Mozilla Firefox 52 Released As ESR Branch, Will Receive Security Updates Until 2018

prisoninmate quotes a report from Softpedia: Back in January, we told you that the development of the Mozilla Firefox 52.0 kicked off with the first Beta release and promised to let users send and open tabs from one device to another, among numerous other improvements and new features. Nine beta builds later, Mozilla has pushed today, March 7, the final binary and source packages of the Mozilla Firefox 52.0 web browser for all supported platforms, including GNU/Linux, macOS, and Windows. The good news is that Firefox 52.0 is an ESR (Extended Support Release) branch that will be supported until March-April 2018. Prominent features of the Mozilla Firefox 52.0 ESR release include support for the emerging WebAssembly standard to boost the performance of Web-based games and apps without relying on plugins, the ability to send and open tabs from one device to another, as well as multi-process for Windows users with touchscreens. With each new Firefox release, Mozilla's developers attempt to offer new ways to improve the security of the widely-used web browser across all supported platforms. Firefox 52.0 ESR implements a "This connection is not secure" warning for non-secure pages that require user logins, along with a new Strict Secure Cookies specification.

Upgrade experience

[Artem S. Tashkinov]

• My bookmarks bar is invisible on start up and in every new private window. The only way to show it is to hide and then unhide it.
• The settings button (three horizontal bars) doesn't work. You click it - nothing happens
• Firefox doesn't restore saved windows/tabs from the previous session even though it's what my preferences say: Show my windows and tabs from last time.
• Firefox has reset my lightweight theme (luckily I have a backup).

The worst update ever. I'm horrified by the prospect of upcoming Firefox 5

Re:

[Artem S. Tashkinov]

Have you even followed your own link? Firefox 45 will see the last release in several weeks and after that it's 52 for the next 9 months or so.

45 ESR is basically dead and unsupported.

Re:Upgrade experience

[Artem S. Tashkinov]

You must have zero add-ons installed, IOW you could use any other web browser. That's the sole reason Firefox was created, right? To allow extreme customizability, no?

I have a shitton of addons installed because it's the only way to make Firefox behave like I want it to.

Re:

[Anonymous Coward]

As another AC pointed out, the previous ESR is still supported until mid-June (and you don't have to stop using it as soon as its support ends).

I hope you consider submitting those bugs to Bugzilla [mozilla.org], because you seem to be quite good at identifying and articulating the problems you experience.

Re:Upgrade experience

[Artem S. Tashkinov]

Nowadays Mozilla devs have a peculiar way of treating new bug reports: first, they offer you to disable all add-ons, then reset all settings, then try a fresh profile. I don't like any of these "options".

Alas, that's what I'm going to do, because Firefox is still the best web browser out there. Too bad, it's headed in the direction of becoming a Chrome clone.

Re:Upgrade experience

[Tranzistors]

All that resetting is necessary to help to debug. If the bug is in add-ons, then it should be reported to the add-on developers. If it is really a fault of Mozilla, add-on developers should report it, since they will probably have a better insight of what exactly has gone wrong.

Similar with settings. If you have messed with about:config, it is nigh impossible for Mozilla to test all the permutations, or provide reasonable upgrade path to all of them.

In my workplace, we have similar issues, but we solve them by selling support. Since you get FF for free, it would be unreasonable to expect them to handle your specific configuration.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mujadaddy]

I switched nearly 2 years ago and I can tell you its really good

Quantify "really good" for compsci nerds.

How many security updates have Pale Moon Devs done since "2 years ago"? The internet seems to unfortunately be a moving target. You'd think they'd run out of bugs eventually =-)

I ask these questions as someone who has frozen at an earlier FF (51?) on my personal desktop, and doesn't bother with it at all for work development, and is saddened by it.

I just don't think the Pale Moon team has the manpower to keep up.

Re:

[knorthern knight]

> How many security updates have Pale Moon Devs done since "2 years ago"?

Check their announcements page https://forum.palemoon.org/vie... [palemoon.org] Since 2015/03/13 they've released 25.3, 25.3.1, 25.3.2, 25.4, 25.4.1, 25.5, 25.6, 25.7.0, 25.7.1, 25.7.2, 25.7.3, 25.8, 25.8.1, 26.0, 26.0.2 (Note; 26.0.1 "internal only"), 26.0.3, 26.1.0, 26.1.1, 26.2.0, 26.2.1, 26.2.2, 26.3.0, 26.3.1, 26.3.2, 26.3.3, 26.4.0, 26.4.0.1 (yes), 26.4.1, 26.5.0, 27.0.0, 27.0.1, 27.0.2, 27.0.3, 27.1.0, 27.1.1, and 27.1.2

That sounds like ke

Re:Upgrade experience

[Waffle Iron]

Nowadays Mozilla devs have a peculiar way of treating new bug reports: first, they offer you to disable all add-ons, then reset all settings, then try a fresh profile. I don't like any of these "options".

Let's say you bring your pickup truck to the Ford dealer for warranty repairs because you claim it "handles like crap".

If they tell you to first remove the after-market 6-inch lift kit and 35-inch off road-tires that you installed, would that be unreasonable?

Re:

[Anonymous Coward]

Let's say the 6" lift kit and 35" off-road tires are used by > 50% of Ford truck owners. Would it be reasonable to assume Ford has some interest in making it work well with that setup?

Re:

[SeaFox]

Let's say the 6" lift kit and 35" off-road tires are used by > 50% of Ford truck owners. Would it be reasonable to assume Ford has some interest in making it work well with that setup?

Not if they are after-market parts -- you're putting Ford in the position of keeping track of what the aftermarket mod industry is doing. That's a classic case of the tail wagging the dog. Ford builds the truck to perform a certain way as they built it. If the owner adds a bunch of crap to it Ford had no design input on, they can't hold Ford responsible if the truck no longer performs the same.

If that suspension change was so popular, Ford would start offering the truck in that configuration from the factor

Re:

[Anonymous Coward]

The more accurate car analogy would be for you to remove the non-manufacturer provided tires you got from their approved retail partners, then delete your radio station presets and move your seats back to their initial positions, then replace the body with a new one.

I agree with the GP, if the problem is with the engine, fix the engine.

Re:Upgrade experience

[Artem S. Tashkinov]

For anyone who has the same problems (they are all caused by the same add-on): the culprit is

Status-4-Evar

Disable it and Firefox becomes functional, albeit without a status bar. I'm now trying to understand what status bar add ons still work with Firefox 52 (the status bar was removed aeons ago because Firefox developers believe no one needs it).

Re:

[Artem S. Tashkinov]

While we are at it, I've found it:

The Addon Bar (Restored) [mozilla.org] still works. Hopefully slashdotters will forgive me for 100+ messages in the comments section.

Re:

[Artem S. Tashkinov]

This add-on also breaks Firefox. So far there are no functional status bar addons for this version. :-(

Re:

[trawg]

I seem to have a functional status bar, just using Classic Theme Restorer!

Re:

[Blaskowicz]

Fun fact, I eventually tried Classic Theme Restorer and found it looked like ass anyway, like it didn't play well with the GTK theme and had some "default" looking colors or shape that would work fine on the Windows 7 x64 SP1 that everyone uses except linux users. The configuration GUI looks like a space shuttle simulator, which is why I went not far and moreover the Firefox 4 GUI isn't that "classic" to me. But I don't want to flame the authors or the users!

Hopefully Firefox moves on in a good way. After X

Re:

[trawg]

So I read your post in fear, backed up via MozBackup, and then upgraded to see what would happen.

Luckily I had none of the problems you did - except the font rendering has changed. This seems to be a global thing - tab titles look a little different (I think), but most notably almost every page I go to looks a little off - like the fonts aren't being smoothed properly, or something.

Super noticable on text heavy sites (like Gmail and Slashdot).

After the usual amount of fucking around trying to find what it w

Re:

[eam3]

I got lucky then. I updated to 52.0 and my bookmarks are fine (even in private mode), my add-ons are fine and it's working just like it was before. That's only on one computer though, have not tried it at home yet (Windows10/Linux Mint 18.1).

Re:

[Blaskowicz]

I recently ran some Tetris or Pacman type of game that was super smooth (and looked like early 80s, except it has to be about 1000-pixel wide now)
Well, it is butter smooth except for the garbage collection pause every second that makes it super jerky. It was not WebGL stuff though.

I wonder if we'll see 3D shit in web pages that suddenly makes your browser consume 1GB more memory, or half GB, pushing the PC into swap hell, not to mention "run out of swap" hell. I will eventually map a keyboard key to "killal

Re:

[rudy_wayne]

Considering how tightly Firefox is still integrated with Google (e.g. when you first start your browser, you get a Google cookie), I wouldn't call it "free money".

Google paid Mozilla hundreds of millions of dollars a year and all Mozilla had to do was put a Google search box in their browser. That's it. Nothing else. That "tight integration" doesn't require a lot of developers or hundreds of millions of dollars.

I call that free money.

When you have huge amounts of money constantly flowing in, with no requirement to deliver a decent product in return, you end up with a shit product, e.g., Firefox.

ESR branch!

[Anonymous Coward]

Phew, for a moment I thought it was an Eric S. Raymond branch ...

Securing a home server

[tepples]

Firefox 52.0 ESR implements a "This connection is not secure" warning for non-secure pages that require user logins

Imagine for a moment that you're seeing this notice on your home NAS. You'd consider making it secure, but a secure page requires a TLS certificate. Because friends and family bring their own smartphones, tablets, or laptops to access your home server, you don't want them to have to first install an internal root certificate. A TLS certificate that others already trust requires a domain because the CA/Browser Forum's Baseline Requirements forbids issuing a certificate for a made-up TLD or a private IPv4 address (such as 192.168/16). So now it appears everyone with a home server will have to buy a domain in order to make this go away.

Re:

[Tranzistors]

Oh, they should be informed that anyone on the network can sniff their password (which they most probably reuse). Even if they trust you to store it properly, they should not trust anyone else listening.

Re:

[tepples]

It's just a warning. And, I think you can just click the box that says "always trust this certificate."

Do the web browsers in video game consoles and set-top streaming boxes even have this box to check? If not, you can't use a self-signed certificate to stream to them from your NAS.

Re:

[tepples]

The connection to Firefox is that if you modify the site on your private network to make Firefox show the warning only once rather than on every visit, that may break your site on other devices.

Re:

[tepples]

Given that the NAS owner in your story will be using a self-signed cert (if he wasn't, then he would have been issued one by a Big CA, and he would already have a domain & etc...) and would _already_ be clicking through a "THIS IS A SELF-SIGNED CERT, ARE YOU SURE YOU WANNA DO THIS!?!?!?" warning

The NAS owner in my story was previously using cleartext HTTP. Switching from cleartext HTTP to HTTPS requires buying a domain.

Re:

[tepples]

Lolno. All it requires is creation of a local CA and signing a TLS cert with that CA.

How do you plan to install said local CA's root certificate on each device brought by a visitor to your home?

Re:

[tepples]

changes absolutely nothing about that situation. Prior to FF 52.0, your choices were:

* Create a self-signed TLS cert and deal with the warnings and rely on TOFU.
* Create a self-signed TLS cert and put your CA in each connecting device's trusted CA list.
* Get a Real Domain and get a TLS cert signed by a CA that everyone trusts.

Your comment did not list the fourth choice:

* Use cleartext HTTP instead of HTTPS.

After FF 52.0, your choices are exactly the same.

Firefox 52.0 adds a warning to the fourth choice, removing its advantage over "Create a self-signed TLS cert and deal with the warnings and rely on TOFU."

Self-signed certs can be used in a TOFU capacity with no loss of security.

Provided the device has a user interface for TOFU, as opposed to just giving an error message to the effect "Secure Connection Failed" that the device's user cannot override. I don't have an iPhone with which to test; does Safari for iOS have UI for TOFU?

Re:

[Anonymous Brave Guy]

Just be glad you're not using professional networking gear that gets installed and then stays mostly untouched for years. A lot of gear that is still in use dates from the era when plugins were necessary to do just about anything graphical in a browser-based UI, and all of them just broke completely with the removal of NPAPI support. (There is a note on the Mozilla web site that the ESR for 52 doesn't have this limitation, so it looks like anyone in that position has about a year more before Firefox won't s

the widely-used web browser

[QuietLagoon]

How Firefox's market share risen above 10% yet? What is Mozilla doing to make Firefox more compatible with sites that work well on other browsers?

.
https://www.netmarketshare.com... [netmarketshare.com]

Re:

[Anonymous Coward]

According to netmarketshare it's 11.7% if the desktop market using Firefox, which is over 10%. The number you pulled included ONLY version 51. You left our everyone using ESR, all the people with up-to-date Developer Edition, and everyone who hadn't yet received the then-latest update.

https://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0

Re:

[QuietLagoon]

According to netmarketshare it's 11.7% ...

Thanks for the update.... Now, about those rendering issues...

The important stuff for enterprise is:

[beat.bolli]

By setting security.enterprise_roots.enabled to true FF will check the Windows Certificate Store for CAs that can be pushed via GPO, so it should integrate more easily with Enterprise setups.

Who wants WebAssembly?

[Anonymous Coward]

The main sources of online vulnerabilities have been Java, Flash, Silverlight, Adobe PDF plugin, and of course javascript. Running executable code in the browser is not a good idea. So how is it that so many people think adding a new vulnerability is a good idea? The reason, of course, is services and the possible profit from them. I will not be using a browser with WebAssembly built in.

Re:

[bill_mcgonigle]

The reason, of course, is services and the possible profit from them.

Your paranoia has crossed over into pure nonsense here. Anyway, WebAssembly is easier to audit for security problems than a JavaScript JIT, so as JavaScript moves to WebAssembly as a backend you'll have even better security.

I will not be using a browser with WebAssembly built in.
. :rolleyes:

Not available in the oficial Mozilla site

[williamyf]

As of March 2PM Eastern time, the official Mozilla Firefox ESR site

https://www.mozilla.org/en-US/... [mozilla.org]

is still offering ESR 45.8.0 and NOT esr 52.0.0

Please notice that TFA links to their own download site and NOT Mozilla's

----------

As per the NPAPI support:

NPAPI support is there in the code, since the NPAPI Flash plug-in still works. Is only that Mozilla's developers decided to disable it for all other plugins.
Plugins that do not use NPAPI are failing because Firefox is slowly rolling out multiplrocess (proje

Re:

[CrashNBrn]

I've been on Nightly and Firefox Developer (Auora) for 3 - 4 years. All of the necessary Add-ons work just fine. I got rid of all of QuickSaver's extensions as he pre-announced that he wasn't going to support them any longer due to the upcoming FF 57.

Activity Stream (Mozilla)
Copy All Tab Urls WE
Enpass Password Manager
Greasemonkey
Multiple Tab Handler
Page Shot (Mozilla)
Session Manager
SnoozeTabs (Mozilla)
Stylish
Stylish-Custom
Tabhunter
Test Pilot (Mozilla)
Tree Style Tab
uBlock Origin
uMatrix
Vertical

Try Firefox 52 without installing

[pkrumins]

Hi all! I just added Firefox 52 to Browserling. You can try this latest Firefox version without installing right from your browser via this link:

www.browserling.com/firefox/52/slashdot.org [browserling.com]

We run the browsers in virtual machines and stream them to your browser. If the demand is too high then you'll have to wait in a queue for a while to try it. I'm adding more virtual machines right now to let more people try it without waiting.

ESR branch?

[Snard]

When I saw there was an ESR branch, my first thought is that they had renamed it to GNU/Firefox.