Forgot your password?
typodupeerror
Firefox Mozilla Software

Firefox 27 Released: TLS 1.2 Support, SPDY 3.1, SocialAPI Improvements 167

Posted by Soulskill
from the onward-and-upward dept.
jones_supa writes "Mozilla has released Firefox 27 for Linux, Android, Mac, and Windows (download). One of the big changes is enabling support for TLS 1.1 and 1.2 by default. Firefox 27 also supports the SPDY 3.1 protocol. Developers got some new toys: support was added for ES6 generators in SpiderMonkey, the debugger will de-obfuscate JavaScript, and style sheets can be reset by using all:unset. Mozilla also announced some new social integration options. In addition to all these changes, the Android version got some UI improvements and font readability upgrades. For a future release, Mozilla is currently testing a new approach for Firefox Sync in Nightly builds. They recognized the headaches involved with how it works, and they're now opting to use a simple e-mail and password combination like Google Chrome does. In the old system, users were forced to store an auto-generated authorization code, which, if lost, would render their bookmarks, passwords and browsing history inaccessible. "
This discussion has been archived. No new comments can be posted.

Firefox 27 Released: TLS 1.2 Support, SPDY 3.1, SocialAPI Improvements

Comments Filter:
  • Recent Firefox versions supported TLSv1.1 and TLSv1.2, by setting security.tls.version.max=2 in about:config. It is nice to have it by default now, but the missing bit was GCM ciphers support. They are important because CBC ciphers are more and more under attack (BEAST was CBC-specific). Do they implement GCM now?

    • What makes you think that the ciphers available in TLS were chosen for the benefit of users?

      • Back under the bridge...

        • Has the NSA sent out its minions to mod down comments pointing out they standards they worked to subvert?

          • by utkonos (2104836)
            Didn't some Snowden documents reveal that slashdot was used as an NSA vector to spread malware?
      • by manu0601 (2221348)

        At least I know what happens on servers I manage.

        Here is an Apache setup which blocks no modern client, and achieve 97% of AES256 with PFS enabled at mine:

        SSLProtocol all -SSLv2
        SSLHonorCipherOrder On
        SSLCipherSuite ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL

      • by epyT-R (613989)

        The same could potentially be said of any of them.

    • by Anonymous Coward

      Supporting TLSv1.2 requires GCM support.

      Not to be picky, but CBC and GCM aren't ciphers; they're modes of operation. AES can be run in either mode (and many others besides). Also, the concept of CBC isn't flawed, it was the particular implementation prior to TLSv.1.1 that was flawed. The CBC implementation in TLSv1.2 is not susceptible to BEAST.

  • Do not want ... (Score:5, Insightful)

    by gstoddart (321705) on Tuesday February 04, 2014 @02:52PM (#46152695) Homepage

    Mozilla also announced some new social integration options

    I sincerely hope these are optional and not going to get rammed down our throats so Mozilla can collect more ad revenue.

    Because, quite frankly, I have no interest in having my web browser trying to integrate with social media.

    • Re:Do not want ... (Score:5, Informative)

      by 0racle (667029) on Tuesday February 04, 2014 @03:03PM (#46152859)
      Did you see them before? This release didn't add them, it added more. Personally I have no idea where they are.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The fact that you do not see it is irrelevant.The code is there, increasing the attack surface of Firefox and thus adding risk for the user without giving him choice.

        This is especially annoying because 'social' is not a core function of a browser and should not be an integral part of it. This is what add-ons are for.

        • by Anonymous Coward

          It's not even enabled until YOU (as in: user) decide to turn on the social stuff. So no, it is not an attack surface if you leave it disabled.

    • by dysmal (3361085)
      On the plus side, the social integration probably won't work until version 30!
      • Re: (Score:3, Funny)

        by Anonymous Coward

        you mean, next Tuesday?

    • I don't use social media so could care less about bloatware.

      I just want FF's memory leak to be fixed instead of the devs ignoring it version after version, year after year.

      Chrome's "Task Manager" that shows per tab it's Name, Memory, CPU Usage, Network Traffic and FPS still lacks any counter part in FF.

      • Re:Do not want ... (Score:5, Informative)

        by Billly Gates (198444) on Tuesday February 04, 2014 @03:40PM (#46153373) Journal

        I don't use social media so could care less about bloatware.

        I just want FF's memory leak to be fixed instead of the devs ignoring it version after version, year after year.

        Chrome's "Task Manager" that shows per tab it's Name, Memory, CPU Usage, Network Traffic and FPS still lacks any counter part in FF.

        Chrome uses more ram than any other browser according to benchmarks. FF the least. A lot has changed since 2011.

        • > Chrome uses more ram than any other browser according to benchmarks.

          And in the real world of actual usage when I use it for a month straight with 100+ tabs, closing ALL the tabs down Firefox STILL hogs about 2 GB of RAM. The only work around I've found is to completely restart FF which has minimal RAM usage. And no, "about:memory" with manual forcing the GC to run doesn't help.

          > A lot has changed since 2011.
          LOL. I've been using FF since the 1.x days. I see the same slow memory leak version after v

      • Re: (Score:2, Informative)

        by Anonymous Coward

        "I just want FF's memory leak to be fixed instead of the devs ignoring it version after version, year after year."
        Do you happen to have a bug number on bugzilla? Also, please start reading Nicolas Nethercote's blog, they fixed a sh*tload of leaks already.

        "Chrome's "Task Manager" that shows per tab it's Name, Memory, CPU Usage, Network Traffic and FPS still lacks any counter part in FF."
        Content elements of separate pages can be shared in FF, making a per-page memory report much harder than in the per-process

        • by Rufty (37223)
          FF had a huge memory leak problem. It thrashed. And thrashed and thrashed. This was consistently denied. Now I'm told "It's been fixed!" Why should I trust them now - I now use Chrome and that doesn't suck. My trust in FF has gone, why should I spend my time trying it again when the devs can't even be honest with me?
      • Re:Do not want ... (Score:5, Informative)

        by complete loony (663508) <Jeremy.Lakeman@gm a i l . c om> on Tuesday February 04, 2014 @06:27PM (#46155867)
        It's called "about:memory" and it shows you memory allocation in all kinds of fine or coarse grained ways. And it's been almost continually improved for the past couple of years, while the big issues this page has revealed have been fixed.
        • I'm quite well aware of about:memory for years and no, it still doesn't fix the problem.

          My suspicion was that it was the Flash plugin leaking memory but I don't use any plugins with FF and it still leaks memory albeit -- much more slowly.

          • by tibman (623933)

            Didn't you say a few posts up that you use a youtube downloader?

            • Sorry for not communicating the context of the time frame more succinctly ...

              FF v?? -- forgot which version added the about:memory -- memory leak was about 1/2 plugged
              FF v25 -- no youtube downloader, no plugins, leaks memory slowly
              FF v26 -- youtube downloader, still leaks memory slowly

              I find Chrome's design of 1-process-per-tab to not have any hidden memory leaks compared to FF's lets-share-everything and GC everything later.

              When you FF using 2 GB of RAM, every tab closed except 1 blank one, and pressing th

      • Thanks, UnknownSoldier, for this: "I just want FF's memory leak to be fixed instead of the devs ignoring it version after version, year after year."

        I first reported that problem about 10 years ago.

        Mozilla Foundation
        Top 20 Excuses
        for Not Fixing the
        Firefox Memory and CPU Hogging bugs


        These are actual excuses given at one time or another. They are not all the excuses, just the top 20.

        1) Maybe this bug is fixed in the nightly build. [The same memory and CPU hogging bug has been reported many,
        • The Firefox Memory and CPU Hogging bugs are NOT fixed in Firefox version 26.0. I had 2 crashes last week. One of them did not trigger a crash report. My system is very stable in all other conditions. (Windows 7 Ultimate)

          Firefox is the most unstable software in common use.

          The problems occur when using many windows and tabs and sleeping and hibernating the OS.

          PLEASE don't bore everyone by saying you don't have the problem, but not listing your usage patterns, OS, and extensions.
          • by ultranova (717540)

            The problems occur when using many windows and tabs and sleeping and hibernating the OS.

            The problems occur when Firefox's memory usage starts nearing 2GB. That strongly suggests it's a problem with address space exhaustion/fragmentation and resulting memory allocation errors. And that means it won't be fixed before 32-bit version is left behind.

        • I hear you! Your list is priceless ! I've seen some of those bugzillas from time to time and you are spot on.

          Ignoring a problem a problem doesn't make it go away, as much as the FF dev's would like to remain delusional.

          I used to hate Chrome with a passion and refused to use it for a year or two. But after running FF from pre 1.x to 26 I gave up on FF about 4 years ago once I saw Chromes "Task Manager", the built-in Flash player, and built-in PDF previewer.

          I keep trying FF every version to see if the memo

    • by Drew617 (3034513)

      With you on social media, but I'll go further and say the browser shouldn't really be integrated with anything external to the OS.

      The concept of browser-as-platform (looking at you, Chrome) seems wrong and disruptive to me, but it should be especially unnecessary for a browser to integrate with a service that's normally delivered in a browser to begin with.

      When I want to integrate with something, I'll let you know by punching in the address, thankyouverymuch.

      • by paziek (1329929)
        Well, we've got internet search engines integrated into almost any browser nowadays. Difference would be that you can choose what search engine you want to use.
        Seems like they added some support for Delicious and whatever India streaming service; what you need to do in order to get integrated, beats me, but I bet on $. I guess its sad, but then again Mozilla in its manifesto never mentions neutrality or any such thing and they need money to pay staff.
        • by Drew617 (3034513)

          Good point. I guess my concern isn't so much for neutrality, but good design. In general I want a browser to do one thing well, and otherwise get out of the way.

          I do understand the technical difference, but looking at it functionally: I expect "apps" to run in the OS. I do not also want a separate set of "apps" to run on the browser, or inside any other application for that matter. For example, in OSX or Windows I can have both a native Evernote binary "app" and a separate Evernote "app" running in Chro

    • by reikae (80981)

      The integration features certainly don't seem intrusive in any way, because I have no idea how to access them. There is nothing in the main menu about social media integration, nor in the options dialog. Which is nice.

  • WebApi/WebPayment (Score:4, Interesting)

    by buchner.johannes (1139593) on Tuesday February 04, 2014 @02:53PM (#46152711) Homepage Journal

    I want to see WebPayment lift off. This could be a huge enabler for small internet businesses. Any news on that?

  • I see they haven't reversed the horrible misfeature of the "awesome" bar being restricted to whatever's specified in the search bar (e.g., Wikipedia) instead of using your default search engine regardless.

    Or is there an about:config setting for that which I don't know about?

    • by Anonymous Coward

      No about:config entry whatsoever. Maybe this will help: https://addons.mozilla.org/en-US/firefox/addon/foobar/ You may find this to be handy: http://kb.mozillazine.org/Using_keyword_searches

      Also, blame Alex Limi.

    • by Anonymous Coward

      No. There were viable security reasons to remove your pet search feature from the default installation, but it's still available if you use an addon.

      And now I'll sit back with my popcorn and watch the idiotic cries of "they're dumbing it down for the filthy casuals!"

    • by dbug78 (151961)

      The workaround here is to use keywords:
      Click the engine dropdown in the search box and choose Manage Search Engines.
      Create keywords for the search engines you care about (eg. 'g' for google, 'wp' for wikipedia, 'd' for dictionary.com, etc).
      Perform searches in the Awesome Bar by typing "<keyword> <search terms>" and ignore the search box (except to configure more search engines and/or keywords).

  • Maybe it's me, but Firefox 26 would crash at the drop of a hat (and that's on Windows and Linux). I would sincerely hope that 27 is somewhat better in that respect.

    • by gigaherz (2653757)
      I have only had one single crash while running Firefox Aurora (the alphas) in years. Are you using any misbehaving Extension or plugin?
      • But then again, it's bad if an extension or plugin crashes the whole browser.
      • Last year I was running Firefox on Win7-32, on a machine with 4GB RAM, and it would crash five times a day. Now that I'm running Win7-64, on the same hardware but with a lot more swap space enabled, it still crashes occasionally, but maybe once or twice a week.

    • by Lord Crc (151920) on Tuesday February 04, 2014 @03:33PM (#46153269)

      Maybe it's me, but Firefox 26 would crash at the drop of a hat

      Tried running it in "safe mode" without addon's and see how that goes?

      Firefox still crashes for me when it runs out of memory due to buggy javascript in either an addon or on a page. For example we use FinalBuilder at work, and the build control page has a massive memory leak in the javascript (sucky dom handling in web 2.0 crap) causing FF to run out of memory if I leave the page open over night.

      Other than that it's been very stable on all the machines I've used it on for many years now (and that's both Windows and Linux).

    • by tyle (1243518)
      Had this as well in Firefox 26 on Linux with Nvidia drivers, but Firefox stopped crashing when I updated to Nvidia driver 331.38.
    • by dkman (863999)
      I'm with the other guys. I almost solely run FF current builds on multiple machines (work 6GB ram with intel graphics. home main 16GB with AMD. home media server was 2GB with nvidia - very recently upgraded). I haven't had crash issues on any of them. I definitely would have switched or investigated the cause, but I would have to say you have a bad addon. Potentially you have bad ram, but I would imagine that using a different browser wouldn't have fixed the issue.
  • I'll give FF another shot when there's a GTK3 port.

    But, uh, hey... apparently we got us some Saavn (?) integration.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The GTK3 support seems to be coming along nicely. They're actually supposedly pretty close, if I'm reading the bug tickets correctly. They mostly just have to support spinning off GTK2 process for plugins like Flash that don't support GTK3, and I believe there are some GTK3 widget glitches to iron out. I even remember seeing a Red Hat/Fedora test binary with GTK3 support that you can try out, though I don't have a link handy.

    • Ain't gonna happen.

      One of the weaknesses of Linux is you can't have more than one library with dynamic linking for .so objects like you can with .dlls starting with Windows 7 and later.

      This means gnome2 users and Mate users will be fucked as you can't have GTK2 and GTK3 on the same system. Since CentOS comes with gnome 2 by default it means Firefox can not be made to work with it until they downgrade to GTK2.

      • One of the weaknesses of Linux is you can't have more than one library with dynamic linking for .so objects like you can with .dlls starting with Windows 7 and later. This means gnome2 users and Mate users will be fucked as you can't have GTK2 and GTK3 on the same system.

        Just FYI, .so files are versioned in Linux, and you can (and any sane distro does) have libgtk2 and libgtk3 side by side.

  • by vanyel (28049) *

    I'm hoping support for DANE will show up soon...

  • by dkman (863999)

    I only sync Bookmarks and Addons (for security reasons I don't even store passwords). But I've never had a problem with the way sync works now. You need to have a synced device on had to generate a code to feed into the device you want to add. As long as you have 1 accessible synced device you're good.

    If you were using it to back up bookmarks on one machine and you are rebuilding that machine, then you may be in trouble. So I guess that's what they're referring to here.

    I have it on my phone, so I can al

    • As long as you have 1 accessible synced device you're good.

      And if you don't, you're fucked. So that's the problem.

    • by rts008 (812749)

      If you were using it to back up bookmarks on one machine and you are rebuilding that machine, then you may be in trouble.

      For that specific issue, try FEBE(Firefox Extension Backup Extension)
      I highly recommend it for this.(and a whole lot more useful stuff)

      FEBE allows my Firefox experience to be almost exactly the same between Windows and Kubuntu(dual boot), and having a current backup of the FEBE folder allows me to painlessly restore Firefox to my liking after a fresh install, or a new PC.

    • by c0l0 (826165) *

      I switched over from Chromium to Firefox mainly because of how Firefox Sync worked back then - in the way that it encrypted your sync data with a secret that Mozilla would never know. Now, with the new sync that just requires a tuple of email address and password, I wonder what - if anything - they use to encrypt the data so they cannot know what I store there (which is a strict requirement for me to even consider any kind of "cloud"-y offering). Given that email/password is used for authentication and auth

      • by c0d3g33k (102699)

        I switched over from Chromium to Firefox mainly because of how Firefox Sync worked back then - in the way that it encrypted your sync data with a secret that Mozilla would never know. Now, with the new sync that just requires a tuple of email address and password, I wonder what - if anything - they use to encrypt the data so they cannot know what I store there (which is a strict requirement for me to even consider any kind of "cloud"-y offering). Given that email/password is used for authentication and authorization only (I'm pretty certain they'll have a routine for users to "reset" their password...), I'm worried they'd left out the one thing that made Firefox Sync usable for folk concerned with privacy...

        I have the same general concerns you did but am less trusting, so I set up my own sync server. Check out Run your own Sync Server [mozilla.com] at mozilla.com.

        If you're technically inclined, familiar with general LAMP server management and have a personal linux server handy, it isn't that hard. There's a time investment up front, but once I got it running, it's been working flawlessly across several platforms and multiple browser profiles. I hope they deprecate the old sync behavior but keep it in place for awhile to

        • Re: Sync (Score:5, Informative)

          by c0l0 (826165) * on Tuesday February 04, 2014 @05:17PM (#46154775) Homepage

          Yeah, I knew about that possibility before, but since the data to be stored on Mozilla servers was being properly encrypted on my device and in my client, I opted out of the usual "maintain my own infrastructure" chores that one time. Now, the "old" (read: current) Firefox Sync system is going away completely in the not too distant future, and you'll probably have to install some kind of add-on to keep your existing, self-hosted infrastructure functional. Meanwhile, I asked some Mozilla people/developers what the change was about, and how the new system is supposed to keep users' data confidential. The transcript of the IRC session is available here, on Debian's inofficial pastebin [debian.net] - enjoy! :)

          • by c0d3g33k (102699)

            Thanks for that transcript. It seems to clarify some things (the questions you were asking and the answers) but raises others. Such as why the desperate push to move to an entirely new infrastructure that's apparently incompatible with the old, requires Firefox Accounts and introduces "recoverable" keys (in the hands of Mozilla) alongside the current non-recoverable keys that only the client has. The rather vague answer was the 'recoverable' keys were for some nebulous future service of benefit to the us

  • by TheMadTopher (1020341) on Tuesday February 04, 2014 @04:13PM (#46153843)
    Am I the only one who could care less about social media integration?
    • by Anonymous Coward

      Am I the only one who could care less about social media integration?

      No, I'm pretty sure there's a lot of people who couldn't care less.

    • by rts008 (812749)

      I see this frequently...*sigh*

      I personally couldn't(could not) care less about social media integration.

      I think that was what you meant...if so, then the answer would be no, but the two statements are opposite in their actual meaning.

      Your version: "I could care less about it, but I don't."

      My version:
      "I could not possibly care less about it, as I don't care for it at all."

      Think about it a little, and it is very clear that 'could' and 'could not' have opposite and specific meanings.

    • by Tom (822)

      No. On the contrary, it's rather a counter-argument for me.

      Because "social" media is anti-social. When I invite friends over for chill-out or a movie or whatever, I can either call up 6 or 7 and get 4 or 5 "ok, sounds cool, I'll be there" - or I can invite 30 on Facebook, get 10 replies, half of which are "maybe" which is just code for "not really but I don't want to look as if I don't like you" and half of the "yes" will drop out at the last moment.

      Nothing beats actual personal face-to-face social interact

  • by tlhIngan (30335) <(ten.frow) (ta) (todhsals)> on Tuesday February 04, 2014 @04:28PM (#46154045)

    One of the biggest changes in Firefox was that JavaScript was permanently enabled.

    But a side effect of the removal of "Enable JavaScript" checkbox was the removal of the "Advanced" button which limited what scripts could do - move/resize windows, bring windows to front/back, allow scrpits to write to status bar, disable context-click (right click), etc.

    Which is annoying because those options were good to have - especially sites that disable right-click.

    On Firefox, it's possible to re-enable right click if you hold down Shift then right-click - this will force Firefox to display the proper right-click menu. But that's a PITA

    While extensions like NoScript work, they don't prevent permitted sites from playing around with stuff like that - a site needs javascript ot work and then they promptly open a bunch of windows or disable right-click while it's enabled.

  • So, just curious to know. The previous sync version had client-side encryption, i.e., Mozilla did not know what data you upload on their servers. In order to do authentication with a Mozilla account, I presume this has to be changed and now the Mozilla people have full access to an unencrypted version of your bookmarks/passwords etc.

    Is this correct? That seems a worrisome change.

  • Curious if the folks who got the update saw this feature. I thought it would be a pretty desirable setting in a mobile browser, but the last version didn't seem to have it, even in about:config.

  • I breathed a sigh of relief upon reading this headline.

    The latest TLS version Firefox supported until now has been broken in principle--and increasingly in practice--since almost a year ago

    Here's Matthew Green, JHU cryptography engineering professor/researcher, with a full account: http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html [cryptograp...eering.com]

  • de-minify, not de-obfuscate. Obfuscated code generally replaces named variables with random letters, thus making it hard to read. Obviously there's no way of restoring the original code. But minified code can be restored by a parser. That seems to be what they are referring to.
  • So, what useful UI elements were removed this time? I think they're starting to run out of things to axe, but pretty much every time there is "UI improvements" in patch notes, it meat a useful element of UI was removed from the browser, often with no real means of putting it back in.

    Well, good thing that 3.6.28 is still quite functional, and for all other needs, there's pale moon.

    • I can say that my request FINALLY made it into FF!

      When using the "Inspect Element" function, all colors in the 'Rules' column were expressed in 8-bit RGB --a pain which forces designers/developers to use another app to convert the values to 8-bit hex. Now all values default to 8-bit hex and have a small 'swatch' filled with the color. Very handy!

      Thank you to all the people that worked on this feature 'upgrade' --I read all of your posts on Bugzilla and stayed as active with it as needed.

  • When? Until Firefox gets that, it's not getting a place back on my desktop.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...