Firefox 69: It’s free, but you're not the product

Richi Jennings, Industry analyst and editor, RJAssociates

The Mozilla Foundation makes good on its promises this week. The new version of the Firefox browser includes strong protections against tracking.

Critically, it’s now the default setting. After having been tested for a few months, the foxy devs clearly think it’s ready for prime time.

And not a moment too soon—or so say those falling out of love with Google. In this week’s Security Blogwatch, we change horses in midstream.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Basket Case.

Time for Chrexit?

What’s the craic? Paul Thurrott reports—Firefox 69 Arrives with Enhanced Tracking Protection:

As you may recall, Firefox began enabling Enhanced Tracking Protection for new users and new installs of the browser back in June. With today’s release of Firefox 69, that protection is enabled by default for everyone.

Other new features and changes … give users the option to block any video that automatically starts playing (and not just those that automatically play with sound) … support for more passwordless experiences on the web using Windows Hello … battery life and download UI improvements (macOS only), and an ARM64 version of JIT for improved JavaScript performance.

Nice. Emil Protalinski adds—Firefox 69 arrives:

And it asks for permission before turning on Flash … ahead of Flash’s planned death in 2020. … According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider.

In June, Mozilla turned on Enhanced Tracking Protection for new downloads of Firefox. … Third-party tracking cookies from over 2,500 tracking domains are blocked without users having to change anything. For those who already had Firefox, Mozilla planned to roll out Enhanced Tracking Protection by default “in the coming months.” That time has now come.

[It] shows the companies Firefox has blocked and lets you turn off blocking for a specific site. The feature focuses on third-party trackers (the ad industry) while allowing first-party cookies (logins, where you last left off, and so on).

Mozilla also wanted to tackle cryptomining, which uses your CPU to generate cryptocurrency for someone else, and fingerprinting, which builds a digital fingerprint that tracks you across the web. … With Firefox 69, cryptomining is now blocked by default. [It] also blocks fingerprinting as part of the Strict setting, and Mozilla plans to turn it on by default in a later release.

Whither ad-blocking extensions? Thomas Claburn explains—Mozilla says Firefox won't defang ad blockers:

Mozilla said it is not planning to change the ad-and-content blocking capabilities of Firefox to match what Google is doing in Chrome. [Google recognized] that many of its products and services can be abused by unscrupulous developers.

Developers who created extensions … may have to revise their code to keep it working with future versions of Chrome. [But] that may not be practical or possible.

Mozilla offers Firefox developers the Web Extensions API, which is mostly compatible with the Chrome extensions platform. … The question is whether content and ad blocking must get worse for security to get better.

Google's related web technology proposal two weeks ago to build a "privacy sandbox," through a series of new technical specifications that would hinder anti-tracking mechanisms, has been dismissed as disingenuous "privacy gaslighting." … When Google, the world's largest online ad company, says it's fine with ad blocking – even though its financial filings have cited ad blocking as a revenue risk – there's some reason to be skeptical.

From the horse’s mouth, Mozilla’s Marissa Wood would like to stress, “by Default”:

Firefox on desktop and Android will — by default — empower and protect all our users. [It] marks a major step in our multi-year effort to bring stronger, usable privacy protections to everyone.

For today’s release, Enhanced Tracking Protection will automatically be turned on by default for all users worldwide as part of the ‘Standard’ setting in the Firefox browser and will block known “third-party tracking cookies.” … As part of this journey we rigorously tested, refined, and ultimately landed on a new approach to anti-tracking that is core to delivering on our promise.

Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior … often without your knowledge or consent. Those profiles … may then be sold and used for purposes you never knew or intended.

Another type of script that you may not want to run in your browser are Fingerprinting scripts. They harvest a snapshot of your computer’s configuration. … The snapshot can then also be used to track you across the web.

Is it worth switching browser? Adam Payne speaks highly of the ’Fox:

I've been using Firefox for years now and there is no way I'm going to use anything else if I can help it.

I do use IE on occasion, you know just for the nostalgia.

I see. And Dw00p agrees:

Firefox has not only become relevant again, it has become the best browser again. Now if they would build in the functionality of uBlock Origin and remove all floating elements like sticky videos.

So Jen Simmons tweets an impassioned plea:

Please, web developers, make your websites work in Firefox! By testing your work in Firefox, too, you are supporting these efforts — casting your vote for the world we want to see.

Although, spire3661 swearily disagrees:

For ******'s sake they have emojis on the setting page.

It's incredibly hard to take them seriously when they act so unprofessionally. Every time I open it it asks me to update. It won't take 'no' for an answer.

Yeah, **** Firefox, they lost the plot a long time ago.

But why are people so set against ads? This Anonymous Coward explains:

I have an ad blocker on iOS. I recently reloaded it, and forgot to add back the ad blocker.

I quickly noticed the problem: The web was unusable. It was unbelievable how much garbage was [being] loaded.

Content creators are morons. They literally ruin their own websites.

I don’t mind ad-supported content, but it has to be reasonable.

Meanwhile, cpurdy got a cmouth: [You’re fired—Ed.]

I call it "FirePig" for a reason.

It's still the best choice out there for a browser, but that isn't saying much.

The moral of the story?

Choose people-first. Choose privacy-first. Reject Google’s opaque shenanigans.

And finally

Robyn’s Basket Case


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Peter Trimming (cc:by)
