Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Mozilla Open Source Software

Firefox 44 Arrives With Push Notifications (mozilla.org) 182

An anonymous reader writes: Mozilla today launched Firefox 44 for Windows, Mac, Linux, and Android. Notable additions to the browser include push notifications, the removal of RC4 encryption, and new powerful developer tools. Mozilla made three promises for push notifications: "1. To prevent cross-site correlations, every website receives a different, anonymous Web Push identifier for your browser. 2. To thwart eavesdropping, payloads are encrypted to a public / private keypair held only by your browser. 3. Firefox only connects to the Push Service if you have an active Web Push subscription. This could be to a website, or to a browser feature like Firefox Hello or Firefox Sync." Here are the full changelogs: Desktop and Android.
This discussion has been archived. No new comments can be posted.

Firefox 44 Arrives With Push Notifications

Comments Filter:
  • Great! (Score:5, Insightful)

    by Motherfucking Shit ( 636021 ) on Tuesday January 26, 2016 @02:37PM (#51375989) Journal

    Who has a list of which configuration options I need to go into about:config and disable this time?

    • Re: (Score:3, Informative)

      Just don't subscribe to anything -- every page requires you to grant it permission.

      • Re:Great! (Score:4, Insightful)

        by Somebody Is Using My ( 985418 ) on Tuesday January 26, 2016 @02:52PM (#51376139) Homepage

        Just don't subscribe to anything -- every page requires you to grant it permission.

        No, it requires more than that. According to Mozilla themselves [mozilla.org], "Firefox maintains an active connection to a push service in order to receive push messages as long as it is open." Supposedly the connection is encrypted and anonymized, but you'll have to take their word on it and anyway, it's another potentially-vulnerable service running in the background. So it's not just a matter of "don't subscribe and you'll be safe"; there needs to be a way to disable this service entirely.

        Oh wait... there is [palemoon.org].

        • Re:Great! (Score:5, Insightful)

          by jopsen ( 885607 ) <jopsen@gmail.com> on Tuesday January 26, 2016 @03:50PM (#51376723) Homepage

          but you'll have to take their word on it

          No, you can view the source... All of it... Both client and server side.

          https://github.com/mozilla-ser... [github.com]
          If I'm not mistaken... There a lot of mozilla projects, but this one seems recent.

          there needs to be a way to disable this service entirely.

          At least look up about.config before complaining, it's right in there under "dom.push.enabled".

          But really, I don't see the point...

        • Re:Great! (Score:4, Insightful)

          by wonkey_monkey ( 2592601 ) on Tuesday January 26, 2016 @05:47PM (#51377703) Homepage

          No, it requires more than that.

          More? Or do you mean less? It does require permission to establish a push connection, as far as I can tell.

          According to Mozilla themselves [mozilla.org], "Firefox maintains an active connection to a push service in order to receive push messages as long as it is open."

          "Firefox maintains..." - that particular quote says nothing about whether permission is required to establish such a connection in the first place.

          There's something a bit non-sequitur-ish about your first two sentences.

    • Re:Great! (Score:5, Informative)

      by fahrbot-bot ( 874524 ) on Tuesday January 26, 2016 @02:49PM (#51376113)

      Who has a list of which configuration options I need to go into about:config and disable this time?

      As buchner.johannes noted, just don't subscribe to anything, but from what I have read, set:

      • dom.webnotifications.enabled = false
      • dom.webnotifications.serviceworker.enabled = false
      • Re:Great! (Score:5, Informative)

        by fahrbot-bot ( 874524 ) on Tuesday January 26, 2016 @02:56PM (#51376203)

        Who has a list of which configuration options I need to go into about:config and disable this time?

        As buchner.johannes noted, just don't subscribe to anything, but from what I have read, set:

        • dom.webnotifications.enabled = false
        • dom.webnotifications.serviceworker.enabled = false

        Other candidates seem to also be:

        • dom.push.connection.enabled = false
        • dom.push.enabled = false
      • You may also want to set dom.push.serverURL to 127.0.0.1 as extra insurance.

        Great to think that anything that can spoof or MITM that site can push whatever crap they want into your browser...

    • Re: (Score:3, Funny)

      by ZeRu ( 1486391 )
      Firefox, the only software that comes with a warranty.
    • Who has a list of which configuration options I need to go into about:config and disable this time?

      You must be an old timer!

      Programs are configurable! Just go through all the apps and programs that you use on a daily basis and change whatever you want to make the system work to your liking.

      All these features are easy to change, and learning a mere handful of methods will get you anywhere you want to go.

      1) Go to about.config, click on the "I understand", type in "this.obscure.value", double click it to change value. The "this.obscure.value" is named in a transparent, easily understandable way such as "browser.cache.disk.smart_size.enabled". This enables the "smart size" feature of the caching system. It's obvious what it does, because it's name says it all.

      2) Go to start->run->regedit, navigate to "this obscure value", type in "add new value" in DWORD format and set it's value to 1. For instance, to disable the new volume control and go back to the old style, just navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, create a new key MTCUVC, create a new DWORD EnableMtcUvc, and set its value to 0.

      Only old folks think that's not simple, and I don't for the life of me know why!

      3) Pick a random number, put "KB" in front of it, and do what's described there. For example, KB3035583 tells you how Microsoft has helpfully introduced "additional capabilities for Windows Update notifications when new updates are available to the user". It's just telling you how Windows 10 is now available. If you want to customize this behaviour, you can use task manager to stop the GWX.exe process. Or, you can go to programs and then click or tap on View installed updates, then scroll down until you see the KB3035583 update, select it, press "uninstall", and then confirm that you want to uninstall it.

      Nothing could be simpler, I just *don't get* where these old folks are coming from!

      4) Changing things in linux it's even easier! Just go to /etc as root and vi "some-random-file", and change the configuration manually. It's easy to do, because all the configuration files are in one place! For example, remote disks are called "shares", and the process that manages this is called samba, and the file to edit is thus /etc/samba/smb.conf.

      What could be easier? The .conf ending lets you know that it's a configuration file!

      If you don't know how to use vi, simply type "man vi" and you'll find all the information you need!

      Really, I don't understand why old folks don't understand these things - everything is so simple!

      • by rtb61 ( 674572 ) on Tuesday January 26, 2016 @05:20PM (#51377495) Homepage

        Yet, mind bogglingly enough it is still way simpler than trying to fix windows registry. Mind you fuck up about:config and the browser stops working, Windows registry fucks itself up and you computer stops working. Want to keep a computer working, always dual boot and that way you can boot to Linux to fix your gaming and browsing machine. I have managed to keep windows 7 going since getting this computer without a reinstall by that very method. Damn being able to edit a text file makes like so much easier when it comes to fixing a broken OS or broken program. Having to reinstall a program or and entire OS and every program you have because you couldn't edit a text file is fucking nuts. One five minute edit versus hours and hours of reinstall, oh, yeah that edit is so very, very hard.

        • by AmiMoJo ( 196126 )

          You are doing it wrong. The registry is just a database of settings, a simple hierarchy. It stores access control information too, on a much finer grained level than Linux allows. On Linux you have simple file permissions, and that's it.

          The registry is periodically backed up. If you someone screw it up, which with the default permissions is hard to do, you can just revert back to an older version. Windows can do this automatically most of the time, or you can do it manually by booting the install media, goi

      • by shanen ( 462549 )

        Where can I borrow a cup of mod points? This post deserves more on several dimensions...

      • Re: (Score:1, Funny)

        by el_chicano ( 36361 )

        You must be an old timer!

        Only old folks think that's not simple, and I don't for the life of me know why!

        Nothing could be simpler, I just *don't get* where these old folks are coming from!

        Really, I don't understand why old folks don't understand these things - everything is so simple!

        There is a fine line between being funny and being an ASSHOLE and you definitely are not funny.

        My first computer course was at Rice University, programming PL/1 on an IBM mainframe with punch cards. I programmed COBOL and FORTRAN on VMS on a VAX at the University of Houston. I used UNIX before Torvalds ever thought of making Linux.

        I used OS/2 Warp when everybody was suffering through Windows 95. I started using Linux when IBM killed off OS/2. I ran WebCT on Solaris for over 6,000 professors and st

      • 4) no troll is complete without mentioning systemd has replaced much of traditional configuration :)

    • Re: (Score:3, Funny)

      by Tablizer ( 95088 )

      Who has a list of which configuration options I need to...disable [useless new features]?

      1. Go to palemoon.org

      2. Click the Download Browser button.

      3. Click "Confirm" at install prompt.

      4. Profit!

    • by Anonymous Coward

      So based on last month's stats, Firefox is down to about 7% of the browser market [caniuse.com]. That's across all versions, on all desktop and mobile (where Firefox for Android has a massive 0.05% of the market) platforms.

      At this point, Firefox as a whole is nearly below iOS Safari 9.2, IE 11, and UC Browser for Android. It almost has fewer users than Opera Mini, even! Hell, even Chrome 46 still has almost as many users as Firefox has in total, and Chrome is up to version 48 now!

      It's now clear that Firefox 44 introduces

      • I'd wager that most of the firefox use now is by IT personnel who use it for its extensions, and Mozilla has been alienating us by breaking functionality at every step - breaking flash, breaking java, and of course, completely excluding code for low-bit cryptography, which forces us to use multiple browser versions to get to out of band management on older boxes and appliances. I can see disabling older crypo algorithms by default, but don't exclude it from the project.

        Same with unsigned or self-signed exte

        • I'd wager that most of the firefox use now is by IT personnel who use it for its extensions,

          Yup, that is the sole reason I still use Firefox.

          Fortunately, Mozilla has come up with a means of dealing with that when they break extension support in the near future. At that point there'll be no more reason to keep using it.

      • And before anyone harps in with "fuck flash" - vmcenter (vmware) utilises flash heavily, as do quite a few load balancers. It's fucktarded, I know.. but that's the reality of it.

      • For me, the final straw was when Firefox started calling Google "untrusted", then refused to let me make an exception and go about my usually-seamless search business. I don't know why the behaviour started. I don't care. They were already on thin ice after switching off my Garmin GPS update and map extensions, disabling my Kaspersky special functions like virtual keyboard, and other stuff I won't bore you with.

        I'm almost completely switched over to Pale Moon now. It's faster, and it actually works. Fu

    • Backend POSTs to you!
  • by buchner.johannes ( 1139593 ) on Tuesday January 26, 2016 @02:40PM (#51376023) Homepage Journal

    "a website could notify you when something important happened, even if you [don’t] have the site open"
    Cool!

    Is RSS dead now, like web onthologies?

    • Comment removed based on user account deletion
      • Re:The next RSS (Score:5, Insightful)

        by mbkennel ( 97636 ) on Tuesday January 26, 2016 @03:20PM (#51376419)

        And will be used for "One Weird Trick to a Titanic Penis" and "Firefox has detected a CRITICAL security problem. Click on _this link_ to eliminate the malware from your system"
    • Re:The next RSS (Score:4, Interesting)

      by zoward ( 188110 ) <email.me.at.zoward.at.gmail.com> on Tuesday January 26, 2016 @03:33PM (#51376551) Homepage

      RSS is dying because sites don't like it. People use it as a shortcut to see whether anything on their list of favorite blogs is worth navigating to the site to read. If not, then they won't visit the site, taking page hits (and ad revenue) from the site. I love RSS, but it seems like sites are dropping support for it left and right.

      • by chihowa ( 366380 )

        RSS support started dropping from browsers before it started dropping from sites. In the end, now that I don't have a handy list of RSS feeds I just don't visit most of the webcomics that I used to read. I can't see how that's a real win for them.

        • I never settled on a native RSS client but use theoldreader on both desktop and mobile.

          I agree if sites don't have feed I tend to forget about them rather than reloading a series of bookmarks in case they have something interesting on them.

      • What's nice is that most sites just run wordpress or similar anyway, so you can just mess with the url a bit and get a feed link to plug in your reader.

  • by Anonymous Coward on Tuesday January 26, 2016 @02:40PM (#51376027)

    This version is also the first to require signed extensions with no way to:
    1) Disable the signature check at all
    2) Use any signature other than Mozilla's
    3) Install a extension built and packaged by your distribution repository (unless Mozilla signs each build)
    4) Forcefully install a extension that you built yourself

    I don't understand why Mozilla gets away with this type of hidden DRM. At least in Secure Boot you could enroll your own signatures.

    Here, the only option you have is to switch to an unbranded fork of Firefox.

    • by vux984 ( 928602 )

      "Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions."

      Is this not the case?

      Here, the only option you have is to switch to an unbranded fork of Firefox.

      Oh... it IS the case; but you made it sound like a FORK; when its really a proper release channel for developers.

      At this point you sound like someone whining that the LTS release doesn't have the cutting edge features you want.

      That said, the problem with your options 1

      • by Nutria ( 679911 )

        Oh... it IS the case; but you made it sound like a FORK; when its really a proper release channel for developers.

        Is that what Ubuntu users are called now?

        • by vux984 ( 928602 )

          Is that what Ubuntu users are called now?

          Only if they want to get their Mozilla Firefox extensions from a source *other* than Mozilla; or did I miss something?

          • by Nutria ( 679911 )

            did I miss something?

            I think so, since "build from source" is what Linux distros do.

            • by vux984 ( 928602 )

              I think so, since "build from source" is what Linux distros do.

              Then what is the problem? Have the distro modify the source going into the repo to remove any non-OSS friendly stuff... isn't that what iceweasel is?

              • by Nutria ( 679911 )

                Have the distro modify the source going into the repo to remove any non-OSS friendly stuff

                They already only distribute OSS extensions.

      • At this point you sound like someone whining that the LTS release doesn't have the cutting edge features you want.

        Sounds to me like he's "whining" about an LTS that has added overly restrictive features that he doesn't want.

        Do you call it "whining" when you do it, or is it only for other people?

        • by vux984 ( 928602 )

          Sounds to me like he's "whining" about an LTS that has added overly restrictive features that he doesn't want.

          Not really. If it really was a distinction between rolling and LTS then I'd see a problem. But its really two different rolling releases, once aimed to be safe as possible for neophytes and one with fewer restrictions and more options to hang yourself. He's on the safety release now, but wants to do more advanced stuff... which is fine. He can switch to one of the more advanced releases... but he apparent doesn't want to for no reason given.

          Further, he wants the rolling release software that he's currently

      • by PRMan ( 959735 )
        And now, if we want to do something revolutionary with an Extension that they haven't foreseen, well, too bad. You need their permission which some negative nancy will refuse to grant because "powerful".
    • Of course, all you have to do to fix that is replace one line of code with
      if (true)

    • by rastos1 ( 601318 ) on Tuesday January 26, 2016 @03:23PM (#51376461)

      This version is also the first to require signed extensions

      I'm confused. We are delaying the removal of this preference to Firefox 46 [mozilla.org]

      • That doesn't really fix any of the problems with signing.

      • Yes, you are confused. Delaying something instead of cancelling it means I know before it pissed me off. Posted via chrome.

        And chrome sucks for dashslot, so I'm not real happy about it either.

    • by Anonymous Coward

      This version is also the first to require signed extensions with no way to:
      1) Disable the signature check at all

      That is incorrect. They pushed it back again to FF46. [mozilla.org]

      But more generally, I agree it is total bullshit. And what's worse is that the answer is super fucking easy. All they need to do is let the user specify a white-list of extensions that do not need signatures. Require that the white-list be kept in an admin-only writeable location, like the system-wide firefox install directory where there is already some config data. If an attacker can write to admin-only files then the whole system is already compr

  • by cruff ( 171569 ) on Tuesday January 26, 2016 @02:46PM (#51376085)
    From the push notification link describing it:

    A website registers a Service Worker with the browser. Service Workers are small JavaScript programs with super powers like intercepting network requests or running even when their parent website is closed.

    What could possibly go wrong?

  • To assist law enforcement by fingerprinting your browser payloads are encrypted to a public / private keypair held only by your browser

    FTFY.

    • Who's using FF to manage his CP server or plot the next season of 24? FF is as bourgeois as Chrome now it's designed to be trendy and give what the "mass" of it's users expect and thats good, because the browsers wars v2 it's over now and if you have that puny expectations of privacy you should now better and use any of the imperial fuckton of browser available. The overreaction anytime FF does sometime dobious is getting old, they had its 15 minutes and all but it's time to move on.

      That said I use FF as
  • Yeah, to keep your antivirus and ad blockers out of the way.

    Oh well, at least there's still Netscape.

  • let someone know they're being Pushed out the door [wikipedia.org] for not toeing the party line on some Social Justice issue unrelated to javascript compiler speed? Cause Mozilla clearly already had that feature

    • Why do people keep trying to drag what they call "social justice" into every sodding thread? Are you one of those so-called "social justice warriors" I keep hearing so much about?

  • Drop it. (Score:1, Interesting)

    If you haven't already, rather than messing around with settings and installing extensions, just drop it. Uninstall and don't look back. There are other browsers.
    • Re: (Score:3, Informative)

      by rudy_wayne ( 414635 )

      If you haven't already, rather than messing around with settings and installing extensions, just drop it. Uninstall and don't look back. There are other browsers.

      Sadly, all the "other browsers" suck just as much as Firefox, they just suck in different ways.

  • by Billy the Mountain ( 225541 ) on Tuesday January 26, 2016 @04:04PM (#51376851) Journal
    Web push is already easily handled through WebSockets. I wrote a couple applications that are able to handle hundreds of random notifications per second coming from a server. Works with Chrome, Firefox and even IE. Older versions of IE require a polyfill but even that works great.
  • Firefox is really pissing me off anyway, mine keeps loosing the spellcheck. I've gone through all the troubleshooting steps, checked the language packs are installed, and yet often the "Check Spelling" disappears and instead "Add a dictionary" shows up.
  • by klui ( 457783 ) on Tuesday January 26, 2016 @04:47PM (#51377241)

    Does anyone know if security.tls.insecure_fallback_hosts is now deprecated? I have an old device that will never get its SSL certificates reissued and I cannot create a new certificate with better algorithms. I use an old portable version of Firefox that I use to sometimes login. I noticed with Firefox 44 if I now go to the IP address, which I have added in the above preference name, I am greeted with the Advanced button and expanding it gives me a link to "(Not secure) try loading 'ip address' using outdated security." If I click on it it does nothing and gives redirects back to the "Your connection is not secure" page.

    The latest version of ssh allows one to whitelist hosts with deprecated encryption so I have access that way, too. It would be nice to not have Firefox 44 and another just to access this device.

  • I searched about:config for 'push' Changed a few values from true to false, and buggered up the Mozilla push URL. Has crashed yet. Only time will tell
  • My reaction (sent to Mozilla) to the inclusion of the Amazon plug-in:

    [Firefox has made me] very, VERY sad indeed. Amazon? Why don't you just shoot my privacy in the head? It would be a kinder solution. More to the point, sucking up to Amazon is NOT going to fix your terrible financial model. Amazon does NOT share any of Mozilla's laudable goals, but "partnering" with those vicious privacy-destroying monsters will destroy you, too. How can ANYONE possibly trust an Amazon partner? Amazon will share a few pennies with you--but Amazon will laugh when you go bankrupt anyway.

    Now I've suggested an alternative business model of project-oriented charity shares. I'm already getting blue in the face from repeating that solution, but you are ABSOLUTELY NOT offering a better alternative. Amazon is EVIL, and now I regard Firefox as EVIL, too. My chief regret is that there are no alternatives that are significantly less evil--and it always comes back to stupid financial models.

    Longer version with more about the alternative financial model I favor: https://ello.co/shanen0/post/8... [ello.co]

  • BLOAT BLOAT BLOAT (feature creeeep) BBlooaaatTTT
  • by Anonymous Coward

    The mozilla devs have destroyed firefox. Citing 'stability', 'maintainability', 'unused features', etc. they have removed most of what firefox was known for and reduced it to a chrome knockoff. The new firefox is pathetically crippled, lacks a decent interface and configuration options, and looks out of place in the major linux desktop environments. Push notifications should have been implemented as an add-on for those who want it and not implemented in such a way as to create new problems for users who don

Those who do things in a noble spirit of self-sacrifice are to be avoided at all costs. -- N. Alexander.

Working...