years clutter; rearranged and condensed some menus, including the three-horizontal-line main menu at the far right; and removed some notifications and reduced the on-screen size of others, this last in the hope of “less jarring interruptions.”

The other substantial change to Firefox 89 was more of setting a default than creating something from whole cloth. “The popular Total Cookie Protection moves from the optional strict setting to always-on in private browsing,” wrote Mozilla’s Kelly in her June 1 post.

Total Cookie Protection, which Mozilla rolled out in February as part of Firefox 86, confines cookies to the site where they were created, preventing tracking companies from using these cookies to follow a user’s browsing footprints from one site to another, then on to yet others. The anti-tracking technology was available from Firefox 86 on, but only when users set the browser’s Enhanced Tracking Protection (ETP) to the “Strict” option. (ETP is the umbrella label for all of Firefox’s protections.)

With Firefox 89, Mozilla has extended Total Cookie Protection by default to all Private Browsing windows, the don’t-record-browsing-history mode manually-triggered from the main menu (select “New Private Window”).

Mozilla was proud, not necessarily of the one-off of adding Total Cookie Protection, but of all that its privacy mode nullified. “With the addition of Total Cookie Protection, Firefox’s Private Browsing windows have the most advanced privacy protections of any major browser’s private browsing mode,” Arthur Edelstein, senior product manager for Firefox privacy and security, said in a Tuesday post to Mozilla’s security blog.

Elsewhere in the browser, the “Take Screenshot” feature has been added to contextual menus — the ones that appear after right-clicking the mouse or touchpad — for easier access. Take Screenshot can also be added to the toolbar as an icon.

Shane, come back!

Mozilla couldn’t have put it plainer: Firefox 89 was redesigned in the hope of coaxing deserters to return to the browser.

“We’re always excited when a new Firefox launches, and when it comes to this major redesign, we’re even more stoked for you to experience it,” she wrote. “If you left Firefox behind at some point, this modern approach … is designed to win you back and make it your go-to browser.”

Firefox could use a boost.

The browser’s share of the overall market, as measured by U.S. analytics firm Net Applications, has continued to fall. (Although Net Applications announced last year that it was halting its measurements of browser and operating system activity, it has continued to publish data.) At the end of May, Firefox’s share was 6.3%, down a full percentage point from the same time the year before. If that trend continues, Firefox may slip into the 5% range as early as August.

Firefox’s decline in browser share has been Mozilla’s most troublesome problems for years now. Other attempts to reverse the trend, including the 2017 renovation issued as Firefox 57 and dubbed “Quantum,” have failed to arrest the slide in share. Mozilla had been bullish over Quantum — and its then-new Photon UI — as well, with one executive saying, “It’s by far the biggest update we’ve had since we launched Firefox 1.0 in 2004, it’s just flat out better in every way.”

At that point — November 2017 — Firefox’s usage share was 11.4%, only slightly less than twice what it was at the end of May 2021.

The next version of Mozilla’s browser, Firefox 90, will be released June 29.

Firefox 88

Mozilla this week refreshed Firefox by releasing version 88, adding yet another anti-tracking defense, this one set up to stymie abuses of the JavaScript variable window.name.

The company’s developers also patched 13 vulnerabilities, five of them labeled “High,” Firefox’s second-most-serious label. “We presume that with enough effort this could have been exploited to run arbitrary code,” Mozilla noted in three of the five. None were marked “Critical.”

Firefox 88 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

Mozilla upgrades Firefox every four weeks; the last refresh was on March 23.

Leakage around the window.name

Easily the most notable change in Firefox 88 was this one, which Mozilla characterized as “a new protection against privacy leaks” designed so that “trackers are no longer able to abuse the window.name property to track users across websites.”

The window.name JavaScript variable can store any data the site desires, and because it has largely been exempt to browsers’ policies designed to block sites from sharing data, they have been abused by advertisers to track users’ movements around the web. “Tracking companies … have effectively turned it into a communication channel for transporting data between websites,” Mozilla contended. “Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website.”

Firefox 88 now clears the window.name property when the user navigates from one site to another, effectively blocking the abuse. (The browser also applies a pair of rules that will prevent most site breakage by legitimate application of window.name data sharing.)

With this new pro-privacy technique, Mozilla follows Apple, whose Safari already clears window.name. Chromium (and thus Google’s Chrome and Microsoft’s Edge) has not yet implemented something similar, although the open-source project is working on a solution.

And that’s about all

Other than Mozilla’s window.name clampdown, Firefox 88 can boast of only a handful of changes, all of them minor. (That’s how some updates go when a browser releases every 28 days.)

    Mozilla deleted “Take a Screenshot” from the “Page actions” menu in the address bar (that menu is called up by clicking the three-dot icon near the right end of the bar). Instead, “Take Screenshot” now appears in the right-click context-sensitive menu.
  • “PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features,” Mozilla stated in the Firefox 88 release notes. However, some worry that this support — running JavaScript, notorious for being leveraged by cyber criminals, simply by opening a PDF — is a potential security problem. (Here’s an example of unease, one that also includes instructions for manually disabling Firefox 88’s ability to execute JavaScript within PDFs. Elsewhere, one commenter countered the news of this functionality with the terse, “This is [a] mistake [that] everyone will regret later.”

The next version, Firefox 89, will be released June 1. That’s in six weeks, a departure from Mozilla’s usual four-week release interval. Firefox 89’s successor, version 90, will ship June 29, or four weeks later.

Firefox 87

Mozilla on Tuesday updated Firefox to version 87, adding a new privacy feature designed to automatically fix websites impaired by the browser’s aggressive anti-tracking defenses.

The organization’s security engineers also patched eight vulnerabilities, only two of which were labeled as “High,” Firefox’s second-most-serious label. It was the second version of Firefox without a top-ranked “Critical” bug.

Firefox 87 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the refresh process.

Mozilla upgrades Firefox every four weeks; the last refresh was on Feb. 23.

Stand-in scripts mitigate anti-tracking problems

“SmartBlock” is easily the most significant addition to Firefox 87.

“Introducing a policy that outright blocks trackers on the web inevitably risks blocking components that are essential for some websites to function properly,” Thomas Wisniewski, web compatibility engineer, said in a March 22 post to the Mozilla security blog. “This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all.”

Mozilla has been clear about the trade-offs made when anti-tracking defenses are dialed up to 11: The company has regularly warned users that setting Firefox’s Enhanced Tracking Protection to “Strict,” the most aggressive option, “may cause some websites to not display content or work correctly.”

SmartBlock looks to address this downside by sliding dummy scripts into sites to replace those blocked by the tracking defenses. Those scripts, Wisniewski contended “behave just enough like the original ones to make sure that the website works properly.” The stand-in scripts thus let the previously-broken sites load properly — blocked scripts sometimes make websites pause or slow rendering — and function as they would if they’d not been touched.

These doppelgängers, Wisniewski continued, are bundled with Firefox — they’re not loaded from a third-party source, in other words — and, of course, don’t behave exactly like the barred scripts, in that they certainly don’t track the user from site to site across the web.

SmartBlock will be a multi-edition project for Mozilla, according to Wisniewski. Firefox 87, he said, includes stand-ins for “a number of common scripts classified as trackers on the Disconnect Tracking Protection List,” referring to the source Mozilla uses to identify trackers. Those in version 87 “are just the start” with more to be provided “in upcoming versions of Firefox,” Wisniewski concluded.

The new feature is enabled when the user enters Firefox’s Private Browsing mode and when Enhanced Tracking Protection is set to “Strict.”

Stripping referrers

Also new to Firefox 87, Mozilla switched to a default policy that strips out potential tracking information from the referrer, the location at which the browser was just prior to the current site or page.

Absent instructions, a browser will typically tell the destination server where it was last at, in essence where it came from. Firefox 87 now trims this URL from its full path to the domain only, thus removing a large amount of the granularity trackers might provide, say, advertisers about what a user’s browser last rendered.

“Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience,” said Dimi Lee and Christoph Kerschbaumer, software development engineer and Firefox security infrastructure engineering manager, respectively, in a March 23 post to the Mozilla security blog.

Elsewhere in Firefox 87, Mozilla added tick marks to the scrollbar to denote instances of an executed “Find in This Page” command. The marks, however, are very faint and while not distracting are hard to see at anything close to a glance. Firefox also now supports the macOS native screen reader, VoiceOver.

The next version, Firefox 88, will be released April 20.

Firefox 86

Mozilla last week raised the Firefox version count to 86, adding multiple picture-in-picture video viewing and bolstering the browser’s anti-tracking defenses by isolating all cookies in the sites that create them.

Security engineers also patched 12 vulnerabilities, five of which were pegged as “High,” Firefox’s second-most-serious label.

Firefox 86 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is either up to date or displays the refresh process.

Mozilla upgrades Firefox every four weeks; the last refresh was on Jan. 26.

Picture-in-picture multiplies

Firefox’s picture-in-picture mode debuted early in 2020 in Firefox 72 (some got the feature at the end of 2019, in Firefox 71), letting users deposit a frame on the desktop, video inside, from most — but not all — in-tab videos. The frame could be moved and resized at will, and was independent of the tab.

Firefox 86 offers the same, but in spades: Users can crank out several frames, each showing a different video, each able to be positioned anywhere on the desktop. As long as the originating tab remains open, the video will continue playing.

Applications of this may be tougher to come up with than one might think, but multiple frames would be great for following several networks’ coverage of a major event, say with the audio off on all but one, or for watching — or just keeping track of — several play-off games simultaneously.

Firefox picture in picture Mozilla

Firefox 86 spawns multiple picture-in-picture frames, as long as the originating tabs remain open.

More crackdowns on tracking

The other addition to Firefox 86 that Mozilla trumpeted was what it called “Total Cookie Protection.”

“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” wrote Tim Huang, Johann Hofmann and Arthur Edelstein — senior software engineering, Firefox developer and senior product manager respectively — in a Feb. 23 post to a company blog.


The last upgrade before this — January’s Firefox 85 — locked up so-called “supercookies,” identifiers that actually aren’t cookies but trackers based on sometimes-obscure elements in a browser, such as HSTS flags. Firefox 86 expanded on its predecessor’s efforts by siloing all cookies.

(Note: There are exceptions, notably cross-site cookies not used for tracking purposes, like those “used by popular third-party login providers,” as Mozilla put it.)

Total Cookie Protection Mozilla

To enable Total Cookie Protection, users must change this setting to ‘Strict.’

Together, the previous supercookie isolation and the newer, more inclusive cookie quarantining, said Mozilla, block sites “from being able to ‘tag’ your browser, thereby eliminating the most pervasive cross-site tracking technique.”

The feature wasn’t enabled by default in Firefox 86. Instead, users must steer to Preferences’ “Privacy & Security” section and select the Strict option under “Enhanced Tracking Protection.”

More technical information about Total Cookie Protection can be found on Mozilla Hacks and on the MDN Web Docs site.

Elsewhere, Mozilla said that Firefox 86 cleaned up the design of the browser’s Print interface.

The next version, Firefox 87, will be released March 23.

Firefox 85

Mozilla this week upgraded Firefox to version 85, adding to its overarching emphasis on privacy by isolating supercookies that some sites rely on to track users’ movements on the web.

Engineers also patched 13 vulnerabilities, five of which were marked “High,” Firefox’s second-most-serious label.

Firefox 85 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.

Mozilla upgrades Firefox every four weeks; the last refresh was on Dec. 15.

Stomping on supercookies

Other than the fixes for the baker’s dozen of security flaws, the most notable change in Firefox 85 is a behind-the-scenes expansion of Mozilla’s bet on privacy.

“In Firefox 85, we’re introducing a fundamental change in the browser’s network architecture to make all of our users safer: we now partition network connections and caches by the website being visited,” said Steven Englehardt and Arthur Edelstein, senior privacy engineer and senior product manager, privacy and security, in a Jan. 26 post to a Mozilla blog. “Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking.”

Mozilla aims to stamp out the dodgy practice of storing user identifiers in “increasingly obscure parts of the browser,” as Englehardt and Edelstein put it, including caches and various types of connections and sessions. Tracking entities have gone to great lengths to hide their trackers as browser makers — Mozilla among them — have blocked more obvious avenues, such as traditional cookies, as they appeal to users’ increasing concerns.

Firefox’s approach, which typically goes by the term Network Partitioning, isolates multiple kinds of caches used by the browser to boost perceived performance by, for instance, drawing on an already-viewed image from a local cache — in memory or perhaps on disk — rather than call it again from its Internet-based source. The goal of caching: save time by eliminating downloads and reserve bandwidth for first-time content retrieval.

Rather than share such content among multiple sites, Firefox will instead quarantine that content to the pertinent site. “This partitioning applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain,” added Englehardt and Edelstein. “Systematic network partitioning makes it harder for trackers to circumvent Firefox’s anti-tracking features.”

Because the time- and bandwidth-saving techniques of sharing cached content have been discarded, network partitioning has an impact on page load times. Englehardt and Edelstein acknowledged a slight increase of up to 1.3%.

Apple’s Safari has had a form of network partitioning in place since 2013, and Google’s Chrome will soon have its own implementation. Chrome 89, slated to ship March 2, will include this anti-tracking technology, although it will be hidden behind a setting in the chrome://flags page.

Few odds, few ends

Along with the new defense against supercookies, Mozilla slipped some other improvements into Firefox 85.

The browser now remembers the location the user last selected for saved bookmarks; also, the bookmarks toolbar can be set to appear only on new page tabs, an option for tidying up the UI.

Firefox 85 also removed all support for Flash Player. “There is no setting to re-enable Flash support,” Mozilla bluntly said.

The next version of Mozilla’s browser, Firefox 86, will be released Feb. 23.

Firefox 84

Mozilla on Tuesday upgraded Firefox to version 84, adding native support for Apple’s new ARM-based Macs and declaring the browser the last to support Adobe’s Flash Player.

Security engineers also patched 14 vulnerabilities, one pegged “Critical,” Firefox’s most-serious label. Six other flaws were marked “High,” the next lower threat level.

Firefox 84 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.

Mozilla upgrades Firefox every four weeks, with the last refresh reaching users on Nov. 17.

Made for M1

Easily at the top of Firefox 84’s change log was its native support for Apple’s home-grown silicon, the M1 system-on-a-chip (SoC) that relies on the same ARM architecture which has long powered the company’s iPhone and iPad.

Firefox, like Chrome and Safari before it, now comes in a native-to-M1 version that does not need to be translated by the Rosetta 2 technology baked into macOS 11, aka Big Sur. (Big Sur uses Rosetta 2 to translate existing Intel-based code into code that runs on the M1 SoC.)

Firefox 84 changes Mozilla

Firefox 84 gets Apple M1 support.

According to Mozilla, the native version of Firefox boasts superior performance on the newest MacBook Air, MacBook Pro and Mac Mini, the models Apple has released with its own SoC. “Native support … brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive,” Mozilla asserted in Firefox 84’s release notes.

The comparison was to November’s Firefox 83, which as an Intel-based application, was translated by Rosetta 2 before running, a process that, at minimum, resulted in a longer launch the first time it was opened.

It was unclear whether Mozilla was packaging both the ARM and Intel versions of Firefox into a single Universal App, or if it was updating the browser with separate binaries.

Last call for Flash

Firefox 84 will also be the last of its kind to support Flash, the plug-in that launched the multimedia web even as it was excoriated by security professionals.

Adobe will disable Flash Player on Jan. 12, 2021, when the software will refuse to run content. Adobe made the announcement of the date on Dec. 8, when it issued the final update to Flash.

Mozilla will sync Firefox with that schedule, more or less. Firefox 85, slated to ship Jan. 26, 2021, will ship without support for Flash of any kind. “There will be no setting to re-enable Flash support,” Mozilla said in a support document, referring to the configuration settings it had long left in Options (Windows) and Preferences (macOS).

Flash Player, if it’s on one’s personal computer, will remain even after Adobe and Firefox halt support. However, Microsoft plans to delete the plug-in from Windows 10 and Windows 8.1 in 2021, on a multiple-step schedule outlined here. Mac users with Flash Player — and they will be in the minority, what with Apple’s anti-Flash attitude — will have to manually uninstall the plug-in. Adobe has provided uninstall instructions here.

The next version of Mozilla’s browser, Firefox 85, will be released Jan. 26.

Firefox 83

Mozilla this week upgraded Firefox to version 83, adding an “HTTPS-Only Mode” that tries to connect to all websites through the more secure HTTPS protocol and, after failing to do so, warning users of with a can’t-miss-it, in-your-face alert.

Company engineers also patched 21 vulnerabilities, four marked “High,” Firefox’s second-most-serious label. Firefox 83 did not include fixes for any bugs marked “Critical.”

Firefox 83 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the refresh process.

Mozilla upgrades Firefox every four weeks, with the last refresh reaching users on Oct. 20.

HTTPS-Only

Easily the most promoted of Firefox 83’s new features, the HTTPS-Only Mode promises to keep the browser’s users more secure, especially when they’re relying on public connections to the Internet that themselves have not been encrypted.

“It is time to let our users choose to always use HTTPS,” wrote Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein and Thyla van der Merwe, four members of Mozilla’s security group, in a Tuesday post to the company’s security blog. “That’s why we have created HTTPS-Only Mode, which ensures that Firefox doesn’t make any insecure connections without your permission.”

When enabled — the mode is off by default — HTTPS-Only attempts to connect to every site using HTTPS rather than the unencrypted HTTP protocol. For example, Firefox will automatically switch to HTTPS when the user clicks a link that includes http:// or when the user types http:// in the address bar.

If the destination site doesn’t support HTTPS, Firefox displays a full-page warning that asks the users whether or not they want to continue and connect using HTTP.

Firefox 83 HTTPS-Only Mozilla

This warning appears when HTTPS-Only Mode is enabled and Firefox 83 is aimed at a site that doesn’t encrypt traffic. Users can decline to continue or move on, knowing the risks.

(In some ways, HTTPS-Only Mode is similar to the HTTPS Everywhere extension — a joint effort by the Electronic Frontier Foundation (EFF) and the Tor Project — although it lacks the add-on’s ability to add user-written rules that teach it to support sites.)

15% faster, says Mozilla

Mozilla also claimed performance increases in Firefox 83, driven by improvements to the browser’s JavaScript engine, SpiderMonkey. According to the company, the browser loads pages up to 15% faster than before, even while memory usage fell up to 8%.

Other changes of note included new keyboard shortcuts for fast forwarding and rewinding video displayed in Firefox’s picture-in-a-picture sub-screen, and new options in the search panel (the box that opens after starting to type a search string into the Firefox address bar). Icons at the bottom of the panel representing several search engines — from Bing and DuckDuckGo to Wikipedia and eBay — as well as other standing in for bookmarks, open tabs and browser history can be selected so that the search takes place within that engine or category.

Also as of this version, Firefox can be run under macOS 11, aka “Big Sur,” on the new MacBook Air, MacBook Pro and Mac Mini personal computers powered by Apple’s ARM-based M1 system-on-a-chip (SoC) silicon. Firefox 83 and later, Mozilla said, support Rosetta 2, the Intel-to-ARM translator included with Big Sur. A natively-compiled version of Firefox for Apple Silicon, Mozilla added, will come “in a future release.”

The next browser, Firefox 84, will be released Dec. 15.

Firefox 81

Mozilla last week refreshed Firefox to version 81, adding a new standard theme for the browser, improving its PDF skills and automatically filing in credit card information.

Engineers also patched six vulnerabilities, half of them labeled “High,” Firefox’s second-most-serious label. Unlike many Firefox upgrades, version 81 did not fix any bugs marked “Critical.”

Firefox 81 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla upgrades Firefox every four weeks, the fastest tempo of any of the top four browsers. Mozilla last upgraded the browser on Aug. 25.

UI? You bet

Unlike the last several Firefox updates — versions 77 through 80 — Firefox 81 actually offered users noticeable new features and functionality (some in the in-your-face UI, no less).

Mozilla added a fourth built-in theme for the browser, dubbed “Alpenglow.” The new theme transformed the area around the address bar into a colorful sweep of pinks and purples, a brazen departure from the until-now-standard “Default,” “Dark” and “Light” choices.

Users can change the theme — or download others — by selecting Add-ons from the menu at the upper right.

Also on the UI front, Firefox 81 is supposed to respond to devices’ audio and video control buttons, those built into a keyboard or headset, say, as well as the virtual keys in the Mac’s touch bar. Not surprisingly, caveats abound.

Fill it up

In other UI-related news on Firefox 81, Mozilla reworked the PDF viewer’s look and feel to match the browser’s. (Previously, the viewer’s UI resembled a bolted-on afterthought, more Frankenstein than fit to Firefox.)

Firefox’s PDF viewer now supports AcroForm, aka the Acrobat Forms technology for completing PDF-based forms at the keyboard (as opposed to printing, filling the form by hand, then scanning to send via, for instance, email) by filling out pre-set fields. Computerworld, however, was unable to test the AcroForm capability on macOS; Firefox’s PDF viewer kicked up the error message: The filing of form fields is not supported..

In the U.S. and Canada, Firefox 81 will automatically enter the user’s previous-saved credit card information in forms, such as those on shopping sites as the buyer checks out. (As with AcroForm support, Firefox 81 on macOS did not show Computerworld these credit card changes.) When the feature is enabled — Mozilla, like other software makers, often rolls out new features and functionality to the user base in stages — it can be turned off or on from the Preferences > Privacy & Security > Forms and Autofill. For additional security, users can choose to require further authentication before credit card autofill; the OS’s log-in password will unlock the feature.

On the enterprise side, where Firefox’s influence pales in comparison with Chrome’s or even Microsoft’s new Chrome-wannabe, Edge, Mozilla noted that as of last week’s launch of v.81, corporate users still running Firefox 68 ESR (Extended Support Release) would be force-fed Firefox 78 ESR as its 2020-2021 replacement.

The next upgrade, Firefox 82, will be released Oct. 20.

Firefox 80

For a company whose future depends on attracting more users to its primary product, Mozilla has taken a lackadaisical approach to boosting Firefox’s features and functionality over the last four upgrades.

On Tuesday, Mozilla released Firefox 80, the fourth upgrade in a row to lack compelling new features visible to end users.

At the same time, Mozilla engineers patched 10 security vulnerabilities, including three rated as “high,” the organization’s second-most-serious threat ranking.

Firefox 80 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users receive the latest version when they relaunch the browser. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the in-process refresh.

Mozilla upgrades Firefox every four weeks, a faster tempo than rivals such as Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser July 28.

A scarcity of new shiny

Like June’s Firefox 77 and 78, and July’s Firefox 79, this month’s Firefox 80 adds next to nothing to the browser’s visible feature or functionality lists.

Mozilla itself called out only two new items of note: first, Firefox can now be set as the system-wide default for viewing PDF files, and second, it improves on how screen readers, tools used by vision-impaired, translate the browser’s menus.

Other changes Mozilla took the time to tout ranged from a decrease in the number of animations “such as tab loading to reduce motion for users with migraines and epilepsy,” to an enterprise-appropriate control that turns off a confirmation dialog when employees submit a form from an insecure page.

It’s been months since a Firefox upgrade has had enough visible new to outweigh changes under the hood. For example, Mozilla didn’t bother pitching any user-seen new or improved features or functionality in July’s Firefox 79. The Firefox before that, version 78, could muster only a few minor tweaks to the browser’s privacy dashboard. And Computerworld passed on describing Firefox 77 entirely because it contained so little of interest to end users. (Virtually every Firefox upgrade offers something for website and web app developers.)

That’s not really a trend that Mozilla will want to advertise.

Firefox’s troubles are not mysteries. Its browser share – as measured by California-based Net Applications – fell to 7.3% in July, a mark 1.1 percentage points lower than its share a year earlier. That represented a 12-month decline of 13%. According to Mozilla’s own data, the number of Firefox’s monthly active users (MAU) has fallen 15% since the start of this year.

Financially, Mozilla is in no better shape: Its most recently-reported balance sheet – for the 2018 calendar year – showed a 20% drop in revenue. The year was the first in which the organization spent more than it brought in.

And only two weeks ago, Mozilla laid off 250 people, about a quarter of its workforce, claiming that the coronavirus pandemic had “significantly impacted our revenue.”

With those headwinds, one might expect Mozilla to work overtime to craft engaging features and build atop core existing functionality, such as privacy.

Perhaps Firefox’s rapid release tempo – it accelerated to an every-four-weeks schedule earlier this year – diluted what appeared in each upgrade. The coronavirus pandemic and work-from-home mandates may have affected development, resulting in fewer new bits to include in the browser’s upgrades. And talk of additional layoffs after Mozilla let go 70 employees in January – Mozilla said it had continued to discuss the likelihood of more through the spring – would not have helped morale or made workers particularly productive.

It remains unclear how Mozilla plans to make Firefox more interesting to users and what the strategy will be to grow the browser’s base – or even whether Firefox remains  the heart of Mozilla’s grand design. When Mozilla disclosed its latest layoff round, Mitchell Baker, Mozilla’s CEO, ticked off a list of moves the leaner organization would make. Although Firefox was certainly mentioned, Baker put more emphasis on other strategies, notably new products and services, as a way to grow Mozilla.

The next upgrade, Firefox 81, will be released Sept. 22.

Firefox 79

Mozilla this week upgraded Firefox to version 79, patching 10 vulnerabilities without making any notable changes that users will see.

Of the 10 security bugs, Mozilla marked four as “High,” the browser’s second-most-serious label.

Firefox 79 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users will get the latest version just by relaunching the browser. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or displays the in-process refresh.

Mozilla now upgrades Firefox every four weeks, a shorter cadence than rivals like Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on June 30.

Where’s the new shiny stuff?

With a tight release schedule of rolling out a new version every 28 days, it’s not surprising that some upgrades add little to the browser’s visible features and functionality. Firefox 79 is one such upgrade.

Although Mozilla called out some under-the-hood improvements – WebRender support for more Intel and AMD graphics processors, for one – and several changes of interest to developers, there was nothing to pitch to users.

That’s understandable, of course. But it was also a lost opportunity to offer something new to users in a time when Firefox continues to struggle maintaining its already small share. As of June 30, the most recent measurement by analytics company Net Applications, Firefox accounted for only 7.2% of all browser activity across the world, a mark 2.3 points fewer than 12 months prior. (That meant Firefox lost almost a quarter of its share in the past year.)

Mozilla also addressed a handful of bugs related to its enterprise edition – Firefox ESR (Extended Support Release) – and how IT administrators manage the browser using group policies.

The organization took advantage of the paucity of new features to remind those enterprise customers of the upcoming transition of ESR versions. The final ESR based on last year’s Firefox 68 will be issued Aug. 25, Mozilla said, and all those who hadn’t upgraded to 2020’s ESR, Firefox 78, will be forcibly migrated to the latter starting Sept. 22.

The next Mozilla upgrade, Firefox 80, will be released Aug. 25.

Firefox 78

Editor’s note: This story does not include details about Firefox version 77, which was released June 2. That update offered few changes from version 76.

Mozilla last week upgraded Firefox to version 78, patching a baker’s dozen of security flaws and starting the annual process of retiring last year’s Extended Support Release (ESR) and offering customers the latest enterprise-designed build.

Company engineers patched 13 vulnerabilities, seven labeled “High,” Firefox’s second-most-serious label. Unlike most Firefox refreshes, version 78 did not fix any bugs marked “Critical.”

Firefox 78 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

A day after Firefox 78’s debut, Mozilla updated the browser again to fix “an issue which could cause installed search engines to not be visible when upgrading from a previous release.”

Mozilla upgrades Firefox every four weeks, a much faster tempo than Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on June 2.

More information on the privacy dashboard

Some Firefox updates are more notable than others, especially now that Mozilla is on an accelerated every-four-weeks schedule. Firefox 78 is one of the less notable upgrades.

Among the few visible-to-users changes are additions to the “Protections Dashboard,” the new name for the consolidated display of Firefox’s anti-tracking technologies’ results, known data breaches affecting the user and potential password problems. The dashboard carries on the gradual improvements Mozilla’s made to Firefox’s Enhanced Tracking Protection, which put Firefox in the lead last year in comprehensive quashing of the ad- and site-trackers which trace users’ web movements and actions.

The dashboard is a convenience, a slightly improved variation on what the browser has had for several iterations. New items on it show passwords that fell victim to known breaches as well as steps the user has already taken to mitigate said breaches (which may involve changing passwords, putting two-factor authentication into effect and the like).

Firefox’s Protections Dashboard can be called from the menu at the far right (the three horizontal lines) or by entering about:protections in the address bar.

Firefox 78 dashboard Mozilla

New to the dashboard in Firefox 78 are indicators of user-resolved breaches and the status of the browser’s password management.

Also with Firefox 78, Mozilla began culling OS X 10.9 (Mavericks), 10.10 (Yosemite) and 10.11 (El Capitan) from support, automatically shifting users of those outdated Mac operating systems to the Extended Support Release (ESR).

ESR starts next transition

Firefox ESR, which traces roots to 2012, is the release channel crafted for enterprises that cannot – or will not – upgrade workers’ browsers every four weeks. Instead, approximately once a year, Mozilla issues a new ESR that then is supported until its replacement appears (plus a several-week overlap).

The concept grew from concerns by large organizations over the fast release schedule Firefox adopted nearly a decade ago; IT administrators balked at testing and adopting a new release every few weeks.

ESR would address that by accepting only the separate security updates Mozilla made (and distributed on the same every-four-week schedule used by its standard browser channel). New features would not be introduced to any given ESR version during its year-long run. Instead, users would “catch up” on feature and functionality changes when the next ESR was released.

To give enterprises time to test and roll out the next ERS, Mozilla would use an eight-week overlap during which it would release both the previous ESR (designated “n”) and its replacement (“n+1”).

Enterprises have been using Firefox ESR 68 since the summer of 2019, but its end nears. The next ESR is v. 78. Mozilla will refresh both ESRs on July 28 and Aug. 25; ESRs 68.11 and 78.1 will appear on the first date, ESRs 68.12 and 78.2 on the second. The next release cycle, slated for Sept. 22, will see only ESR 78.3; ESR 68’s support will come to an end that day.

The following table illustrates the changeover from one ESR to the next.

Firefox ESR transition IDG/Gregg Keizer

During an ESR transition, Mozilla issues two builds during a three-release cycle to give IT admins time to test and deploy the next static-for-a-year browser.

The next Mozilla upgrade, Firefox 79, will be released July 28.

Firefox 76

Mozilla shipped Firefox 76 with enhanced password protections that include warnings of sites reportedly victimized by criminals as well as alerts if users rely on passwords known to have been leaked in breaches of other sites or services.

Engineers also patched 11 vulnerabilities, three labeled “Critical,” Firefox’s most-serious label, and another trio marked “High,” the next level down. One of the critical flaws was reported by noted researcher James Forshaw of Google’s Project Zero, and affected only the Windows version of the browser.

“The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape,” Mozilla said in the accompanying advisory.

Firefox 76 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla now upgrades Firefox every four weeks, a significantly faster tempo than Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on April 7.

Breach, reuse warnings now flash in password manager

The notable enhancements to Firefox 76 took place within its password manager, dubbed Lockwise, an area of emphasis for Mozilla in the past.

“There’s no doubt that during the last couple of weeks you’ve been signing up for new online services like streaming movies and shows, ordering takeout or getting produce delivered to your home,” Mozilla said in a post to a May 5 company blog. “All of those new accounts need unique, strong passwords to be secure, which you can now generate, manage and protect more easily.”

One change now requires a user to enter a Firefox master password – one that locks all stored passwords – or OS log-in credential to view those saved passwords in plain text. (Previously, the only way to keep nosy neighbors from looking over a shoulder to spy out a password was with a Firefox master password – but that had disadvantages of its own, particularly the browser demanding it once a session in order to access the usernames and passwords for entry into site forms.)

Another new aspect of the integrated manager: An alert appears in the sites’ credentials list when a password has been revealed in a breach. (Mozilla relies on the Have I Been Pwned? site and service for breach information.) The idea here is to prompt users to change those disclosed passwords, both on the appropriate sites and in the browser’s manager.

(Since November 2018, Firefox has displayed in-the-browser notifications when a user steered toward a site that had been breached.)

Firefox now notifies users when they’ve reused a password already on the looks-like-that-one-leaked list, too; again, as a prompt to not do something that stupid. Mozilla doesn’t actually “see” such passwords as they’re entered or receive them in any form of plain text. Instead, Firefox builds an encrypted list of the breached passwords, then checks that against all saved passwords.

Firefox website breach alert Mozilla

Firefox 76’s integrated password manager displays warnings of past breaches that have revealed site credentials stored in the browser. Boosting the prowess of the Firefox password manager has been a priority for Mozilla for more than a year and a half.

Mozilla also tweaked the video picture-in-picture feature that debuted in Firefox 71 (Windows) and 72 (macOS, Linux). Picture-in-picture lets users separate video from a web page and place it within a separate, small window, where it remains viewable whether the active tab is switched or even if Firefox stays open in the background. In Firefox 76, a double-click expands the picture-in-picture frame to full-screen, while a second double-click restores it to its original, smaller size.

The next Mozilla upgrade, Firefox 77, will be released June 2.

Firefox 75

Mozilla on Tuesday released Firefox 75 on schedule, unlike rivals Google and Microsoft, which postponed browser releases by weeks and scratched one version entirely because of the COVID-19 pandemic.

The upgrade’s most visible changes were to Firefox’s address bar, which has been tricked out with several enhancements designed to make for more productive searches.

The company’s developers also patched a half dozen vulnerabilities, three labeled “High,” Firefox’s second-most-serious label. As has regularly been the case, Mozilla addressed multiple memory safety flaws that criminals might have been able to exploit had they known of them.

Firefox 75 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can just relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

This was the second version of Firefox to be released four weeks after its predecessor — Mozilla last upgraded the browser on March 10. In September 2019, the company announced it would accelerate the browser’s release pace by shortening the interval between upgrades from six weeks to five as an interim step, finally to four weeks.

Mozilla: We don’t do delays

It was notable that Firefox 75 appeared on time, as it had been scheduled months earlier. Three weeks ago, first Google, then Microsoft, announced that they had temporarily suspended Chrome and Edge releases, respectively.

Google put off Chrome 81’s March 17 launch, while Microsoft followed suit two days later. Although neither explicitly named the coronavirus and its resulting disruptions as the cause, their “adjusted work schedules” and “current global circumstances” descriptions blamed the pandemic.

A week later, Google said it would release Chrome 81 on April 7 (it did), scrub Chrome 82 from the launch list and debut Chrome 83 three weeks earlier than originally scheduled (on May 19). Microsoft again said its Edge — like Chrome, built on technologies provided by the open-source Chromium project — would mimic Google’s browser’s return.

Mozilla held to its calendar. “We believe we can maintain our 2020 Firefox release schedule as we navigate this global crisis together,” Joe Hildebrand, vice president for Firefox web technology, and Selena Deckelmann, vice president of Firefox desktop, wrote in a joint post to a company blog. And the two took shots at the competition, noting that their teams were familiar with working remotely.

“These strengths are what allow us to continue to make progress where some of our competitors have had to slow down or stop work.”

But Hildebrand and Deckelmann didn’t promise that Mozilla would never deviate from the every-four-week tempo. “We will continue to monitor both internal and external feedback and remain open to making future adjustments,” they said.

Augmenting the address bar

With its 50% faster release cadence – every four weeks rather than every six – users have to expect fewer new features and smaller amounts of new functionality in each upgrade. That’s the case with Firefox 75, which adds to the address bar and that’s about all.

Among the improvements to the bar, one stood out: A click in the address bar now drops down a list of the first eight sites from the new tab page. The click-and-list function works at all times, saving the need to first open a new tab before zipping to a favorite site (as long as the site is one of the first eight).

To change the contents of the list or the order of the sites within it, users must add to or subtract from the thumbnails on the new tab page, or reshuffle those already there.

Firefox 75's address bar Mozilla

A click in Firefox 75’s address bar displays the first eight sites from the new tab page. It’s a slick shortcut.

Other changes to the address bar’s user interface (UI) and user experience (UX) included boldfaced keywords based on the search string being entered – “to narrow your search even further,” Mozilla asserted – and a variable-sized field and font, both which expand when typing a search string and contract to standard size when finished.

Mozilla highlighted several developer- and enterprise-specific changes as well, ranging from the loading attribute on elements to support for client certificates from the macOS certificate store. More information can be found in Firefox 75’s release notes.

The next Mozilla upgrade, Firefox 76, should appear May 5.

Firefox 74

Mozilla on Tuesday shipped Firefox 74. Wait, didn’t we just get a new Firefox a minute or two ago?

It may feel that way. Firefox 74 arrived just four weeks after its predecessor, continuing the faster release cadence promised last year.

The refreshed browser dropped support for the now-obsolete TLS 1.0 and 1.1 cryptographic protocols, blocked all add-on “side-loading” except that allowed by enterprise-managed group policy, and enabled support for a header element designed to safeguard against attacks based on the Meltdown and Spectre hardware-based vulnerabilities first revealed two years ago.

Mozilla’s security engineers also patched a dozen vulnerabilities, half of them labeled “High,” Mozilla’s second-most-serious threat label. As usual, some of the flaws might be used by criminals.

“We presume that with enough effort some of these could have been exploited to run arbitrary code,” the firm wrote of two of the bugs. Two others were discovered and reported by members of Google Project Zero, the search company’s team of researchers who root out unpatched flaws in Google and non-Google software.

Firefox 74 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

This was the first version of Firefox to be released four weeks after its predecessor — Mozilla last upgraded the browser on Feb. 11. In September 2019, the company announced it would pick up the development and release pace by shortening the interval between upgrades from six weeks to first five, then to four.

Say farewell to TLS 1.0, 1.1

As expected, Firefox 74 pulled the plug on the outdated encryption protocols of TLS (Transport Layer Security) 1.0 and 1.1. When users try to connect to a site secured with either TLS version, Firefox now shows a “Secure Connection Failed” error page.

But as when Mozilla delivered Firefox 73, this month’s upgrade included an override button letting users temporarily enable TLS 1.0 and 1.1. That button will remain “for a couple of release cycles,” said Chris Mills, content team manager at the Mozilla Developer Network, in a March 10 post to a company blog. “You won’t be able to rely on it for too long,” Mills also warned. (A “couple of release cycles” might mean through, say, Firefox 76, which will be supplanted by the next version on June 2.)

Note: The deprecation of TLS 1.0/1.1 was the result of a 2018 joint decision by makers of the four biggest browsers (including Apple, Safari; Google, Chrome; and Microsoft, Edge and Internet Explorer).

Sideloading stymied

Firefox 74 also put a stop to sideloading, the term describing how a third-party application installs an associated add-on in Firefox. (One example from times past was the “Web Clipper” add-on that Evernote installed in browsers, including Firefox.) Sideloading has been, if not banned outright, certainly frowned upon by browser makers, who have cited security concerns regarding the practice.

In October 2019, Mozilla said that it would ban sideloading, noting malware opportunities as well as the lack of user control; sideloaded add-ons were installed without user approval and could not be deleted by the normal method of heading to Firefox’s Add-ons Manager portal. At the time, Mozilla targeted Firefox 74 as the version that would drop support for sideloading.

That’s happened.

Users must now take an explicit action to install a sideloaded add-on in Firefox — blocking the hands-off kind of installs sideloading was known for — and can delete them from the Add-Ons Manager. Add-ons that were sideloaded previously won’t be removed by Mozilla (that’s for users to do if they wish), but no new sideloaded browser add-ons will be permitted from Firefox 74 forward.

As is almost always the case with Firefox, this change-up can itself be stymied in the enterprise if IT deploys the appropriate group policies to employees’ copies of the browser.

More information on Firefox 74’s stance on sideloading can be found in this Mozilla post of March 10.

Enhances security, privacy

Mozilla enabled support for the “Cross-Origin Resource Policy” (CORP) header, which can be used by site developers to opt in to protection against cross-origin requests, or those from outside the domain of the website itself.

Using CORP can help safeguard against attacks by the likes of Spectre and Meltdown, the side-channel, hardware-based vulnerabilities that went public in early 2018 and triggered major efforts by browser makers, OS developers and chip company Intel to provide patches.

Firefox 74 also took the time to trumpet the Mozilla-made Facebook Container, an add-on that locks the social network and a user’s interactions with it inside a separate container, or sections of the browser’s memory. Anything done inside the container cannot be tracked outside the container; the result is that Facebook then cannot track one of its users when she goes elsewhere on the web.

firefox74 1 facebook container IDG

When Firefox restarts after upgrading to version 74, the first thing the browser does is pitch the Facebook Container to the user.

Facebook Container is not new: Mozilla launched it almost two years ago. (The latest version now lets users add custom sites to a list so that Facebook’s credentials can be used for logging on to those websites.) Rather, once Firefox 74 has been installed — or Firefox was upgraded to version 74 — Mozilla uses the opportunity to pitch the add-on.

Firefox Container can also be installed from here.

The next version, Firefox 75, is to launch on April 7.

Firefox 73

Mozilla this week released Firefox 73, a minor upgrade whose most notable addition was a new default setting for page zooming.

Software engineers working on the open-source browser also patched six vulnerabilities, half of them labeled “High,” Mozilla’s second-most-serious threat rating. As usual, some of the flaws might be used by criminals.

“We presume that with enough effort some of these could have been exploited to run arbitrary code,” the firm wrote of two of the bugs.

Firefox 73 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla last upgraded the browser on Jan. 7, or five weeks ago.

From this point forward, Mozilla will refresh the browser every four weeks. Firefox 74 will end a gradual reduction to the intervals between upgrades: Mozilla announced the release speed-up in September, when it said the original six-week span would be shortened to five weeks, then to four.

Zoom-zoom

Firefox’s faster release tempo comes at a price: the distinct possibility that each upgrade will boast fewer new features, fewer improvements and enhancements. Firefox 73 is proof, as Mozilla was able to highlight just two changes evident to end users.

The first was a new user-set global default for the page zoom level. Rather than monkey with zoom for each site individually – to, for instance, zoom in to make text more readable for older eyes – users can set a default level higher or lower than 100% as the new baseline.

To change the default zoom (which remains at 100% if the user declines to modify it), users must open Preferences (on macOS) or Options (Windows), then under the “General” tab locate “Language and Appearance.” Select the desired default zoom from the box under “Zoom.”

That number – 110%, for instance – becomes the new baseline for all sites. Users can still manually increase or decrease zoom with keystroke combinations or from the menu.

firefox 73 default zoom Mozilla

Firefox 73’s new zoom default lets users set a baseline to, for example, zoom in to 120% on every site. For anyone who is constantly zooming, this saves tons of time.

The other addition trumpeted by Mozilla in Firefox 73’s release notes was labeled “readability backplate” and designed to collaborate with Windows’ high contrast mode. The latter is a setting that replaces the original colors of, say, a website’s text and background, with high contrast combinations for easier reading by people with vision issues.

Previously, Firefox has simply disabled background images when the user enabled high contrast mode. In Firefox 73, the readability backplate “places a block of background color between the text and background image,” Mozilla said. “Now, websites in High Contrast Mode are more readable without disabling background images.”

Days are numbered for TSL 1.0 and TSL 1.1

Mozilla, like other browser makers, is knee-deep in putting an end to the outdated encryption protocols of TLS (Transport Layer Security) 1.0 and 1.1.

More than a year ago, in October 2018, Mozilla announced that the two standards, TLS 1.0 and TLS 1.1, would lose Firefox support in March 2020. That’s next to now.

In a Feb. 6 post, Thyla van der Merwe, the cryptography engineering manager at Mozilla, promised that the upcoming Firefox 74 would give the boot to the pair. “Expect Firefox 74 to offer TLS 1.2 as its minimum version for secure connections when it ships on 10 March 2020,” she wrote.

Although van der Merwe said that Firefox would retain an override button (which has been appearing on warnings when users try to reach a website encrypted by TSL 1.0 or TSL 1.1), she noted that with telemetry trends being what they were, “It’s unlikely that the button will stick around for long.”

The next version, Firefox 74, will release on March 10.

Firefox 72

Mozilla on Tuesday launched Firefox 72, which expanded picture-in-picture video mode to macOS and by default blocked “fingerprinting,” an advanced tracking method practiced by some sites and advertisers.

The open-source developers also patched 11 vulnerabilities, five labeled “High,” Mozilla’s second-most-serious threat rating. As usual, some of the flaws might be used by criminals. “We presume that with enough effort … it could be exploited to run arbitrary code,” the firm wrote of the CVE-2019-17017 vulnerability.

Firefox 72 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla now refreshes Firefox every five weeks; it last upgraded the browser on Dec. 3.

(In September 2019, Mozilla said it would reduce the intervals between upgrades. The earlier six-week stretch was shortened to five weeks between Firefox 71 and 72. Starting with March’s Firefox 74, the interval will drop to four weeks.)

PiP-pin for McIntosh?

A month ago, Mozilla introduced Picture-in-Picture (PiP) with Firefox 71, touting the new feature’s ability to display video in a separate, small window while the user continues to surf elsewhere or even works outside the browser. Then, PiP was limited to Firefox running on Windows.

Firefox 72 expanded PiP to macOS – and if Mozilla’s December pledge was honored, Linux as well – and the feature works just as in Windows. Videos that will run in PiP were marked with a small, blue-backed “Picture-in-Picture” message when the mouse cursor hovers over the image. Clicking on that puts a frame on the desktop, video inside, and the frame can be moved and resized at will.

Firefox PiP on macOS Mozilla

Mozilla expanded Picture-in-Picture (PiP) to macOS and Linux with this week’s Firefox 72.

Firefox’s implementation of PiP is significantly smoother than Chrome’s – which requires a pair of right-clicks – in the videos where it’s available.

Scratch sites’ begging to blast you with notices

Another new aspect of Firefox 72 that Mozilla highlighted is its dampening down of the distraction from sites asking users to allow future notifications.

Those irritating pop-ups rarely result in users acquiescing to the request, Mozilla asserted. According to the company’s research, 48% of those prompts are “actively denied by the user” and a whopping 99% go unaccepted. In other words, they’re a vast waste of both websites’ and users’ time.

Firefox 72 blocks the notifications from reaching the screen – and obscuring part of the underlying page – and instead adds a small comic-style speech bubble, one that briefly jiggles for attention no less, to the address bar. Users can click on the bubble to pull up the usual notification pop-up – perhaps to dismiss it entirely and lose the bubble – or just ignore it. (It jiggles just once.)

Users can, of course, check the long-available box marked “Block new requests asking to allow notifications” in Options (Windows) or Preferences (macOS) to avoid all such irritants. (To reach that, from the “Privacy & Security” section, choose “Permissions,” then click the “Settings” button beside “Notifications.”)

Fingering fingerprinters

Mozilla also trumpeted another addition to Firefox’s anti-tracking skillset that it baked into version 72.

“The latest Firefox browser protects you against fingerprinting by blocking third-party requests to companies that are known to participate in fingerprinting,” Mozilla said here.

Like cookie-based tracking, fingerprinting is used by sites and advertisers to follow users as they wander around the web, most infamously to continue to offer a product that an individual looked at previously. It’s akin to a salesperson following a customer not only around the store, dunning them to buy this or that, but leaving the store with them, tracking them across town and even all the way home.

Fingerprinting relies on piecing together clues – ranging from the browser version and device platform to installed fonts and extensions – to create a profile, hopefully one unique enough to distinguish from others’. Unlike cookie-based tracking, fingerprinting can continue to follow a user even after the browser’s been cleared or its privacy mode has been used to, supposedly, surf anonymously.

Firefox 72 has the fingerprinters portion of Enhanced Tracking Protection (ETP), Mozilla’s name for its collection of anti-tracking technologies, turned on by default. Even if the user has switched off ETP by disabling the other tracker types, the “Fingerprinters” option will be engaged.

Mozilla turned to its partner, Disconnect – which already provided the tracker list that served as the foundation of ETP – as the source of the fingerprints. “Disconnect maintains a list of companies that participate in cross-site tracking, as well a list as those that fingerprint users. Firefox blocks all parties that meet both criteria,” Steven Englehardt, a Mozilla senior privacy engineer, said in a Jan. 7 post to a company blog.

“Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Englehardt added, without going into specifics.

The next version, Firefox 73, should launch Feb. 11.

Firefox 71

Mozilla this week released Firefox 71, touting a picture-in-picture video mode and new ways to preview a VPN (virtual private networking) service that will be offered to customers next year.

Security engineers included patches for 11 vulnerabilities, six marked “High,” the second-most-serious threat rating. None were tagged “Critical.” Some of these flaws might be exploitable by cyber criminals, Mozilla said. “This could have caused heap corruption and a potentially exploitable crash,” the firm noted of one vulnerability, labeled CVE-2019-11745.

Firefox 71 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla refreshes Firefox every six to eight weeks; it last upgraded the browser Oct. 22.

PiP PiP, and all that

Mozilla trumpeted a new Picture-in-Picture (PiP) mode within Firefox 71. “Picture-in-Picture allows a video to be contained in a separate and small window, and still be viewable whether you switch from tab-to-tab or outside the Firefox browser,” wrote Marissa Wood, vice president of product, in a Dec. 3 post to a company blog._

Although PiP was available only in Windows’ version of Firefox 71, the feature will be baked into the next upgrades for macOS and Linux, Mozilla said. Currently, Firefox 72 has been pegged with a Jan. 7 release date.

(If that January ship date for Firefox 72 seems earlier than it should, it is. In September 2019, Mozilla announced it would speed up Firefox releases by reducing the interval between upgrades. Starting with Firefox 74, set to debut March 10, the interval will drop to just four weeks. Mozilla will shorten the interval in steps; the six-week stretch between Firefox 70 and 71 will be reduced to five weeks between 71 and 72, and between 72 and 73.)

Not every video will play in PiP; those that do will display a small blue-backed “Picture-in-Picture” when the mouse cursor is hovered over the image. Clicking on that message deposits a frame on the desktop, video inside. The frame can be moved and resized at will.

Firefox pip Firefox

Firefox 71 debuts Picture-in-Picture (PiP), letting users pull video off a tab so that viewing can continue even when working in another tab or application.

And as Wood mentioned, the video is independent of the tab from which it spawned; that tab does not need to remain active and, in fact, the user can step outside the browser to another application’s window and the video will continue.

Firefox is somewhat late to the PiP party. Apple’s Safari now has PiP – as of the October upgrade, macOS Catalina – and Google’s browser has had it since Chrome 70 (an October 2018 upgrade). But Firefox’s implementation is significantly easier to use than Chrome’s, which required two right-clicks to initiate in Windows (and Computerworld was never able to successful call up PiP in Chrome on macOS).

Testing, testing of services

Other than PiP, Mozilla’s other Firefox 71 area of attention is further testing of its “Firefox Private Network” (FPN), the browser extension the company released in September. FPN accesses a VPN-like service that encrypts browser-to-site-and-back traffic and was free to Firefox Account holders in the test phase that kicked off then. Website security vendor Cloudflare provided the proxy server for FPV.

That September offer, however, has been shuttered.

Instead, a second testing phase launched alongside the debut of Firefox 71. Like the first, this “limited-time free service” relies on the FPN add-on to encrypt to-and-from-browser transmissions but comes with a major restriction: Usage tops out at 12 hours each month.

After signing up for the free deal, users are given a dozen passes, each good for an hour of encrypted traffic. “To claim a pass, simply turn Private Network on,” the beta’s explanatory page stated. “Use Firefox as usual, and your browsing will be encrypted and sent through a proxy service provided by our trusted partner Cloudflare. Passes expire after one hour, even if you turn Private Network off. You’ll receive 12 new passes at the beginning of each month.”

Mozilla suggested that users switch on FPV (and so use one of the month’s 12 passes) when relying on a public network, such as at a coffee shop or an airport.

As an alternative, Firefox users can request an invitation to a full VPN service, which for $4.99 month encrypts traffic to and from up to five devices. Mozilla called this a “paid beta.” The VPN service uses servers around the globe controlled by Mullvad, a Swedish VPN that sells its services for €5 per month. Initially, the Firefox offer only applies to users running Windows 10, although Mozilla said, “other platforms coming soon.”

Mozilla has struggled to create non-search related revenue streams – in 2018, the vast bulk of its income came from deals that put various search engines as the Firefox default – and this effort is the second time the organization has tapped a paid VPN as one solution.

Elsewhere in Firefox 71, Mozilla added a “kiosk” mode for businesses and the browser now notifies users when Enhanced Tracking Protection (ETP) blocks cryptominers.

Firefox 70

Mozilla on Tuesday upgraded Firefox to version 70, enhancing its anti-tracking technology with new blockers that automatically stymie social media trackers and compiling reports so users can see what spying the browser has stopped.

Security engineers at Mozilla also included patches for 13 vulnerabilities, one marked “Critical” and three marked “High,” the organization’s two top threat ratings. The critical flaw was described as “memory safety bugs,” a label that’s present in virtually every Firefox upgrade’s patch list. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code,” Mozilla wrote in the accompanying security advisory.

Firefox 70 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or describes the refresh process.

Mozilla updates Firefox every six to eight weeks; it last upgraded the browser on Sept. 3.

Stops trackers from Twitter, Facebook, LinkedIn

Mozilla amped up its assault on trackers, the bits and pieces in websites and on pages that collectively allow advertisers — primarily but not exclusively them — to watch where users go on the web in an effort to piece together profiles, which in turn are used to deliver advertisements that, theoretically at least, should be more appealing and likely to trigger a purchase.

On the heels of Firefox 69, which switched on Enhanced Tracking Protection (ETP) for all users, Mozilla this version added trackers from several social media giants — Facebook, Twitter and the jobs-related LinkedIn (owned by Microsoft) — to the browser’s block list.

“Social networks place trackers on other websites to follow what you do, see, and watch online,” Mozilla wrote. “This allows social media companies to collect data about your browsing history and improve their ad targeting.”

Users can set social media blockers at two strength levels — Standard (the default) and Strict — just as they can blockers for other classes of trackers.

Privacy report card

Firefox 70 also introduced a basic privacy report that describes the number of times the browser blocked a tracker — broken down by cross-site, social media, fingerprinter and cryptominer categories — over the past week with totals segregated by day.

The report also displays the number of email addresses monitored for inclusion in publicly-known data breaches, the number of those breaches and how many passwords were leaked in those hacks. (The data comes from Firefox Monitor, which Mozilla introduced a year ago.)

To access the report, click the shield-like icon in the address bar — it’s at the far left of the bar — then select “Show Report” from the drop-down menu. Or type about:protections in the address bar and hit Enter to bring up the report.

firefox70 privacy report IDG

The new privacy report card breaks down the trackers Firefox has blocked over the past week. But it also keeps tabs on the total tally since Sept. 3, when Mozilla switched ETS on for everyone.

Mozilla has ulterior motives in pushing the report. The more impressed users are by the report’s totals — particularly the number of blocked trackers, cookies and content both — the more likely they are to stick with Firefox and recommend it to others.

Firefox has held on for the last two months in the fight over user share, but it’s still in the sub-9% cellar. Mozilla has banked on its privacy work, notably ETP, to bring in new users (or bring back deserters), so the only surprise is that it waited until now to debut a report lauding its accomplishments.

Lock ’em up, Danno!

During the summer, Mozilla started showing off a built-in Lockwise password manager in an under-baked preliminary version of Firefox 70. In that same preview, Mozilla demonstrated how Lockwise worked alongside its already-available Firefox Monitor, a service that provides warnings to users when their saved passwords have been revealed by a data hack.

The release version of Firefox 70 puts the two — the Lockwise password manager and the Monitor password revelation tool — in the hands of all users. And almost the way Mozilla outlined it earlier.

While Lockwise will crank out a password for the user when she creates a new account on a site, it’s not possible to ask the manager to craft one of those very strong passwords for an existing, stored account. That’s a pity, because that feature comes in handy in a third-party password manager when its user is told — because of a data breach, for instance — to change a password. And make it strong while they’re at it.

Other parts of Lockwise, notably those that come courtesy of the marriage between Lockwise and Firefox Monitor, are there, said Mozilla, but not testable because Computerworld couldn’t come up with an account revealed by a breach. The collaboration as described sounds slick: Exposed accounts are to be marked on the Lockwise page with both an icon in the list on the left and with a more prominent note in the main section on the right. (A Mozilla video shows how it’s supposed to look and work.)

One bit that was planned for the merger between Lockwise and Monitor — the ability to sort accounts so that revealed-by-hack usernames and passwords would be at the top of the list — didn’t make the cut with Firefox 70, as it was absent in the version pushed to users Oct. 22.

Elsewhere in Firefox 70, Mozilla claimed that it significantly reduced the browser’s power consumption on macOS (and published a technical thicket of a piece explaining that).

The next version, Firefox 71 — and the last of the year — should launch Dec. 3.

Firefox 69

Mozilla on Tuesday released Firefox 69 with the browser’s anti-tracking technology switched on by default for all users.

The organization’s security engineers also patched 20 vulnerabilities, one tagged “Critical” and 11 marked “High,” the organization’s two top threat ratings. The single critical flaw only affected Windows, Mozilla said in its patching commentary.

Firefox 69 can be downloaded from Mozilla’s site for Windows, macOS and Linux. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.

Mozilla updates Firefox every six to eight weeks; it last upgraded the browser on July 9.

You get ETP and you get ETP and …

Mozilla first turned on Enhanced Tracking Protection (ETP) in June, but at the time limited the setting to new-to-Firefox users. However, existing customers could flip the ETP switch themselves using the Preferences screen.

With Firefox 69, Mozilla has enabled ETP for all users. By default, “Content Blocking” — the feature’s name in Firefox’s Preferences — is set to “Strict,” the strongest protection available. Users can reset that to “Standard” or “Custom,” or even turn off everything by clearing all choices in the latter.

Mozilla said that prior to Firefox 69’s debut, more than 20% of all Firefox users had ETP engaged, signaling that a significant number of existing users had manually enabled ETP in the past three months. “With today’s release, we expect to provide protection for 100% of our users by default,” wrote Marissa Wood, vice president of product at Mozilla, in a Sept. 3 post to a company blog.

ETP has taken a crooked road to release. Tracing its linage to 2015’s “Tracking Protection,” Mozilla got serious about the concept two years ago, when it broke the technology out of the private-browsing bubble. In October 2018, it named the feature ETP and set Firefox 65, slated to release in January 2019, as the on-by-default target. Problems persisted, however — in several instances Mozilla said the technology was breaking too many sites — and delays were inserted for more testing. Finally, Mozilla used a “soft opening” for ETP in June, limiting the automatic on-by-default to new users as a final quality control check.

Wood spelled out additional information about ETP in her Tuesday post.

screen shot 2019 09 03 at 5.32.33 pm Mozilla

All Firefox users now have the browser’s anti-tracking feature switched on, set to the strongest protection. Changes can be made in the Preferences pane.

Block this, block that

Also in Firefox 69, Mozilla’s developers enhanced the choices for autoplay, the habit by sites to immediately start playing video on the computer screen and blasting audio from its speakers.

Firefox has automatically blocked autoplay of audio since March and version 66. Video with accompanying audio was also stopped from playing. But if a video provider muted the audio, Firefox let the former play. With Firefox 69, users can select “Block Audio and Video” to stop such video from automatically playing.

That setting is at Preferences > Privacy & Security > Permissions > Autoplay > Settings > Default for all websites.

This version of Firefox also took the next step in Mozilla’s kill-Flash process.

The browser lost the “Always Activate” option for Flash, meaning that every request to run the player software must be user approved. From this point forward, the only settings are “Ask to Activate,” the default, and “Never Activate.”

This move was previously announced by Mozilla (check out the “Plugin Roadmap for Firefox” here) and should be the last step before all Flash support is yanked from non-enterprise copies. (The Extended Support Release, or ESR, will continue to support Flash until the end of 2020.)

The next version of the browser, Firefox 70, should release Oct. 22.

Firefox 68

Mozilla on Tuesday released Firefox 68 for Windows, macOS and Linux, packing more insights into the browser’s add-ons and adding a slew of new group policies that enterprise IT administrators can use to better manage the browser.

Mozilla’s security engineers also patched 21 vulnerabilities, two labeled “Critical” and four marked “High,” the organization’s top two threat ratings. “We presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported in one advisory.

Firefox 68 can be downloaded from Mozilla’s site. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser was May 21.

Mozilla now recommends add-ons

Among the few noticeable changes to Firefox as of version 68, Mozilla trumpeted those affecting the browser’s add-ons — “extensions” in its terminology — that historically were one of its biggest weapons.

“We curated a list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness,” wrote Marissa Wood, vice president of product at Mozilla, in a post to the firm’s blog.

Earlier this year, Mozilla announced it would try to make add-ons more secure, saying it was launching an effort to “secure the extension ecosystem to better fulfill our brand promise of security and privacy for Firefox users.”

Firefox 68 recommended add-ons Mozilla

Within Firefox 68, Mozilla will recommend add-ons it believes the user will like, based on telemetry sent from the browser.

There’s no reason to doubt Mozilla’s sincerity, but the outfit must also be wondering how to restore Firefox’s reputation related to add-ons. When it shifted technologies, and demanded extension developers rewrite their work, that reputation suffered as some add-ons vanished. It didn’t help that Chrome continued to gain not only user share by leaps and bounds, but also grew the count of its browser extensions.

Banging the drum with recommendations is one way to again trumpet Firefox through add-ons.

Recommended add-ons are tagged with a special badge in the official add-on mart and are posted below the already-installed extensions in Firefox’s add-on manager. “Some of these recommendations are personalized,” claimed a note in the manager after upgrading to version 68. “They are based on other extensions you’ve installed, profile preferences, and usage statistics.”

Mozilla knows the above from the telemetry Firefox transmits from users to the company’s servers.

In documentation about the feature, Mozilla made clear that there’s no pay-for-play involved in the add-on recommendations. “Extension developers cannot pay for placement in the recommendation program, and Firefox does not receive any compensation as a result of this process,” Mozilla stated.

Also new to add-ons in Firefox 68: a way to report suspiciously malicious extensions, those that alter settings without permission or fly a false flag by claiming to be something they aren’t. In the add-on manager, users can now select “Report” from the same menu where they’ve long found “Disable” and “Remove.”

More enterprise policies

Another area of Firefox 68 that Mozilla emphasized involves group policies for IT managers. Enhancements to policies — and thus the browser’s suitability to enterprise use — were linked to the simultaneous release of Firefox ESR (Extended Support Release) 68, the version which stresses stability over sexy new features.

Unlike the standard Firefox, ESR receives only security updates during its tenure. (Prior to this week, the current ESR was based on Firefox 60, which debuted in early May 2018.) Every 14 months, Mozilla replaces the existing ESR with the then-current Firefox, then maintains both the old and new ESR versions during a multi-month overlap. Firefox ESR 60’s support overlap with ESR 68 began July 9, when the latter launched, and will end Oct. 22, when that date’s security patches will not be provided for the former.

“Today we’re adding a number of new enterprise policies for IT leads who want to customize Firefox for their employees,” said Mozilla’s Wood.

Among the new policies are ones that will allow administrators to remove the new tab page (NewTabPage) — perhaps to replace it with the business’s own intranet — and set and lock the downloads destination (DownloadDirectory) to comply with company guidelines of depositing files in the cloud, say.

A list of all policies supported by Firefox is available here, on GitHub; searches using 68 will find those new to this ESR. (The Firefox ESR 68-only policies are also listed at the top of this GitHub page.)

The next version of the browser, Firefox 69, should release Sept. 3.

Firefox 67

Mozilla this week shipped Firefox 67 for Windows, macOS and Linux with performance improvements that — when added to improvements that over the past year — make the browser 80% faster, according to the company.

Other changes to Firefox that surfaced in version 66 ranged from customized private browsing sessions — such as letting a user enable add-ons while in so-called “porn mode” — to running multiple builds at the same time, a Firefox first.

Security engineers also patched 21 vulnerabilities, two of them labeled “Critical,” Mozilla’s most serious threat rating. “We presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported. More than half the bugs — 11 all told — were ranked as “High,” one step below Critical.

Firefox 67, which can be downloaded from Mozilla’s site, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 66, was March 19.

Faster, says Mozilla

Doubling down, really for the first time, on performance since the November 2017 launch of a revamped Firefox — one slapped with the nameplate “Quantum,” which never caught on — Mozilla touted new in-code prioritizations for the faster painting of pages.

“Firefox is better at performing tasks at the optimal time,” Marissa Wood, the recently appointed vice president of product, wrote in a post to a company blog, referring to the post-change version 67.

Wood cited several modifications that spurred Firefox’s speed, notably pushing the least-used features down the list so that they would be available only after a page has been drawn. “This includes prioritiz[ing] scripts for things you need first while delaying others to help make the main scripts for Instagram, Amazon and Google searches execute 40-80% faster,” Wood said. Elsewhere in the browser, idle tabs will now be suspended when available memory falls under 400MB; the contents of those tabs are reloaded if or when a user clicks back in.

Browser makers have long competed on speed. For a long while, however, incremental improvements have been hard to demonstrate, especially to desktop users typically riding a high-bandwidth wave, where vagaries in the connection may be more damaging to speed than any coding decision.

More recently, some browser developers have struck out all online ads — as does Brave, for instance — then trumpeted the obvious page-painting speed increases. Naturally, a page will display faster when less content is drawn; the same result could be achieved by barring all non-ad content.

It’s unclear whether Mozilla’s speed pitch will make a difference in its usage but there was little reason not to try; only last month did Firefox climb back to double digits in user share after lingering at 9% for nearly a year.

Also, more privacy

The other angle Wood touted on Firefox 67 is one of Mozilla’s cornerstones. “Privacy has always been core to Mozilla’s mission,” she acknowledged. After ticking off several past accomplishments in the arena, Wood highlighted additions that include options for blocking “digital fingerprinting” — an umbrella term for a slew of more-than-cookies tracking techniques to follow users as they browse — and unauthorized crypto-mining. 
 The new settings will add to those already in place since the enhanced anti-tracking initiative kicked off last fall with Firefox 62. They’re tucked under the “Custom” portion of “Content Blocking” within the “Privacy & Security” pane of Preferences (macOS) or Options (Windows).

Firefox 67 options Mozilla

New options to block unauthorized crypto-currency mining and sneaky fingerprinting for following you around the Web, have been added to Firefox 67.

(Note: Not everyone will see the “Cryptominers” and “Fingerprinters” options immediately; Mozilla typically rolls out such improvements in stages to reduce problems if bugs surface. Computerworld found that only half its copies of Firefox offered the new options.)

Also under the Privacy label, Firefox 67 gives more control to users operating in Private Browsing, the mode that doesn’t record sites visited or save cookies for easier return visits. “Based on user feedback, we’re giving more controls for you to get the most out of [your] Private Browsing experience,” Wood said.

That amounted to options for enabling add-ons while using the mode and saving passwords while in Private Browsing. Traditionally, extensions have been barred as possible data leakers — not just in Firefox but in rivals’ own privacy modes — and as for passwords, well, saving those used in the mode makes as little sense as saving sites seen.

Those changes seem contrary to the concept of a privacy mode, but as they’re opt-in, they can be disregarded if desired. Mozilla justified their appearance with the line, “To bust a myth, private browsing doesn’t make you completely invisible on the internet.”

Elsewhere in Firefox 67, the version is the first to allow side-by-side installs of the browser. Playing to the pre-release crowd — those who would want to run, for instance, both Developer Edition and Beta for site testing purposes, or the stable release along with Beta to see what’s coming — the enhancement was broached back in January and promised for this edition.

The next version of the browser, Firefox 68, should release July 9.

Firefox 66

Mozilla this week released Firefox 66, which by default now blocks all audio and video auto-play.

Other additions and enhancements to Firefox 66 included promised smoother scrolling, search within multiple tabs and clearer warnings of possible security problems on a website about to be rendered on the screen.

Engineers also patched 21 vulnerabilities, five of them labeled “Critical,” Mozilla’s highest threat ranking. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported.

Off with auto-play

The change to switch auto-play off by default was expected: More than a month ago, Mozilla announced that “with the release of Firefox 66 for desktop and Firefox for Android, Firefox will block audible audio and video by default.”

To view video and listen to audio, users can click on the displayed play button, Mozilla said. They can also pull up site-specific controls which will allow some destinations to begin playing as soon as the browser pulls up a page. Muted auto-play video will also continue to be allowed; sound-free video is currently supported by all the major browsers that block auto-play media.

Firefox 66 audio auto-play preferences Mozilla

Firefox 66 users can set audio auto-play preferences on a per-site basis by clicking on the encircled “i” in the address bar.

Mozilla has been playing catch-up here to the likes of Google, which led in stymying audio auto-play. As long ago as 2013, Chrome blocked audio that blasted from opened tabs. Last year, it added stricter controls over auto-play, though it declined to block every site’s audio.

Firefox 66 does much the same. “Subsequent videos will play automatically, just as the site intended … ((on)) all streaming sites including Netflix, Hulu and YouTube,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a March 19 post to a company blog.

Like many Firefox features, the auto-play blocking will be rolled out in stages, Mozilla said. Its plan: Offer it to 50% of users by March 21, all by March 26.

Unblocked for now: auto-play JavaScript Web Audio content, which is typically relegated to older web apps and online games. In early February, Mozilla said it was “working on blocking auto-play for Web Audio content” and was hoping to add blocking for that this year. Google added automatic blocking of auto-play Web Audio content in Chrome 66, but almost immediately backed off after users and developers complained that the change broke too many games and apps. Google restored the auto-play blockade with Chrome 71, which shipped in December 2018.

The staged roll-out was designed so that if Firefox 66 runs into the same kind of headwinds, Mozilla can quickly call a stop.

Streamline searches and security alerts

Firefox 66 added a search function to the tab overflow menu — that’s under the downward-facing arrow at the far right when there are numerous open tabs — that automatically inserts a percentage sign (%) in the address/search bar. Any searches then show pertinent open tabs in the drop-down list.

Improvements were also made to the baked-in warnings that appear when the browser believes there’s a problem with the site-to-be-seen’s digital certificate. Legitimate certificates prove the site is what it claims it is. “If something isn’t right, you’ll get a security warning,” Nguyen said. “We’ve updated these warnings to be simple and straightforward safe.” Last week, Mozilla posted “Before” and “After” examples here.

The next upgrade, Firefox 67, should reach users on May 14, according to the browser’s current release calendar.

Firefox 65

Mozilla today released Firefox 65 for Windows, macOS and Linux and called out new user controls for setting the desired level of anti-ad tracking by the browser.

Developers also patched seven vulnerabilities, three tagged as “Critical,” Mozilla’s highest threat ranking. “This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash,” Mozilla said, referring to a “use-after-free” bug in the browser.

Firefox 65, which can be downloaded from Mozilla’s site, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 64, was Dec. 11.

Anti-ad tracking stays off by default

Mozilla’s most ambitious initiative for Firefox last year was the introduction of “Enhanced Tracking Protection,” its name for blocking cross-site tracking, the page-embedded trackers that sites or ad networks use to follow users around the web. The October debut of the feature was touted by Mozilla as a more surgical version of the broader content blocking that had broken some websites and caused confusion.

Enhanced Tracking Protection was off by default in Firefox 63, but Mozilla said that it would be switched on as of early 2019, implying that meant with Firefox 65.

Nope.

“Before we roll this feature out by default, we plan to run a few more experiments and users can expect to hear more from us about it,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a Jan. 29 post to a company blog.

Instead, Firefox 65 sports a revamped settings section dubbed “Content Blocking.” Nguyen said the redesigned settings were prompted by additional testing.

Firefox content blocking Firefox

Mozilla recast the Enhanced Tracking Protection settings in Firefox 64 as “Content Blocking” and gave users more information about what was what. The anti-ad tracking has yet to be turned on by default, though.

The section is more visible and included more information about the impact of switching tracking protection on. To do that, users have to select Options (Windows) or Preferences (macOS) from the menu under the three horizontal bars at the upper right, click “Privacy & Security” in the sidebar at the left, and then under the section labeled “Content Blocking,” select the radio button marked “Strict.”

A “Custom” radio button is also available for users who want to, say, block ad trackers but not cookies, or vice versa.

More information about Content Blocking can be found on the support website dedicated to Firefox.

Redesigned Task Manager

Firefox 65’s other prominent addition is to the Task Manager page, displayed after entering about:performance in the address bar. The manager reports on memory and energy (read, battery) usage for each tab and add-on, then offers a quick way for users to close a gluttonous tab or disable a misbehaving extension.

The Windows version of Firefox 64 also now supports AV1 video compression, a royalty-free standard backed by a group — Alliance for Open Media (AOMedia) — whose members include Mozilla, Amazon, Apple, Facebook, Google, Intel, Microsoft, Netflix and others. David Bryant, a Mozilla Fellow who leads the organization’s Emerging Technologies team, spelled out AC1 and Firefox’s support in a separate post on Medium.com.

“We think someone’s ability to participate in online video shouldn’t be dependent on the size of their checkbook,” Bryant said.

The next upgrade, Firefox 66, should reach users on March 19, according to the browser’s release calendar.

Firefox 64

Mozilla released Firefox 64 for Windows, macOS and Linux with an embedded recommendation system that spotlights features and suggests specific add-ons based on how users work the browser and where they steer it on the web.

Engineers also patched 11 vulnerabilities in Firefox. Two were marked “Critical,” Mozilla’s highest threat ranking. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla said in the advisory posted to the web.

Firefox 64, which can be downloaded here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 63, was Oct. 23, or seven weeks ago.

It’s CFR, not CPR

Firefox 64 introduces what Mozilla calls “Contextual Feature Recommender,” aka CFR, a feature currently available only to U.S. users running the browser in standard mode (not in Private Browsing mode). “CFR is a system that proactively recommends Firefox features and add-ons based on how you use the web,” said Nick Nguyen, Mozilla’s vice president of product strategy, in a Dec. 11 post to a company blog.

Essentially, CFR points out potentially-useful features and add-ons to Firefox users. At root, it’s a way for Mozilla to make the case that its browser is more personalized and more productive than rivals such as Google’s Chrome, which sports a market share seven times Firefox’s and offers significantly more add-ons.

Nguyen cited examples such as tab pinning — a feature that permanently places some sites’ tabs on the tab bar — that Mozilla might recommend a user. He also named three add-ons CFR could prescribe for those who spent substantial time on Facebook and YouTube, or who frequently called on Google Translate to interpret foreign-language websites.

Nguyen also swore that CFR sends no data to Mozilla, an important note in light of the organization’s stance on user privacy. “The entire process happens locally in your copy of Firefox,” Nguyen said.

All about tabs in the end

Firefox 64 also added some twists to tab management that let users grab, then perform an action on multiple tabs simultaneously. Users can now, for instance, select a stretch of tabs by pressing Shift as they click on the first and last tabs in the span.

A more flexible maneuver is available, too: Pressing Ctrl (Windows) or Command (macOS) while clicking allows users to select non-contiguous tabs. Once selected, the several tabs can be moved, bookmarked, pinned or deleted as a block.

Chrome already has this tab-handling capability, but others, including Apple’s Safari and Microsoft’s Edge, do not.

Firefox 64 now shows how much “energy impact” each tab represents when the user types about:performance in the address bar to bring up the browser’s task manager. The page is in the midst of a revamp, and Mozilla engineers have said that memory consumption — another important metric for browsers — will be added in the next iteration.

Elsewhere in the browser, Firefox 64 dropped support for all Symantec-issued SSL (Secure Socket Layer) certificates. The move, which was triggered by a consensus among browser makers that Symantec and its partners had improperly issued certificates, violating the rule set by the CA/Browser Forum, a standards groups whose members include browser developers and certificate authorities.

Firefox’s final step in its “distrust” process was originally supposed to take effect with version 63. But Mozilla delayed the ban, saying in October that too many sites had not switched to a different certificate supplier at the time. Instead, Mozilla gave Firefox 64 the honors.

The next upgrade, Firefox 65, should reach users on Jan. 29 according to the browser’s release calendar.

Firefox 63

Mozilla released Firefox 63 for Windows, macOS and Linux, boosting its anti-ad tracking defense by offering an option that blocks cookies from third-party trackers.

Engineers also patched 14 vulnerabilities in Firefox. Just two of them were marked “Critical,” Mozilla’s highest threat ranking; three others were tagged “High,” the next rank down.

Firefox 63, which can be downloaded here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 62, was Sept. 5, or just shy of seven weeks ago.

Enhanced Tracking Protection

Firefox 63 upped anti-tracking, dubbing the improved defense a component of “Enhanced Tracking Protection,” a new name for a Mozilla effort pursued over several iterations of the browser.

An older label — “Tracking Protection” — was given to the feature in Firefox 57, last year’s huge overhaul named “Quantum,” which let users block tracking cookies in all sessions, not just the private browsing mode in which Tracking Protection debuted in 2015.

Firefox Enhanced Tracking Protection Mozilla

Firefox 63’s Enhanced Tracking Protection lets users turn off blocking on a site-by-site basis by clicking on the new shield icon in the address bar.

Tracking Protection did what its title implied: It blocked a range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users around the Web. The problem, though, is that when Tracking Protection was switched on, it broke things. “The reality is that Firefox’s original Tracking Protection functionality can cause websites to break, which confuses users,” said Peter Dolanjski, project lead for Firefox, in an Oct. 23 post.

Enhanced Tracking Protection is much the same: It blocks tracking cookies and the access to in-browser those cookies need to operate, blocking most common cross-site tracking. But it does so in less draconian fashion. “The feature more surgically targets the problem of cross-site tracking without the breakage and wide-scale ad blocking which occurred with our initial Tracking Protection implementation,” contended Dolanjski.

According to Mozilla, the Enhanced feature should break or disrupt fewer sites. And for those it does, there’s a way for the user to back away from the blocking. “You might see some odd behavior on websites, so if something doesn’t look or work right, you can always disable the protection on a per-site basis by clicking on the Shield icon in the address bar, and then clicking ‘Disable Blocking For This Site,'” wrote Nick Nguyen, the firm’s vice president of product strategy, in a post to a company blog.

Enhanced Tracking Protection is off by default in Firefox 63. To switch it on, users must select Options (Windows) or Preferences (macOS) from the menu under the three horizontal bars at the upper right. Click “Privacy & Security” in the sidebar at the left, then check the box marked “Third-Party Cookies” under the phrase “Choose what to block.” The radio button marked “Trackers (recommended) should be pre-selected. If not, select it.

Previously, Mozilla had said that anti-tracking would be in place and on for everyone by Firefox 65, currently scheduled to ship Jan. 29, 2019. That still seems to be the plan. “We’ll continue to test this feature and hope to release it by default early 2019,” said Nguyen.

Firefox 63’s other prominent addition is to search with something Mozilla named “Search shortcuts,” which appear on the browser’s new tab page.

A pair of icons, one marked “Google” the other “Amazon,” shift the cursor to Firefox’s address bar (Mozilla refers to that as the “Awesome bar” at times) with the long-available @google or @amazon search keyword already in place. Anything typed in the address bar after the keyword then becomes the search string on the designated site.

The advantage? The user need not wait for the google.com or amazon.com page to load before searching.

Not everyone with Firefox 63 will see the shortcuts immediately. (Computerworld staffers using Firefox, for example, were sans the search icons in their browsers’ new tab pages.) As it often does, Mozilla is enabling the feature in stages.

The Amazon shortcut is also a money maker for Mozilla, as purchases made by users via such searches will generate revenue to the developer through the e-seller’s affiliate program. “In the spirit of full transparency … we anticipate that some of these search queries may fall under the agreements with Google and Amazon, and bring business value to the company,” said Maria Popova, senior product manager for Firefox, in an Oct. 17 post. “Not only are users benefiting from a new utility, they are also helping Mozilla’s financial sustainability.”

The next edition, Firefox 64, should reach users Dec. 11, according to the browser’s release calendar.

Firefox 62

Last month’s upgrade to Firefox — Mozilla issued version 62 on Sept. 5 — featured relatively few changes or enhancements. Among the new: An expansion to four rows of sites available on the new tab page, and an automatic sandboxing of the AutoConfig file for enterprise use. (AutoConfig can be used by IT administrators to lock settings that cannot be accessed by group policies in Windows or the policies.json file in macOS and Linux.)

When Firefox 62 debuted, Mozilla reminded users that it intended to drop support for all Symantec-issued SSL (Secure Socket Layer) certificates with the next upgrade, this week’s Firefox 63. Instead, Mozilla balked at the move.

On Oct. 10, it declared it would delay the “distrust” of the certificates, citing a too-large number of websites that had yet to switch to different certificate supplier. “We believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users,” wrote Wayne Thayer, Mozilla’s Certificate Authority program manager, in a blog post.

The Symantec distrust will now take effect with Firefox 64 in December, Thayer added.

Firefox 61

Mozilla on Tuesday delivered Firefox 61 for Windows, macOS and Linux, claiming that the browser’s page-painting speed has been improved and that switching tabs is faster than before.

The developer’s engineers also patched 18 vulnerabilities in Firefox, a third of them marked “Critical,” the highest threat ranking in a four-step system.

Firefox 61, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.

Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 60, was May 9, or just shy of seven weeks ago.

Perform or else

With Firefox 61, Mozilla returned to trumpeting performance, one of the primary touts used when it rolled out the revamped — and newly named — Firefox Quantum in November.

At the top of the list were, well, lists: “Retained display lists.”

Those are actual lists the browser composes of the elements needed to display a page, then sorted in a back-to-front fashion for proper painting of each component. Before Firefox 61, the browser built a new display list from scratch each time a page required updating. “This is great for simplicity: we don’t have to worry about figuring out which bits changed or went away. Unfortunately, the process can take a really long time,” Matt Woodrow, a senior staff software engineer, said in a Monday post to a Mozilla blog.

The re-creation of display lists impacts page-painting performance, particularly with video, which is best viewed with updates 60 times per second. “This has always been a performance problem, but as websites have become more complex and more users have access to higher resolution monitors, the problem has been magnified,” Woodrow contended.

Instead, Firefox now retains the parts of the display list that haven’t changed from the just-prior compilation, building a new display list “only for the parts of the page that changed since we last painted and then merge the new list with the old,” according to Woodrow. The results: Page painting times fell by an average of 33% and there was an almost 40% decrease in dropped frames blamed on list making. Almost as important, freeing the browser from rebuilding the list means the application — and the horsepower behind it in the device’s silicon — can be applied to other tasks.

Warm up those tabs

In the Windows and Linux versions of Firefox 61, Mozilla debuted a feature it called “tab warming,” that promises faster tab-to-tab switching.

As a user slides the mouse pointer toward and over a tab, Firefox detects the movement. The browser then preemptively renders the layers for the tab’s (or tabs’) display(s) and uploads those layers to the page compositor, “when we’re pretty sure you’re likely to switch to that tab,” said Mike Conley, a Firefox developer, in a post to his personal blog.

Switching tabs using key combinations — on a Mac, it’s Control-Tab — will not receive the same preemptive loading.

Conley downplayed the feature. “For many cases, I don’t actually think tab warming will be very noticeable; in my experience, we’re able to render and upload the layers2 for most sites quickly enough for the difference to be negligible,” he wrote in that same post.

Don’t forget security

Mozilla fixed 18 different security flaws in the Firefox 61 update — patches are a part of almost every upgrade — six of which were tagged “Critical,” the company’s most-serious ranking.

Also on the security front, Firefox 61 set support for the latest draft of TLS 1.3 as on-by-default. TLS 1.3 is an Internet-standard cryptographic protocol for encrypting the traffic between browser and site server; it was officially approved earlier this year.

Browser support for TLS 1.3, at least in an on-by-default setting, has been shaky. Last year, Chrome turned it on, but later back off when site and service incompatibilities popped up. Google’s browser has yet to switch TLS 1.3 support on as the default.

Firefox 60

Mozilla this week released Firefox 60 for Windows, macOS and Linux, enabling a previously-only-tested policy engine so IT admins can manage the browser within the enterprise.

Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.

Mozilla usually updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 59, was March 13, or eight weeks ago.

Quantum Enterprise goes live

In March, Mozilla asked for corporate volunteers to help it test a new policy engine that it would add to Firefox Quantum — the secondary name the developer slapped on its browser in late 2017 after a major redesign and recoding — so IT could administer the application through Group Policy on Windows.

As planned, Mozilla enabled the policy engine in Firefox 60, making it possible for the first time to manage the browser. “Firefox now supports a long-requested feature  — the ability for IT professionals to easily configure the browser using Windows Group Policy or a cross-platform JSON file,” crowed Ryan Pollock, who leads Firefox product marketing, in a post to a company blog Wednesday.

Windows Group Policy is the de facto standard for software administration in the enterprise and is well-known to IT. Shops also running macOS or Linux — or those few that rely only on those operating systems — can instead add a .json (JavaScript Object Notation) file to Firefox’s installation folder/directory. Mozilla has provided Group Policy templates and documented the construction of .json files on GitHub or its own support site. A listing of all the policies currently supported are also posted on GitHub.

Organizations can deploy either the standard Firefox, which Pollack referred to as “Rapid Release” in a nod to its every-six-week update cadence, or the long-available Extended Support Release (ESR). The latter remains feature-stable for about a year, receiving only security fixes during that time. At the end of a year, a new ESR build is produced from the then-latest Firefox.

Pollack touted Firefox’s speed, something Mozilla has hung much of its Quantum marketing around, the Mozilla Foundation’s emphasis on user privacy, and, of course, the new management skills in his pitch to corporations. Left unsaid was Mozilla’s historical neglect of the enterprise: It kicked off ESR in 2012, but then took six years to add basic management through Group Policy.

The move also signals that Mozilla is actively after customers anywhere it can find them. Although Quantum collected praise from many reviewers when it launched last year, the overhaul has not returned the browser to growth, as tracked by independent metrics companies. U.S.-based vendor Net Applications, for example, has recorded an 11% decrease in Firefox’s user share since Quantum’s November debut.

Tokens replace passwords

Firefox 60 also added support for the WebAuthn API (application programming interface), which is enabled by default.

A W3 (World Wide Web Consortium) standard — albeit not finalized — WebAuthentication (truncated to WebAuthn) provides two-factor authentication for website log-ins using hardware keys that generate FIDO U2F tokens. Those keys, typically USB devices, are sold under names such as U2F Zero, ePass and Yubikey at prices ranging from $9 to $50.

Although Firefox 60 is the first browser to support WebAuthn, Google was a major driver of FIDO U2F; its Chrome has supported the keys since version 38 in 2014.

“WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts,” Nick Nguyen, Mozilla’s vice president of product strategy, wrote in a company blog post Wednesday. “It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints.”

So, while Firefox 60 does not do away with log-on passwords, by supporting WebAuthn — and assuming site developers adopt the standard — Firefox in the future may do so with next-generation hardware keys.

Mozilla also patched 26 security vulnerabilities in Firefox 60, two of which were marked “Critical,” the company’s most serious threat ranking.

The next edition, Firefox 61, should reach users June 26, according to the browser’s release calendar.

Firefox 59

Mozilla on Tuesday released Firefox 59 for Windows, macOS and Linux, continuing the trend of pushing performance improvements begun late last year.

Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or details the updating process.

Mozilla usually updates Firefox every six to eight weeks; the last time it upgraded the browser, to version 58, was Jan. 23, or seven weeks ago.

Pages load faster after cache changes

Firefox 59 stayed on Mozilla’s 2017 theme train — more speed — that debuted with November’s launch of the first named edition, tagged as “Quantum,” with claims of faster load times for the content on the browser’s Home page. That content ranges from a series of frequently-visited websites and recommendations from the user-driven Pocket URL saver to examples of pages the user recently bookmarked.

Mozilla also switched on something called “Race Cache with Network” (RCWN), technology that alters the standard method of caching pages to memory that have been rendered previously. Caching, one of the most basic techniques to speed up the display of web pages in a browser, normally saves those pages to computer memory or the local disk drive.

RCWN, however, adds a network cache — in other words, off-site storage of the page — to the mix, then pits that against a local cache in a race to see which source delivers first. (Many ISPs, or Internet service providers, cache the most popular websites on multiple servers, placed throughout its area of service, to reduce the time it takes for customers to grab content.)

“When we detect that disk I/O may be slow, we send a network request in parallel, and we use the first response that comes back,” wrote Valentin Gosu, a Mozilla engineer, in a 2017 post to a developers’ discussion thread. “For users with slow-spinning disks and a low-latency network, the result would be faster [page] loads.”

Finally, the “Off-Main-Thread painting” that Mozilla added to Firefox 58 for Windows in January has made it to macOS this iteration. Off-Main-Thread shifts some of the page rendering work — executing the graphics draw commands and thus generating the pixels to be put on the display — to a processor thread all its own. By reducing the main thread’s workload, it’s more likely that Firefox will be able to compose pages in time to keep high frame rate jobs from skipping frames.

More new tab page customization options

Firefox 59 also introduced additional customization choices for the Home page, which doubles as the new tab page (what appears when creating a new tab through, say, pressing Ctrl-T in Windows or Command-T in macOS). The “Top Sites” thumbnails of the most-frequently visited URLs can now be dragged and dropped to rearrange the small images.

Firefox 59 Mozilla

Firefox 59, which began reaching users March 13, includes new settings to customize the Home page, which also acts as the new tab page for the browser. Users can strike the Pocket recommendations, for example, and double the number of site favorites which display as thumbnails.

Other elements in the new tab page may also be personalized to show more than a single line of top sites, or to eliminate, for example, the Pocket or Highlight sections entirely.

Elsewhere, Firefox’s preferences now include opt-in settings that will block all future requests to turn on in-browser notifications, switch on the device’s camera or microphone, or enable location detection. While all of those features have been, and are, used in reasonable fashion by legitimate websites, less courteous — or simply scammy — URLs have poisoned the well by demanding those permissions without good reason.

Trusted sites can be allowed access or individual websites blocked through a combination blacklist/whitelist.

Testing starts for Quantum Enterprise

As Mozilla delivered Firefox 59, it also began taking requests from company IT administrators to participate in an invitation-only beta of Firefox Quantum for Enterprise.

While the enterprise browser will be identical to that issued to everyone else, Mozilla intends to provide a policy engine, one compatible with Windows Group Policy — the de facto standard for software administration — with the browser. That will be a first for the open-source developer.

“Firefox 60 will include a policy engine that increases customization possibilities and integration into existing management systems,” Mozilla said in January when it announced the plan.

Although the initial release will support a “limited number” of policies, Mozilla said it would expand that list based on enterprise user feedback. That feedback is what the company is after now, in fact: The beta is intended to gather impressions and make changes before May, when Firefox 60 and the policy engine, are slated to ship.

Administrators can sign up for the beta here.

For more information on the policy engine, admins should steer for the introductory instructions on this page.

Mozilla also patched 18 security vulnerabilities in the just-released version, two of which were marked “Critical,” the company’s most serious threat ranking.

The next edition, Firefox 60, should reach users May 9, according to the browser’s release calendar.

Firefox 58

Mozilla last week released Firefox 58 for Windows, macOS and Linux, building on the break-from-the-past Quantum edition of November by boosting page load speeds with changes to how the browser handles JavaScript.

Firefox, which can be downloaded from here, updates in the background, so most users need only relaunch the browser to get the latest version. To manually update, click the help icon — the question mark within a circle — after pulling up the menu under the three horizontal bars at the upper right. Choose “About Firefox.” The ensuing page shows that the browser is either up to date or details the updating process.

Mozilla usually updates Firefox every six to eight weeks, although the interval tends to lengthen around the end of each year; the last time it upgraded the browser, to version 57, aka “Quantum,” was Nov. 14, or 10 weeks ago.

New JavaScript cache

Firefox 58 continued Quantum’s theme of 2017 — a need for speed — with changes to the browser’s storage and retrieval of JavaScript code. Dubbed “JavaScript Startup Bytecode Cache” (JSBC), the enhancements trade memory for faster page load times.

“The JSBC aims at improving the startup of web pages by saving the bytecode of used [JavaScript] functions in the network cache,” Nicolas Pierron, a compiler engineer at Mozilla, wrote in a December post to a company blog. To reach a reasonable balance — one that increases speed with the best return from the additional memory used by the cache — JSBC only kicks into gear at the fourth visit to a website. On sites that frequently load JavaScript, JSBC cut load times by as much as 12% (on Facebook), although most test results, said Pierron, were in single digits (Amazon: 5%; Wikipedia: (8%).

The downside: More memory is consumed by dedicating it to storing the JavaScript. Pierron did not spell out the memory cost of implementing JSBC, however.

More multi-threading

Firefox 58 also introduced another speed-centric change, this one consistent with Mozilla’s work to separate into different CPU processes the steps used to compose a web page. Characterizing the change as one that “more efficiently paints your screen, using a dedicated CPU thread,” particularly to improve JavaScript frame rate, Mozilla labeled it as “Off-Main-Thread painting.” The effort is for Windows only, Mozilla noted.

Previously, the bulk of the page composition was done on a single processor thread, but Off-Main-Thread shifts some of the work — executing the graphics draw commands and thus generating the pixels to be put on the display — to a thread all its own. By reducing the main thread’s workload, it’s more likely that Firefox will be able to compose pages in time to keep high frame rate chores from skipping frames.

Like JSBC, Off-Main-Thread takes aim at JavaScript, because it’s often JavaScript code that is producing the content with high frame rates. On Windows, Mozilla claimed a 30% boost to frame rate on a benchmark that stressed the processor with JavaScript.

Better Tracking Protection

Mozilla also spent time in its standard on-release blog post to hype an older feature, Tracking Protection. With Firefox 57 (Quantum), Mozilla opened the opt-in to all sessions, not just the private browsing mode in which Tracking Protection debuted two years ago.

Tracking Protection does just what the label implies: When enabled, it blocks a wide range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users from one site to another.

Historically, Mozilla has touted Tracking Protection as a win for individuals’ online privacy, a message in line with the company’s broader theme that its products, Firefox in particular, are designed as privacy-first. Now, however, Mozilla has bent that pitch to align with its overall need-for-speed mantra.

“In addition to protecting their privacy, users actually have a better, faster experience with the web when pages load without trackers,” argued Nick Nguyen, Mozilla’s top Firefox executive, in a post to a company blog last week. On average, page load times were cut in half compared to Firefox with Tracking Protection disabled, Nguyen said.

Many content blockers — ranging from those that specialize in stymying ads to those that remove everything but a page’s text — make the same claim, of course. By stripping a page of some of its content, it will load faster.

Mozilla patched 32 security vulnerabilities in the just-released version, only one of them marked “Critical,” the firm’s highest ranking.

The next edition, Firefox 59, should reach users March 12, according to the browser’s release calendar.