Android

On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021 (letsencrypt.org) 45

This year Let's Encrypt announced that it's issued a billion certificates, and it's been estimated they've made certs for almost 30% of web domains. But Friday they posted that "The DST Root X3 root certificate that we relied on to get us off the ground is going to expire — on September 1, 2021. Fortunately, we're ready to stand on our own, and rely solely on our own root certificate."

"However, this does introduce some compatibility woes. Some software that hasn't been updated since 2016 (approximately when our root was accepted to many root programs) still doesn't trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let's Encrypt."

Android has a long-standing and well known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there's an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that's not worth the effort. The result is bad for the people who buy these devices: many are stuck on operating systems that are years out of date.

Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.

Let's Encrypt engineer Jacob Hoffman-Andrews explains that "In the time between now and September 29 we plan to start serving certificates with the 'alternate' link relation to allow Automatic Certificate Management Environment (ACME) clients to programmatically select a chain they prefer." But Friday's blog post explains that won't solve everything: "There will be site owners that receive complaints from users and we are empathetic to that being not ideal. We're working hard to alert site owners so you can plan and prepare. We encourage site owners to deploy a temporary fix (switching to the alternate certificate chain) to keep your site working while you evaluate what you need for a long-term solution: whether you need to run a banner asking your Android users on older OSes to install Firefox, stop supporting older Android versions, drop back to HTTP for older Android versions, or switch to a CA that is installed on those older versions."
Gizmodo notes that Firefox will be unaffected "since it relies on its own certificate store that includes Let's Encrypt's root, though that wouldn't keep applications from breaking or ensure functionality beyond your browser." They describe Let's Encrypt as "the Mozilla-partnered nonprofit," and offer this succinct summary of the problem:

"One of the world's top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021."
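As an added illustration, not code from Let's Encrypt or from the post quoted above, the following Python model walks a served chain against a client's root store the way the post's compatibility argument requires, and shows why the chain cross-signed by DST Root X3 keeps old Android working only until that root expires. Certificate names follow the post; the dates (other than the DST Root X3 expiry the post states) and the trust-store contents are constructed stand-ins, and the model assumes the client enforces its trust anchor's expiry.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the
    path-building decision below needs."""
    subject: str
    issuer: str
    not_after: date


def build_path(chain, trust_store, today):
    """Return (ok, reason) for a served chain against a client's root store.

    chain: certificates as served, leaf first.
    trust_store: {root name: root expiry date} held by the client.
    The path is accepted as soon as a certificate in the chain was issued by
    a root in the store. Every certificate examined on the way, and the root
    itself, must still be valid on `today` (assumption: the client enforces
    the trust anchor's expiry, which is what the post expects of old Android).
    """
    for cert in chain:
        if today > cert.not_after:
            return False, f"{cert.subject} expired on {cert.not_after}"
        if cert.issuer in trust_store:
            if today > trust_store[cert.issuer]:
                return False, f"trust anchor {cert.issuer} expired on {trust_store[cert.issuer]}"
            return True, f"anchored at {cert.issuer}"
    return False, f"{chain[-1].issuer} is not in the trust store"


# Expiry of DST Root X3 as stated in the post above; every other date is illustrative.
DST_EXPIRY = date(2021, 9, 1)

LEAF = Cert("example.org", "R3", date(2022, 1, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
# ISRG Root X1 as cross-signed by DST Root X3; the cross-sign cannot outlive that root.
X1_CROSS = Cert("ISRG Root X1", "DST Root X3", DST_EXPIRY)

DEFAULT_CHAIN = [LEAF, R3]               # terminates at the ISRG Root X1 anchor
ALTERNATE_CHAIN = [LEAF, R3, X1_CROSS]   # terminates at the DST Root X3 anchor

# Trust stores: Android 7.1.1+ carries both roots, older Android only DST Root X3.
NEW_ANDROID = {"ISRG Root X1": date(2035, 6, 4), "DST Root X3": DST_EXPIRY}
OLD_ANDROID = {"DST Root X3": DST_EXPIRY}


def outcomes(today_iso):
    """Which (client, chain) combinations validate on a given YYYY-MM-DD day."""
    today = date.fromisoformat(today_iso)
    cases = {
        "new/default": (DEFAULT_CHAIN, NEW_ANDROID),
        "new/alternate": (ALTERNATE_CHAIN, NEW_ANDROID),
        "old/default": (DEFAULT_CHAIN, OLD_ANDROID),
        "old/alternate": (ALTERNATE_CHAIN, OLD_ANDROID),
    }
    return {name: build_path(chain, store, today)[0] for name, (chain, store) in cases.items()}


if __name__ == "__main__":
    for day in ("2020-11-10", "2021-10-01"):
        print(day, outcomes(day))
```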
The Internet

Brave Browser First To Nix CNAME Deception (theregister.com) 47

An anonymous reader quotes a report from The Register: The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies. The browser security model makes a distinction between first-party domains -- those being visited -- and third-party domains -- from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser.

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited. They point to the site https://mathon.fr/ as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot. But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr. When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.
Other browser vendors are planning related defenses. "Mozilla has been working on a fix in Firefox since last November," notes The Register. "And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system."
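To make the uncloaking step concrete, here is an added Python example (not Brave's code) that re-classifies a request to a first-party subdomain as third party when its CNAME chain resolves into another registrable domain, and flags it when that domain is on a tracker list. The DNS answers, the tracker list and the target of 16ao.mathon.fr are constructed for the example, and the eTLD+1 helper is a two-label approximation standing in for a public-suffix list.

```python
# Constructed DNS answers standing in for live resolution: name -> CNAME target.
# 16ao.mathon.fr is the subdomain named above; its target and every other
# record here are invented for this example.
CNAME_RECORDS = {
    "16ao.mathon.fr": "tag.example-analytics.net",
    "tag.example-analytics.net": "edge.example-analytics.net",
    "static.mathon.fr": "mathon.cdn.example-cdn.com",
    "loop-a.example.org": "loop-b.example.org",
    "loop-b.example.org": "loop-a.example.org",
}

# Constructed tracker list, keyed by registrable domain as block lists usually are.
TRACKER_DOMAINS = {"example-analytics.net"}


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels.
    Assumption: no public-suffix list is available offline; real code must
    use one, since e.g. 'example.co.uk' needs three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_cnames(host, records, max_hops=8):
    """Follow CNAME records from host; return the names visited, in order.
    Stops at a name without a CNAME, on a loop, or after max_hops."""
    chain = [host]
    seen = {host}
    while chain[-1] in records and len(chain) - 1 < max_hops:
        nxt = records[chain[-1]]
        if nxt in seen:
            break  # CNAME loop: a resolver would fail; keep the last name seen
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify_request(page_host, request_host, records, trackers):
    """Classify a request issued by a page as (party, reason, is_tracker).

    A host on another registrable domain is third party outright. A host on
    the page's own domain is uncloaked: if its CNAME chain ends on a different
    registrable domain it is third party too, and a tracker if that final
    domain is on the list. Only third-party trackers are blocked."""
    page_site = registrable_domain(page_host)
    chain = resolve_cnames(request_host, records)
    final_site = registrable_domain(chain[-1])
    if registrable_domain(request_host) != page_site:
        return "third", "host is off the page's site", final_site in trackers
    if final_site != page_site:
        return "third", f"CNAME cloak: {' -> '.join(chain)}", final_site in trackers
    return "first", "same site", False


def should_block(page_host, request_host, records=CNAME_RECORDS, trackers=TRACKER_DOMAINS):
    """Block decision for one request: third party and on the tracker list."""
    party, _reason, is_tracker = classify_request(page_host, request_host, records, trackers)
    return party == "third" and is_tracker


if __name__ == "__main__":
    for host in ("www.mathon.fr", "16ao.mathon.fr", "static.mathon.fr", "edge.example-analytics.net"):
        print(host, classify_request("www.mathon.fr", host, CNAME_RECORDS, TRACKER_DOMAINS),
              "block" if should_block("www.mathon.fr", host) else "allow")
```

The CDN case shows why the final decision still goes through a list: a first-party name that CNAMEs to a CDN is uncloaked as third party but is not blocked.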
Windows

New Windows 10 Update Permanently Removes Adobe Flash (zdnet.com) 102

Microsoft has released a Windows update that removes Adobe's Flash Player before it reaches end of support on December 31, 2020. ZDNet reports: Update KB4577586 is part of Microsoft's effort to follow through with plans it announced along with Adobe, Apple, Facebook, Google, and Mozilla in 2017 to end support for Flash by December 2020. The Flash-removing update is available for all supported versions of Windows 10 and Windows Server, as well as Windows 8.1.

This new update removes Flash Player from Windows devices and cannot be uninstalled, Microsoft says in a new support note. However, it isn't rolling out via Windows Server Update Service (WSUS) just yet, and the update needs to be downloaded and installed from the Microsoft Update Catalog. It will become available to WSUS in early 2021, but admins can import it to WSUS manually today. Microsoft is releasing the Flash-removing update ahead of the end of support so that enterprise customers can test the impact on business applications when Flash is removed from a Windows PC or server. But the company says it will continue to deliver Flash security updates until support ends.

Microsoft has also detailed two methods that users and admins can follow to continue using Flash Player after the update is installed. Users can reset a device to an earlier system restore point. However, users need to explicitly enable this feature and a system restore point must have been created on the Windows device before the update is applied. The other option is to reinstall Windows without applying the update.

Chrome

So How Good Is Edge on Linux? (zdnet.com) 52

"No one asked Microsoft to port its Edge browser to Linux," writes Steven J. Vaughan-Nichols at ZDNet, adding "Indeed, very few people asked for Edge on Windows.

"But, here it is. So, how good — or not — is it..?" The new release comes ready to run on Ubuntu, Debian, Fedora, and openSUSE Linux distributions... Since I've been benchmarking web browsers since Mosaic rolled off the bit assembly line, I benchmarked the first Edge browser and Chrome 86 and Firefox 81 on my main Linux production PC.... First up: JetStream 2.0, which is made up of 64 smaller tests. This JavaScript and WebAssembly benchmark suite focuses on advanced web applications. It rewards browsers that start up quickly, execute code quickly, and run smoothly. Higher scores are better on this benchmark.

JetStream's top-scorer — drumroll please — was Edge with 136.971. But, right behind it within the margin of error, was Chrome with a score of 132.413. This isn't too surprising. They are, after all, built on the same platform. Back in the back was Firefox with 102.131. Next up: Kraken 1.1. This benchmark, which is based on the long-obsolete SunSpider, measures JavaScript performance. To this basic JavaScript testing, it added typical use-case scenarios. Mozilla, Firefox's parent organization, created Kraken. With this benchmark, the lower the score, the better the result. To no great surprise, Firefox took first place here with 810.1 milliseconds (ms). Following it was Chrome with 904.5ms and then Edge with 958.8ms.

The latest version of WebXPRT is today's best browser benchmark. It's produced by the benchmark professionals at Principled Technology. This company's executives were the founders of the Ziff Davis Benchmark Operation, the gold-standard of PC benchmarking. WebXPRT uses scenarios created to mirror everyday tasks. These include Photo Enhancement, Organize Album, Stock Option Pricing, Local Notes, Sales Graphs, and DNA Sequencing. Here, the higher the score, the better the browser. On this benchmark, Firefox shines. It was an easy winner with a score of 272. Chrome edges out Edge 233 to 230.

The article concludes that "Oddly, Edge, which turned in a poor performance when I recently benchmarked it on Windows, did well on Linux. Who'd have guessed...? Edge is a good, fast browser on Linux. If you're a Windows user coming over to Linux or you're doing development work aimed at Edge, then by all means try Edge on Linux. It works and it works well."

Yet Vaughan-Nichols admits he's still not going to switch to Edge. "Chrome is more than fast enough for my purposes and I don't want my information tied into the Microsoft ecosystem. For better or worse, mine's already locked into the Googleverse and I can live with that."
Python

Does Python Need to Change? (zdnet.com) 233

The Python programming language "is a big hit for machine learning," read a headline this week at ZDNet, adding "But now it needs to change."

Python is the top language according to IEEE Spectrum's electrical engineering audience, yet you can't run Python in a browser and you can't easily run it on a smartphone. Plus no one builds games in Python these days. To build browser applications, developers tend to go for JavaScript, Microsoft's type-safety take on it, TypeScript, Google-made Go, or even old but trusty PHP. On mobile, why would application developers use Python when there's Java, Java-compatible Kotlin, Apple's Swift, or Google's Dart? Python doesn't even support compilation to the WebAssembly runtime, a web application standard supported by Mozilla, Microsoft, Google, Apple, Intel, Fastly, RedHat and others.

These are just some of the limitations raised by Armin Ronacher, a developer with a long history in Python who 10 years ago created the popular Flask Python microframework to solve problems he had when writing web applications in Python. Austria-based Ronacher is the director of engineering at US startup Sentry — an open-source project and tech company used by engineering and product teams at GitHub, Atlassian, Reddit and others to monitor user app crashes due to glitches on the frontend, backend or in the mobile app itself... Despite Python's success as a language, Ronacher reckons it's at risk of losing its appeal as a general-purpose programming language and being relegated to a specific domain, such as Wolfram's Mathematica, which has also found a niche in data science and machine learning...

Peter Wang, co-founder and CEO of Anaconda, maker of the popular Anaconda Python distribution for data science, cringes at Python's limitations for building desktop and mobile applications. "It's an embarrassing admission, but it's incredibly awkward to use Python to build and distribute any applications that have actual graphical user interfaces," he tells ZDNet. "On desktops, Python is never the first-class language of the operating system, and it must resort to third-party frameworks like Qt or wxPython." Packaging and redistribution of Python desktop applications are also really difficult, he says.

Firefox

Firefox 'Site Isolation' Feature Enters User Testing, Expected Next Year (zdnet.com) 14

An anonymous reader shares a report: Site Isolation is a modern browser security feature that works by separating each web page and web iframes in their own operating system process in order to prevent sites from tampering with or stealing each other's data. The feature was first deployed with Google Chrome in mid-2018, with the release of Chrome 67. Although initially, Site Isolation was meant to be deployed as a general improvement to Chrome's security posture, the feature came just in time to serve as a protective measure against the Spectre vulnerability impacting modern CPUs. Seeing the feature's success, Mozilla also announced plans to support it with the Firefox browser in February 2019, as part of an internal project codenamed Fission.

For both Google and Mozilla, implementing Site Isolation was a time-consuming operation, requiring engineers to re-write large chunks of their browsers' internal architecture. The process took about two years for both Google and Mozilla. While Site Isolation is now a stable feature inside Chrome, this work is now nearing its completion inside Firefox. According to an update to the Project Fission wiki page, Site Isolation can now be enabled inside versions of Firefox Nightly, the Firefox version where new features are tested.

Mozilla

Mozilla Fears 'Collateral Damage' in Google Antitrust Case (venturebeat.com) 73

Mozilla has responded to the U.S. Department of Justice's antitrust lawsuit against Google, but rather than commending the DOJ's action, the Firefox browser maker has voiced concerns that its commercial partnership could make it "collateral damage" in the fight against Google's alleged monopolistic practices. From a report: The DOJ, with support from 11 U.S. states, confirmed yesterday that it is suing Google for allegedly violating anti-competition laws by crowding out rivals in the internet search and advertising markets. "Small and independent companies such as Mozilla thrive by innovating, disrupting, and providing users with industry-leading features and services in areas like search," Mozilla chief legal officer Amy Keating wrote in a blog post. "The ultimate outcomes of an antitrust lawsuit should not cause collateral damage to the very organizations -- like Mozilla -- best positioned to drive competition and protect the interests of consumers on the web."

Mozilla has a long and complicated history with Google. In recent years, Mozilla has launched countless privacy campaigns against the internet giant's various online properties, and just last month it introduced a new browser add-on to crowdsource research into YouTube's opaque recommendation algorithm. On the other hand, Mozilla relies heavily on royalties from a search engine partnership with Google. The duo recently extended their deal to make Google the default search engine inside Firefox in the U.S. and other markets, which will reportedly secure Mozilla up to $450 million over the next three years.

Firefox

Firefox 81 Released, Can Now Be Your Default Browser in iOS (engadget.com) 34

Engadget reports: One big benefit of iOS 14 is that you can set non-Apple-made apps as your default, including for email and web browsing. Hot on the heels of you being able to set Chrome and Gmail as your clients of choice, Firefox is enabling you to make its browser the default on iPhones and iPads. Naturally, you'll need to have both the latest version of the operating system and the apps, and then just make the switch inside settings.
Meanwhile, Bleeping Computer profiles some of the new features in this week's release of Firefox 81, including:
  • The ability to control videos via your headset and keyboard even if you're not using Firefox at the time
  • A new credit card autofill feature for Firefox users in the U.S. and Canada
  • A new theme called AlpenGlow
  • Firefox can now be set as the default system PDF viewer

Firefox

Bug Allowed Hijacking Other Firefox Mobile Browsers on the Same Wi-Fi Network (zdnet.com) 15

"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet: The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (i.e., such as sharing video streams with a Roku device).

When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...

The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.

Firefox

Firefox Usage is Down 85% Despite Mozilla's Top Exec Pay Going Up 400% (calpaterson.com) 169

Software engineer Cal Paterson writes: Mozilla recently announced that they would be dismissing 250 people. That's a quarter of their workforce so there are some deep cuts to their work too. The victims include: the MDN docs (those are the web standards docs everyone likes better than w3schools), the Rust compiler and even some cuts to Firefox development. Like most people I want to see Mozilla do well but those three projects comprise pretty much what I think of as the whole point of Mozilla, so this news is a big let down. The stated reason for the cuts is falling income. Mozilla largely relies on "royalties" for funding. In return for payment, Mozilla allows big technology companies to choose the default search engine in Firefox - the technology companies are ultimately paying to increase the number of searches Firefox users make with them. Mozilla haven't been particularly transparent about why these royalties are being reduced, except to blame the coronavirus. I'm sure the coronavirus is not a great help but I suspect the bigger problem is that Firefox's market share is now a tiny fraction of its previous size and so the royalties will be smaller too - fewer users, so fewer searches and therefore less money for Mozilla.

The real problem is not the royalty cuts, though. Mozilla has already received more than enough money to set themselves up for financial independence. Mozilla received up to half a billion dollars a year (each year!) for many years. The real problem is that Mozilla didn't use that money to achieve financial independence and instead just spent it each year, doing the organisational equivalent of living hand-to-mouth. Despite their slightly contrived legal structure as a non-profit that owns a for-profit, Mozilla are an NGO just like any other. In this article I want to apply the traditional measures that are applied to other NGOs to Mozilla in order to show what's wrong. These three measures are: overheads, ethics and results.

Mozilla

Mozilla WebThings IoT Platform Spun Out As an Independent Open Source Project (mozilla.org) 4

tola writes: Following a round of layoffs at Mozilla, their WebThings IoT platform is being spun out as an independent open source project by former employees, with a new commercial sponsor. WebThings is an open platform for monitoring and controlling devices over the web, built on W3C Web of Things standards. It includes WebThings Gateway which is a software distribution for smart home gateways focused on privacy, security and interoperability and the WebThings Framework which is a collection of re-usable software components to help developers build their own web things. The project will be renamed from "Mozilla WebThings" to "WebThings" and will move to a new home at https://webthings.io/. Users will be able to opt-in to receive software updates from the new community-run update servers and be offered the opportunity to transition to a replacement remote tunnelling service before Mozilla servers are shut down at the end of the year.
Java

Oracle's Plan to Keep Java Developers from Leaving for Rust and Kotlin (zdnet.com) 90

ZDNet reports: Oracle has released version 15 of Java, the language created 25 years ago by James Gosling at Sun Microsystems, which Oracle snapped up in 2009 for about $7.4bn to gain what it said was the "most important software Oracle has ever acquired". Java 15, or Oracle Java Development Kit (JDK) 15, brings the Edwards-Curve digital signature algorithm, hidden classes, and former preview features that have been finalized, including text blocks, and the Z Garbage Collector, while the sealed-classes feature arrives and pattern matching and records emerge as a second preview...

In July, Java fell out of RedMonk's top two positions for the first time since 2012 and now resides behind JavaScript and Python in terms of popularity. Tiobe in September ranked Java in second position, behind C and ahead of Python.... But Java is still hugely popular and widely used in the enterprise, according to Oracle, which notes it is used by over 69% of full-time developers worldwide... It counts Arm, Amazon, IBM, Intel, NTT Data, Red Hat, SAP and Tencent among its list of notable contributors to JDK 15. Oracle also gave a special mention to Microsoft and cloud system monitoring service DataDog for fixes...

As part of Java's 25th anniversary, Oracle commissioned analyst firm Omdia to assess its six-month release strategy for Java and whether it would be enough to keep millions of Java developers away from memory-safe alternatives such as Kotlin, the language Google has endorsed for Android development, and Rust, a system programming language that was created at Mozilla. "In Omdia's opinion, the work Oracle began a few years ago in moving to a six-month update cycle and introducing a new level of modularity, puts the vendor in good stead with its constituency of approximately 12 million developers," Oracle said in its report on Omdia's analysis.

"However, Oracle and the Java programming language need an ongoing series of innovative, must-have, and 'delightful' features that make the language even more user friendly and cloud capable. These will keep existing Java developers happy while steering potential Java developers away from newer languages like Rust and Kotlin."

Mozilla

Mozilla Shuts Down Firefox Send and Firefox Notes Services (zdnet.com) 27

Mozilla is shutting down two of its legacy products, Firefox Send and Firefox Notes, the company announced today. From a report: "Both services are being decommissioned and will no longer be a part of our product family," a Mozilla spokesperson told ZDNet this week. Of the two, the most beloved was Firefox Send, a free file-sharing service, and one of the few that supported sharing files in encrypted formats. Launched in March 2019, the service gained a dedicated fanbase but Send was taken offline earlier this summer after ZDNet reported on its constant abuse by malware groups. At the time, Mozilla said that Send's shutdown was temporary and promised to find a way to curb the service's abuse in malware operations. But weeks later, things changed after Mozilla leadership laid off more than 250 employees as part of an effort to re-focus its business on commercial products.
Mozilla

YouTube's Recommendation System is Criticized as Harmful. Mozilla Wants To Research It (cnet.com) 84

YouTube's video recommendation system has been repeatedly accused by critics of sending people down rabbit holes of disinformation and extremism. Now Mozilla, the nonprofit that makes the Firefox browser, wants YouTube's users to help it research how the controversial algorithms work. From a report: Mozilla on Thursday announced a project that asks people to download a software tool that gives Mozilla's researchers information on what video recommendations people are receiving on the Google-owned platform. YouTube's algorithms recommend videos in the "What's next" column along the right side of the screen, inside the video player after the content has ended, or on the site's homepage. Each recommendation is tailored to the person watching, taking into account things like their watch history, list of channel subscriptions or location. The recommendations can be benign, like another live performance from the band you're watching. But critics say YouTube's recommendations can also lead viewers to fringe content, like medical misinformation or conspiracy theories.
Chrome

How to Play Chrome's Hidden 'Dinosaur Game' and Firefox's 'Unicorn Pong' (howtogeek.com) 28

How-To Geek has discovered three of the world's most popular web browsers contain Easter Eggs: It seems like every browser has a hidden game these days. Chrome has a dinosaur game, Edge has surfing, and Firefox has . . . unicorn pong? Yep, you read that right — here's how to play it.

First, open Firefox. Click the hamburger menu (the three horizontal lines) at the upper right, and then click "Customize." On the "Customize Firefox" tab, you'll see a list of interface elements to configure the toolbar. Click and drag all the toolbar items except "Flexible Space" into the "Overflow Menu" on the right.

Click the Unicorn button that appears at the bottom of the window....

There are screenshots in the article illustrating all of the steps — and the result.
Programming

C++ is About To Get a Huge Update (zdnet.com) 217

ZDNet reports: The International Organization for Standardization's (ISO) C++ group, Working Group 21 (WG21), has agreed upon the finalized version of 'C++20', the first major update to the 35 year-old programming language since C++17 from 2017... The 2020 release of C++ is huge by historical standards. Herb Sutter, a Microsoft engineer and long-time chair of WG21 C++ ISO committee, said it "will be C++'s largest release since C++11", meaning it's bigger than any of the past three releases, which happen every three years. It's also the first version that has been standardized....

Two of the most important features coming to C++20 are "modules" and "coroutines". Modules, which was led by Google's Richard Smith, stands in for header files and helps isolate the effects of macros while supporting larger builds. As Sutter noted recently, C++20 marks the "first time in about 35 years that C++ has added a new feature where users can define a named encapsulation boundary...."

Coroutines represents a generalization of a function. "Regular functions always start at the beginning and exit at the end, whereas coroutines can also suspend the execution to be resumed later at the point where they were left off," C++ contributors explain in a proposal for coroutines.

"We expect it to be formally published toward the end of 2020," Sutter said in an announcement.

Interestingly, the year C++ was first released in 1985, Microsoft used it to build Windows 1.0, ZDNet points out. "These days Microsoft is exploring Mozilla-developed Rust to replace legacy Windows code written in C and C++ because of Rust's memory safety qualities."
Firefox

Is There A Google-Free Future For Firefox? (forbes.com) 99

Forbes reports: Firefox is exploring subscriptions and other "value exchange" services to ease its financial dependence on rival Google, according to the browser's lead developer.

Firefox maker, Mozilla, is in the uneasy position of being financially dependent on its search deal with Google, which accounts for the majority of the organization's revenue. Although Mozilla only last month renewed the search deal, ensuring Google remains the default search engine for Firefox in the U.S. and other territories, the company is keen to explore other ways of raising revenue, including charging users for services.

Mozilla's partnership with Google is an uncomfortable alliance, not only because the companies distribute rival browsers, but because their values are markedly different. While Google generates the vast bulk of its revenue from online advertising, Firefox's developers expend much of their effort creating tools that thwart advertisers, including the automatic blocking of third-party tracking tools and social-media trackers. "At Mozilla, we tend to believe things are at their best when users have this transparent value exchange," said Dave Camp, senior vice president of Firefox at Mozilla. "The advertising model has become a default way to fund things on the internet and to fund products, and we're pretty interested — not just for financial reasons, but actually for health of the internet reasons — to explore how can we do better for users than advertising."

Mozilla recently began charging users $4.99 per month for its VPN product and Camp says the company is exploring other subscription products. "We don't have any immediate plans in the Firefox team to do add-on services or anything like that at the moment, but we're going to look at other ways to get some value exchange going on," said Camp.

Cloud

AWS Introduces a Rust Language-Oriented Linux for Containers (zdnet.com) 35

An anonymous reader shares this enthusiastic report from ZDNet: Earlier this year, Linus Torvalds approved of adding drivers and other components in Rust to Linux.* Last week, at the virtual Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. ["Nothing firm has been determined yet," reported Phoronix, "but it's a topic that is still being discussed."] And, now Amazon Web Services (AWS) has announced that its just-released Bottlerocket Linux for containers is largely written in Rust.

Mozilla may have cut back on Rust's funding, but with Linux embracing Rust, after almost 30 years of nothing but C, Rust's future is assured. Rust was chosen because it lends itself more easily to writing secure software. Samartha Chandrashekar, an AWS Product Manager, said it "helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities." Many other developers agree with Chandrashekar.

Bottlerocket also improved its security by using Device-mapper's verity target. This is a Linux kernel feature that provides integrity checking to help prevent attackers from overwriting core system software or other rootkit type attacks. It also includes the extended Berkeley Packet Filter (eBPF). In Linux, eBPF is used for safe and efficient kernel function monitoring.

* Linus's exact words were "people are actively looking at, especially doing drivers and things that are not very central to the kernel itself, and having interfaces to do those, for example, in Rust. People have been looking at that for years now. I'm convinced it's going to happen one day."

The article also reminds readers that AWS's Bottlerocket "is also designed to be quick and easy to maintain... by including the bare essentials needed to run containers..."

"Besides its standard open-source elements, such as the Linux kernel and containerd container runtime, Bottlerocket's own code is licensed under your choice of either the Apache 2.0 or the MIT license."
Firefox

Firefox Will Add a New Drive-by-Download Protection (zdnet.com) 31

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user's computer. From a report: Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker. The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file. There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use. Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.
Privacy

Your Browsing History Can Uniquely Identify You (schneier.com) 32

An anonymous reader writes: Researchers from Mozilla report in a study that web browsing histories (the lists of user visited websites) are uniquely identifying users (PDF). In their study that was the case for 99% of users. Treating web browsing histories like fingerprints, the researchers analysed how the users can be reidentified just based on the coarsened list of user-visited websites.

In doing so they upheld and confirmed a previous study from 2012, prompting the author of the original study to say that web browsing histories are now personal data subject to privacy regulations like the GDPR.

Sensitivity of web browsing history data questions the laws allowing ISPs to sell web browsing histories.

The now-vindicated author of the 2012 study added this emphatic note in their blog post. "Web browsing histories are personal data. Deal with it."
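As an added worked example (not the study's code or data), the Python below carries out the two steps the summary describes on a constructed set of users: coarsening each history to the set of hosts visited, then measuring how many users that set singles out, and matching a later observation back to a known user. The histories are invented and tiny; the method is the point.

```python
from collections import Counter

# Constructed histories: user -> URLs visited. Invented for this example.
HISTORIES = {
    "u1": ["https://news.example/a", "https://mail.example/inbox", "https://shop.example/x"],
    "u2": ["https://news.example/b", "https://mail.example/sent", "https://shop.example/y"],
    "u3": ["https://news.example/c", "https://hobby-forum.example/t/12"],
    "u4": ["https://news.example/a", "https://mail.example/inbox",
           "https://shop.example/x", "https://bank.example/"],
    "u5": ["https://news.example/z"],
    "u6": ["https://news.example/q"],
}


def coarsen(urls):
    """Reduce a raw history to the set of hosts visited (paths dropped).
    This is the coarsened list the summary refers to: far less detail than
    full URLs, yet still enough to single people out."""
    hosts = set()
    for url in urls:
        rest = url.split("://", 1)[-1]
        hosts.add(rest.split("/", 1)[0].lower())
    return frozenset(hosts)


def fingerprint_stats(histories):
    """Per-user anonymity-set size (how many users share the same coarsened
    history) and the fraction of users whose history is unique."""
    prints = {user: coarsen(urls) for user, urls in histories.items()}
    counts = Counter(prints.values())
    anonymity = {user: counts[fp] for user, fp in prints.items()}
    unique = sum(1 for size in anonymity.values() if size == 1)
    return {"unique_fraction": unique / len(histories), "anonymity_sets": anonymity}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def reidentify(observed_urls, histories, min_score=0.5):
    """Match a later observation of someone's browsing to a known user by
    coarsened-history similarity. Returns (user, score); user is None when
    nobody is similar enough or when the best score is tied (ambiguous)."""
    observed = coarsen(observed_urls)
    scored = sorted(
        ((jaccard(observed, coarsen(urls)), user) for user, urls in histories.items()),
        reverse=True,
    )
    best_score, best_user = scored[0]
    if best_score < min_score or (len(scored) > 1 and scored[1][0] == best_score):
        return None, best_score
    return best_user, best_score


if __name__ == "__main__":
    print(fingerprint_stats(HISTORIES))
    print(reidentify(["https://news.example/new", "https://bank.example/login"], HISTORIES))
```

Users u5 and u6 show the limit of the method: a history of one common host cannot be told apart, while u4's extra bank visit makes an otherwise shared profile unique.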
