The Mozilla Corporation announced today it was laying off approximately 250 staff members in a move to shore up the organization's financial future. From a report: The layoffs were publicly announced in a blog post today. Employees were notified hours before, earlier this morning, via an email sent by Mitchell Baker, Mozilla Corporation CEO and Mozilla Foundation Chairwoman. Baker's message cited the organization's need to adapt its finances to a post-COVID-19 world and re-focus the organization on new commercial services. Baker said that after the onset of the COVID-19 pandemic, Mozilla attempted to minimize the healthcare crisis' financial impact with "immediate cost-saving measures such as pausing our hiring, reducing our wellness stipend and cancelling our All-Hands [meetings]." However, Baker said that Mozilla's "pre-COVID plan is no longer workable." "We have talked about the need for change -- including the likelihood of layoffs -- since the spring. Today these changes become real," the Mozilla CEO said today.

Firefox has fixed a bug that was being exploited in the wild by tech support scammers to create artificial mouse cursors and prevent users from easily leaving malicious sites. From a report: The bug was discovered being abused online by UK cyber-security firm Sophos and reported to Mozilla earlier this year. A bugfix was provided and has been live in Firefox since version 79.0, released last week. he bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites. This type of customization might look useless, but it's often used for browser-based games, browser augmented reality, or browser virtual reality experiences. However, custom cursors have been a major problem for the regular web. In evil cursor attacks, malicious websites tamper with cursor settings in order to modify where the actual cursor is visible on screen, and where the actual click area is.

An anonymous reader shares a report: For years now, Google Chrome has been an absolute dominant force in the world of web browsers, but since the relaunch of Microsoft Edge based on Google's Chromium, that position has been challenged. Now, Google is preparing to drive more Android owners back to using Chrome through targeted notifications. Over the admittedly brief history of the Internet, there have been a number of fierce competitions, commonly called "browser wars," between companies, in an effort to get more people to use their particular web browser. Mozilla and Netscape waged war against Internet Explorer, and Chrome fought and won against Firefox. Most recently, Microsoft Edge and Samsung Internet have begun to wage war against Chrome on desktop and Android respectively. Now, we've found that Google is preparing to try and win back some of those who have left Chrome for other browsers, starting on Android. Based on our reading of a series of code changes, we believe Google Chrome for Android will send you a notification if you haven't used Chrome in a while.

An anonymous reader writes: Mozilla today started rolling out Enhanced Tracking Protection (ETP) 2.0 in Firefox. While the company technically launched Firefox 79 for Windows, Mac, and Linux last week, it only unveiled its marquee feature today. Firefox 79 by default blocks redirect tracking, also known as bounce tracking, and adds a handful of new developer features. [...] Since enabling Enhanced Tracking Protection by default, Mozilla says it has blocked 3.4 trillion tracking cookies. But the company notes the ad industry has since created workarounds and new ways to collect user data as you browse the web.

July's statistics from web analytics firm Net Applications showed continuing changes in the most frequently-used web browsers. Softpedia reports: Last month, Google Chrome increased its market share from 70.19% to 71.00%, while Microsoft Edge jumped from 8.07% to 8.46%... The migration to the Chromium engine allowed Microsoft to turn Edge into a cross-platform browser, and this is one of the reasons that contributed to the growth of the new app. Edge is now available not only on Windows 10, but also on Windows 7, Windows 8, Windows 8.1, and even macOS. At the same time, Microsoft is also working on a Linux version of the browser, and a preview build is expected by the end of the year.

But what made Microsoft Edge the second most-used desktop browser out there so fast after the switch to Chromium is definitely Microsoft offering it as the default browser in Windows 10.
But what about Firefox? And Opera, and Apple's Safari? Computerworld reports: A decade ago, Mozilla's browser may have dreamed of upsetting the then-order of things, taking its April 2010 share of 25.1% and parlaying it into victory over IE — down to 61.2% by then... But that was Firefox's peak.

At the end of July, Firefox stood at 7.3%, down three-tenths of a percentage point from the previous month... Firefox let its second-place spot (far, far behind Chrome) slip away in March, when Edge snatched it. That did not change in July. The gap between the two more than doubled, in fact, to 1.2 points. On almost every browser share metric, Firefox is in trouble... Since the end of January, Firefox has been stuck in the 7s; for the eight months before that, it was mired in the 8s; and between May 2018 and March 2019, Firefox floundered in the 9s. The trend is crystal clear...

Elsewhere in Net Applications' numbers, Apple's Safari plunged to 3%, a loss of six-tenths of a point, its lowest mark since late 2008. Opera software's Opera also took a dive, ending July at 0.8%, a decline of three-tenths of a point. Those numbers have to be frightening to both those browsers' makers.

"Programming language Python is now firmly the second most popular programming language, for the first time knocking Java out of the top two places in RedMonk's language popularity rankings," reports ZDNet: It's the first time since 2012 that Java is not one of the top two most popular languages in the developer analyst firm's programming language popularity list. The company's previous rankings in March placed machine-learning propelled Python in a tie for second place with Java, behind JavaScript.

RedMonk's influential programming popularity rankings are based on GitHub and Stack Overflow data. The company combines them "for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction", says RedMonk analyst Stephen O'Grady, who notes "all numerical rankings should be taken with a grain of salt....

"Python is the first non-Java or JavaScript language ever to place in the top two of these rankings by itself, and would not have been the obvious choice for that distinction in years past," O'Grady notes, comparing it to Perl in its heyday because it has become a "language of first resort" and the "glue" for thousands of small projects, while enjoying high adoption in growing categories such as data science...

Five-year-old systems-programming language Rust, created by Mozilla, has hit a more positive milestone, for the first time becoming the 20th most popular language in RedMonk's rankings.
Last week IEEE Spectrum also declared Python "dominated" their assessment of language popularity (compiled from 11 different online metrics), followed by Java and C (and then C++ and JavaScript).

Google and Apple, which already battle over mobile operating systems, are opening a new front in their fight. How that plays out may determine the future of the web. From a report: Google was born on the web, and its business reflects its origin. The company depends on the web for search and advertising revenue. So it isn't a surprise that Google sees the web as key to the future of software. Front and center are web apps, interactive websites with the same power as conventional apps that run natively on operating systems like Windows, Android, MacOS and iOS. Apple has a different vision of the future, one that plays to its strengths. The company revolutionized mobile computing with its iPhone line. Its profits depend on those products and the millions of apps that run on them. Apple, unsurprisingly, appears less excited about developments, like web apps, that could cut into its earnings.

The two camps aren't simply protecting their businesses. Google and Apple have philosophical differences, too. Google, working to pack its dominant Chrome browser with web programming abilities, sees the web as an open place of shared standards. Apple, whose Safari browser lacks some of those abilities, believes its restraint will keep the web healthy. It wants a web that isn't plagued by security risks, privacy invasion and annoyances like unwanted notifications and permission pop-ups. Google leads a collection of heavy-hitting allies, including Microsoft and Intel, trying to craft new technology called progressive web apps, which look and feel like native apps but are powered by the web. PWAs work even when you have no network connection. You can launch PWAs from an icon on your phone home screen or PC start menu, and they can prod you with push notifications and synchronize data in the background for fast startup. PWA fans include Uber, travel site Trivago and India e-commerce site Flipkart. Starbucks saw its website usage double after it rolled out a PWA.

The split over native apps and web apps is more than just a squabble between tech giants trying to convert our lives online into their profits. How it plays out will shape what kind of a digital world we live in. Choosing native apps steers us to a world where we're locked into either iOS or Android, limited to software approved by the companies' app stores and their rules. Web apps, on the other hand, reinforce the web's strength as a software foundation controlled by no single company. A web app will work anywhere, making it easier to swap out a Windows laptop for an iPad. "What you're seeing is the tension between what is good for the user, which is to have a flexible experience, and what's good for the platform, which is to keep you in the platform as much as possible," said Mozilla Chief Technology Officer Eric Rescorla.

"Starting today, there's a VPN on the market from a company you trust," Mozilla announced Wednesday.

Mozilla VPN is now officially available for Windows and Android in six countries: the U.S., Canada, the U.K., Singapore, Malaysia, and New Zealand, and it'll be coming to even more countries later this year, reports the Verge: The service is available for $4.99 a month, and, like other VPNs, it's designed to make your web-browsing more private and secure. As part of the move, the service is being rebranded from Firefox Private Network to Mozilla VPN, a change that was announced last month.

Mozilla argues that its VPN service has a couple of advantages over its many competitors. It says it should offer a faster browsing experience in many cases because it's based on a protocol with less than a third of the lines of code of an average VPN service provider. The company is also banking on the reputation it's built up with its privacy-focused browser, and it adds that it only collects the information it needs to run a service and doesn't keep user data logs.

The VPN's launch follows beta trials in the US, which also included tests of a VPN built directly into the Firefox browser. Last month, Mozilla announced that it would be testing asking users to pay $2.99 a month for unlimited usage of the extension, which is designed to mask your traffic within the browser rather than at a system-wide level.

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked. From a report: A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October. The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV. The bug manifests when users chose to video stream from a website loaded in Firefox instead of a native app. Mobile users often choose to stream from a mobile browser for privacy reasons, such as not wanting to install an intrusive app and grant it unfettered access to their smartphone's data. Mobile browsers are better because they prevent websites from accessing smartphone data, keeping their data collection to a minimum. The Appear TV developer noticed that Firefox video streams kept going, even in situations when they should have normally stopped.

The new lightweight and royalty-free AVIF image format is coming to web browsers. Work is almost complete on adding AVIF support to Google Chrome and Mozilla Firefox. From a report: The new image format is considered one of the lightest and most optimized image compression formats, and has already gained praise from companies such as Netflix, which considers it superior to existing image formats such as JPEG, PNG, and even the newer WebP. The acronym of AVIF stands for AV1 Image File Format. As its name hints, AVIF is based on AV1, which is a video codec that was developed in 2015, following a collaboration between Google, Cisco, and Xiph.org (who also worked with Mozilla). At the time, the three decided to pool their respective in-house video codecs (VPX, Thor, and Daala) to create a new one (AV1) that they planned to offer as an open-source and royalty-free alternative to all the commercial video codecs that had fragmented and clogged the video streaming market in the late 2000s and early 2010s.

An anonymous reader writes: Mozilla has temporarily suspended the Firefox Send file-sharing service as the organization investigates reports of abuse from malware operators and while it adds a "Report abuse" button. The browser maker took down the service today after ZDNet reached out to inquire about Firefox Send's increasing prevalence in current malware operations. Since last year, several malware operations have hosted payloads on the service. This includes ransomware gangs like REvil/Sodinokibi, financial crime crews like FIN7, the Zloader and Ursnif banking trojans operations, and government surveillance groups targeting human rights defenders. Reasons include the fact that Firefox Send doesn't have an Report Abuse mechanism, all file uploads are encrypted (useful to dodge malware scanners), and the Firefox URL is whitelisted in most orgs (useful for bypassing email filters).

Long-time Slashdot reader dhammabum writes: As reported in the recent slashdot story, starting in September we system admins will be forced into annually updating TLS certificates because of a decision by Apple, abetted by Google and Mozilla. Supposedly this measure somewhat rectifies the current ineffective certificate revocation list system by limiting the use of compromised certificates to one year... But in an attempt to prevent this pathetic measure, could we instead use DNS to replace the current certificate revocation list system?

Why not create a new type of TXT record, call it CRR (Certificate Revocation Record), that would consist of the Serial Number (or Subject Key ID or thumbprint) of the certificate. On TLS connection to a website, the browser does a DNS query for a CRR for the Common Name of the certificate. If the number/key/thumbprint matches, reject the connection. This way the onus is on the domain owner to directly control their fate. The only problem I can see with this is if there are numerous certificate Alternate Names — there would need to be a CRR for each name. A pain, but one only borne by the hapless domain owner.

Alternatively, if Apple is so determined to save us from ourselves, why don't they fund and host a functional CRL system? They have enough money. End users could create a CRL request via their certificate authority who would then create the signed record and forward it to this grand scheme.

Otherwise, are there any other ideas?

Mozilla today released the latest version of Common Voice, its open source collection of transcribed voice data for startups, researchers, and hobbyists to build voice-enabled apps, services, and devices. Common Voice now contains over 7,226 total hours of contributed voice data in 54 different languages, up from 1,400 hours across 18 languages in February 2019. From a report: Common Voice consists not only of voice snippets, but of voluntarily contributed metadata useful for training speech engines, like speakers' ages, sex, and accents. It's designed to be integrated with DeepSpeech, a suite of open source speech-to-text, text-to-speech engines, and trained models maintained by Mozilla's Machine Learning Group. Collecting the over 5.5 million clips in Common Voice required a lot of legwork, namely because the prompts on the Common Voice website had to be translated into each language. Still, 5,591 of the 7,226 hours have been confirmed valid by the project's contributors so far. And according to Mozilla, five languages in Common Voice -- English, German, French, Italian, and Spanish -- now have over 5,000 unique speakers, while seven languages -- English, German, French, Kabyle, Catalan, Spanish, and Kinyarwandan -- have over 500 recorded hours.

williamyf shares a report from The Register: Mozilla has released Firefox 78 with a new Protections Dashboard and a bunch of updates for web developers. This is also the last supported version of Firefox for macOS El Capitan (10.11) and earlier. Firefox is on a "rapid release plan," which means a new version every four to five weeks. This means that major new features should not be expected every time. That said, Firefox 78 is also an extended support release (ESR), which means users who stick with ESR get updates from this and the previous 10 releases. The main new user-facing feature in Firefox 78 is the Protections Dashboard, a screen which shows trackers and scripts blocked, a link to the settings, a link to Firefox Monitor for checking your email address against known data breaches, and a button for password management.

Developers get a bunch of new features. The Accessibility inspector is out of beta -- this is a tab in the developer tools that will check a page for accessibility issues when enabled. Source maps are a JavaScript feature that map minified code back to the original code to make debugging easier. Firefox has a Map option that lets you use source maps in the debugger, and this now works with logpoints, a type of breakpoint that writes a message to the console rather than pausing execution, so that you see the original variable names. Mozilla has also worked on debugging JavaScript promises, so you can see more detail when exceptions are thrown.

A big feature for debugging web applications when running on mobile is the ability to connect an Android phone with USB, and navigate and refresh mobile web pages from the desktop. Patience is required though, since this will only work with a forthcoming new version of Firefox for Android. Mozilla has been working on a new Regular Expression (RegExp) evaluator and this is included in SpiderMonkey (Mozilla's JavaScript engine) in Firefox 78. This brings the evaluator up to date with the requirements of ECMAScript 2018.

A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates. From a report: Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers. Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days. The move is an important one because it not only changes how a core part of the internet works -- TLS certificates -- but also because it breaks away from normal industry practices and the cooperation between browsers and CAs. Known as the CA/B Forum, this is an informal group made up of Certificate Authorities (CAs), the companies that issue TLS certificates used to support HTTPS traffic, and browser makers. Since 2005, this group has been making the rules on how TLS certificates should be issued and how browsers are supposed to manage and validate them.

Apple said last week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting. Technologies that Apple declined to include in Safari because of user fingerprinting concerns include: Web Bluetooth - Allows websites to connect to nearby Bluetooth LE devices.
Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.
Magnetometer API - Allows websites to access data about the local magnetic field around a user, as detected by the device's primary magnetometer sensor.
Web NFC API - Allows websites to communicate with NFC tags through a device's NFC reader.
Device Memory API - Allows websites to receive the approximate amount of device memory in gigabytes.
Network Information API - Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes.

Battery Status API - Allows websites to receive information about the battery status of the hosting device. Web Bluetooth Scanning - Allows websites to scan for nearby Bluetooth LE devices.
Ambient Light Sensor - Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device's native sensors.
[...]
The vast majority of these APIs are only implemented in Chromium-based browsers, and very few on Mozilla's platform. Apple claims that the 16 Web APIs above would allow online advertisers and data analytics firms to create scripts that fingerprint users and their devices.

Some of America's biggest brands — Coca-Cola, The Hershey Company and the Levi Strauss & Co. — "are among the latest in pledging to halt advertising on Facebook as part of a growing boycott," reports USA Today: Despite Facebook CEO Mark Zuckerberg outlining several steps the social network will take to combat hate speech ahead of the 2020 presidential election Friday, the companies joined Unilever, Honda, Verizon and others in the protest... Jen Sey, chief marketing officer of Levi's, said in a statement late Friday the company was pausing all paid Facebook and Instagram advertising globally at least through the end of July across all of its brands. "When we re-engage will depend on Facebook's response," Sey said. The ad boycott on Facebook focuses on advertising for the month of July and also includes Eddie Bauer and Ben & Jerry's... Patagonia, REI, Mozilla and Upwork in addition to about 100 smaller companies also have said they are committed.

Nearly all of the social media company's revenue comes from advertising on Facebook and Instagram. Shares of Facebook dropped more than 8% on Friday.
Business Insider notes that the 8% drop in Facebook's stock price meant that Mark Zuckerberg's fortune dropped $7.21 billion in a single day.

And then Sunday Starbucks announced they were also taking action, suspending advertising on all social media because "we believe both business leaders and policy makers need to come together to affect real change."

UPDATE: It's also now being reported that even Pepsi is joining the boycott.

Both Edge and Chrome already allow users to try unreleased, experimental features (by typing about:flags in the address bar). Soon there'll be a similar "Firefox Experiments" option starting in Firefox 79.

Slashdot reader techtsp shares this report from the Windows Club: Mozilla has a dedicated Experimental Features page on MDN just for that. But limiting experimental features to Firefox's Nightly channel has a limitation: A fairly limited number of "curious" users. Now, extending some of these experimental features to stable releases will increase the scope of "Firefox Experiments" as a whole... This option will allow users to enable/disable experimental features under Preferences...

[In Firefox 79] Navigate to Preferences by entering about:preferences in the browser's address bar or click the gear icon and got to "Preferences." Discover and set browser.preferences.experimental to True. Now, you should be able to see the "Firefox Experiments" menu under Firefox 79 Preferences.

Comcast has joined Cloudflare and NextDNS in partnering with Mozilla's Trusted Recursive Resolver program, which aims to make DNS more trusted and secure. Neowin reports: Commenting on the move, Firefox CTO Eric Rescorla, said: "Comcast has moved quickly to adopt DNS encryption technology and we're excited to have them join the TRR program. Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs."

With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content. Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.

When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."

With Safari on iOS 14, MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords. From a report: Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online. The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.