Firefox 74 Arrives With Stricter Add-on Rules, TLS 1.0 and TLS 1.1 Disabled

Mozilla today launched Firefox 74 for Windows, Mac, and Linux. Firefox 74 includes stricter rules for add-ons, TLS 1.0 and TLS 1.1 disabled by default, and a handful of developer features.

Been there, hated it

[AndyKron]

So once again all my addons disappear, right?

Re:Been there, hated it

[Halo1]

The stricter add-on rules mean that external applications can no longer install add-ons (you have to do it yourself), and you can remove previously externally installed add-ons from within the browser. No add-ons will disappear, nor are there new restrictions regarding what add-ons can do or which ones you can install.

Is that a joke ore are you that clueless?

[BAReFO0t]

A program, like an installer, that runs on your normal PC OS can alter the user space however it freaking likes! Including patching out bits of the Firefox binary, replacing libraries, etc.

Unless you got some RBAC system in place or run the installer through a debugger which allows you to decide what bits of itself it gets to execute.

Seems you drank too much of the content Mafia Kool-Piss.

Re:

[Lennie]

I think unless someone takes the effort to change the Firefox binaries or it's settings it just won't just load such an addon.

That's all it's doing as far as I know.

Re: Is that a joke ore are you that clueless?

[BAReFO0t]

Thanks for repeating what I said, ... I guess ...

"Flamebait" for speaking the truth.

[BAReFO0t]

Sorry if this rustles your jimmies, coke-headed Content Mafia THIEVES, but reality is reality, no matter how much you'd like to censor the fact that you are thieves, stealing from inventors and artists, to avoid working while snorting massive amounts of cocaine.

Leeches is all you are and ever will amount to.

Re:

[Bengie]

Correct, you can't stop federally criminal malware from completely hosing your computer. News at 11. We're talking about addons that don't attract the FBIs attention, like some bundled crap.

Now I'm just waiting for you to start talking about locking your doors won't prevent a Russian tank from running over your car.

Re:

[Teun]

You mean you got weird addons?
But you probably didn't read the article.

Auto-installed tool-bars

[DrYak]

If your browser looks like this crap [engadget.com] because you mindlessly click "okay" on any installer for free software that installs two new adw^H^H^H "useful toolbars as a free bonus",
then yes, you'll complain that all your "addons" disappear.

Re:

[lgw]

So what's the best ad-blocker for FF these days? I'd been using uBlock Origin, but it recently started requesting creepy permissions (ip address and hostname - no, you don't need that). I guess everything gets corrupted eventually.

Re:Been there, hated it

[Mashiki]

uBlock Origin. They're not requesting it, that's what FF's permissions label it as. You can read the more indepth info here. [reddit.com]

Re:Been there, hated it

[twocows]

It looks like Mozilla decided to remove the prompt for that particular permission going forward (at least for DNS requests). So this shouldn't be an issue in future versions.

Unsafe browser needed

[Presence Eternal]

So, is there a sandboxed, maintained browser that just trusts and permits everything? I'm increasingly needing something like that for older device interfaces etc.

Modern browsers are increasingly arrogant and willing to flat out refuse user whitelisting these days.

Re:

[slack_justyb]

Modern browsers are increasingly arrogant and willing to flat out refuse user whitelisting these days.

Because the vast number of users that use web browsers have no clue what white listing or for that matter what using your browser in a secure manner means. They just mindlessly click okay buttons and then wonder why their browser runs slow. You are a victim of the masses, ergo, you need a niche product. The problem happens to be that once you find that product, mindless drones will start heading for it as well and bring with it the same problem you are currently facing.. It is a game of cat and mouse.

Then why do you breed such people?

[BAReFO0t]

People are efficient. They act like morons when they know some idiot's gonna pad the room, put safety labels onto everything, and save their dumb asses every time.

You people breed those morons!
And in some perfect-consumer for-profit parts, I think even deliberately.

Tell them they are on their own, and what can happen, and they will suddenly show that they can think after all! Or natural selection will solve the problem on its own.
(Or, nicer, those people get a legal guardian for their mental disability.)

Re:

[serviscope_minor]

You people breed those morons!

And you're one of the morons. Sure, you can operate a web browser in a secure manner (I assume), but that doesn't make you a god amongst men. There's inevitably a bunch of stuff where you're just as useless as those morons you so seem to despise.

Re:

[xonen]

They just mindlessly click okay buttons and then wonder[..]It is a game of cat and mouse.

That's because a combination of big tech companies, Microsoft in particular, and governmental bodies, the EU in particular, have been training people for about 2 decades to click 'OK' on pretty much anything in order for their computer to keep working and continue doing whatever it was they were doing.

Most confirmations are totally useless (like the EU cookie law) or abracadabra for the non-tech user, or even meaningless and/or abracadabra for anyone. How Microsoft implemented UAC doesn't help either, any t

Re:

[thegarbz]

Modern browsers are increasingly arrogant and willing to flat out refuse user whitelisting these days.

I get your specific requirement, but after years of being proven that users are incredibly dumb and will act against their own self interest it's no longer "arrogance" to lock them out as much as it is necessit... oh brb just got an email with Britney_Spears_Nudes.jpg.scr in it. I'm sure it's not a virus this time. *click* *click*. Huh? Anyone know how to disable Windows Smartscreen in Windows 10? It's stopping me from doing some vital research.

Re:

[Retired ICS]

Open the Group Policy editor.
Find the policy "Send Private and Confidential Information to Microsoft"
Select ENABLE. Choose "Don't Ask and Never Send" from the drop down.
Save and close the policy editor.

Re:

[Killall -9 Bash]

Browser users aren't acting against their own will. Browsers are acting against users' will.

Cookies? Popups? Pop-unders? Notifications? Toolbars? Kill flash and Java, but leave JS and push for webasm???

Browsers hold us down while the internet fucks us.

Re:

[RitchCraft]

I know what you mean. I need to maintain a laptop that dual boots to 98 and 2K just so I can access the interface on some old HP print servers still in use. No way browsers today will access those old Java apps, or even recognize them any longer.

Re:

[Anonymous Coward]

In Texas, you can still be charged, even if you blow below the legal limit.

Re:

[JustAnotherOldGuy]

An obvious setup by the space alien lizard people. They kidnapped him(under orders from Hillary Clinton and the Deep State, injected him with alcohol, and then teleported him right back into his car seat right in front of a State Trooper.

Disabling TLS1.1 is aggressive

[guruevi]

We just got around to taking out SSLv3 across most organizations, most .NET Frameworks, Java and other large enterprise deployments are still chugging along with TLSv1 at least until Microsoft stops supporting Server 2016 and paid support for Windows 7 3 years from now.

Seriously? No, you're backwards.

[BAReFO0t]

TLS 1.2 is twelve freaking years old!

Oh, and who still uses Windows servers? (Even MS seems to slowly eliminate them nowadays.)

Re:

[SpinyManiac]

I know this is off topic, but TLS 1.3 is supported in Windows since version 1903.
https://stackoverflow.com/ques... [stackoverflow.com]

Re:

[Ed Avis]

Obviously they're aggressively disabling support for unencrypted HTTP as well, since that's even less secure than TLS 1.1. Right?

Which actual version would that be?

[BAReFO0t]

You know ... the version with semantic meaning.

Re:

[thegreatbob]

In the spirit of Eternal September (Today is Tue Sep 9688 1993), I'd say we're on around FF 5.180 (5.0 was the first Rapid Release version).

This was determined by pulling /pub/firefox/releases/ and trimming away beta, rc, esr, funnelcake, random crap e.g. 'real' and 'real-real', versions prior to 5.0, and subtracting 1 (for 5.0 itself) from the final count, which gives us minor version 180.

The problem is Firefoxes Nightly Automatic Updates

[tg123]

The problem for me with Firefox is the Nightly Automatic Updates which YOU CAN'T TURN OFF
breaking thigs so that third party add on that works so sweet blocking adds on a certain website
suddenly every morning stops working and you get a message that Firefox disabled this add on.

ahhhhhhhhhhhhhh !!!!!!!!!!!!!

Re:

[tg123]

*thing

Re:

[tg123]

and it wouldn't be so bad if it was a malicious addon that was blocked but what happens is the firefox coders either don't test their updates
or arbitrarily decide they don't like a certain developers addon's and disable their stuff with the nightly update.
[end rant]
very frustrating !!!

this worked for me

[gtall]

I'm on a mac but you can find windows instructions on where to put this. Create a "policies.json" file containing
{
"policies": {
"DisableAppUpdate": true
}
}

On the Mac, put it in a folder called "distribution". Next, (and this is a royal pain that must be done every new update), open FireFox.app/Contents/Resources and plunk the distribution folder in there.

I presume this will work with the latest firefox but it whacked that damn update notice and firefo

Re:

[tg123]

Thankyou will see if it works :-)

Re:

[tg123]

Hallelujah Hallelujah YES IT WORKS !!!

THANK YOU !!!

Have been trying to do this for about 12 months.

https://www.youtube.com/watch?... [youtube.com]
( 'Hallelujah Chorus' from Handel's Messiah )

Re:

[serviscope_minor]

The problem for me with Firefox is the Nightly Automatic Updates which YOU CAN'T TURN OFF

Why don't you install Firefox ESR then?

Re:

[tg123]

Well I am not an Enterprise and I am using it at home but thanks I will look into it.

Re:

[account_deleted]

Comment removed based on user account deletion

Curious...

[kaoshin]

So rather than just staging an XPI, malicious actors now have to compromise mozilla policy on a target system, which depending on the OS involves just dropping a different file? I hope I'm missing the part where this is more secure and not just security theater at the expense of users who apparently will no longer be able to install add-ons through their distro package managers, and admins who will need to rework organizational deployments.

Re:

[Cipheron]

Just because you can target a different *existing* vector doesn't make removing a known vector "less secure". If they could do that second method before, they can still do it, but you've removed one of their options.

Translator

[alantus]

What happened to that offline automatic translation a-la-Chrome that they've been promising for some time now?

TLS 1.0 and TLS 1.1 disabled by default

[xenobyte]

This instantly 'broke' the first site I accessed after the browser updated itself. Yes, I could enable them using a convenient button and access the site but this just shows that completely removing TLS 1.0 and TLS 1.1 is very much premature. Huge warnings are fine but removing them will force peolle to access those sites using unencrypted plaintext http and that surely is much worse?

Re:

[Lennie]

Actually, the button will just re-enable TLS/1.0 and TLS/1.1 so it's not less safe than it is now.

Also it's 800 000 websites on the whole web that have it.

Chrome will do the same this month too.

Better have Firefox do it first so people can get it fixed without more people having problems with it.