Mozilla Firefox 23.0 Now In Beta With New Features

Discussion in 'other software & services' started by lotuseclat79, Jun 30, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Mozilla Firefox 23.0 Now In Beta With New Features.

    -- Tom
  2. siljaline

    siljaline Former Poster

  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

  4. m00nbl00d

    m00nbl00d Registered Member

    I rarely used Firefox, and by taking away that kind of functionality from the preferences UI, just makes not even reconsider Firefox at any moment. There are advanced settings that make sense to be hidden, but JavaScript and the other two aren't the case, IMHO. :blink:

    Heck, even Chrome (for some reason it's called Chrome ;)) doesn't go that far. And, trust me, many would ditch it for good if Google were to ever remove these advanced settings from the GUI. :argh:
  5. TheWindBringeth

    TheWindBringeth Registered Member

    I fairly quickly looked over those three changes in an attempt to determine how extensive they are. Removing the ability to change a preference somewhere in Tools->Options is one thing. Removing the underlying support as well... completely eliminating the feature... is another. I also saw signs that they will be resetting some preferences back to the way they want them. FWIW, here are my notes. Bear in mind that things *might* change between now and the release of Firefox 23.

    Remove "Enable JavaScript" checkbox from Prefs

    1) User interface Changes: Tools->Options->Content control elements removed
    2) Underlying support removed: None that I can see
    3) Forced preference resets: The following settings will be reset to their defaults: dom.disable_window_move_resize, dom.disable_window_flip, dom.event.contextmenu.enabled, javascript.enabled, permissions.default.image. Be sure to double check and readjust all but the last one as desired.

    Remove "Load images automatically" checkbox from Prefs

    1) User interface changes: Tools->Options->Content control elements removed
    2) Underlying support removed: permissions.default.image preference, site specific exceptions list, and related code removed. Those wishing to control the loading of images will have to use an addon.

    Remove the ability to not "Always show the tab bar"

    1) User interface changes: Tools->Options->Tabs "Always show the tab bar" checkbox removed
    2) Underlying support removed: browser.tabs.autoHide preference and code that shows/hides the tab bar removed from code. Those who don't use tabs and who don't like the loss of vertical real estate will have to use an addon.

    There are some other changes being pushed for (by the same guy/crew) that you might want to be aware of...

    Remove "ask me every time" as an option for cookies

    Do not surface the certificate manager in our UI

    Prevent hiding the NAV bar from the context menu/toolbar menu

    Remove TLS version UI (Options->Advanced->Encryption->Protocols)
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Thanks, I'm starting to dislike that guy :doubt:
    I also noticed some versions ago that the certificate validation options were simplified, it used to be like this:
    Now the option to validate all certs using a specified OCSP server is gone. Which makes OCSP less effective Afaik. Attackers using a fake cert can attack the OCSP server as well so the connection fails and with default settings, the browser(and most others browsers as well) does not warn. If Firefox only validates a cert if it specifies an OCSP server, then it seems to me the attackers just have to change their fake cert to it doesn't specify one and it's trivially bypassed. It seems dumb to me to only let it validate if the cert tells you to, it makes the entire system kind of useless, just like when browsers don't warn when the server connection fails. I wonder if other browsers also just validate when the certificate tells it to.
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Yeah, I remember that being removed. On the surface it seemed to me like something that would be useful to an individual or organization that wanted to run its own OCSP server/proxy for enhanced security and/or privacy. I suspect you'd have to be very careful to pick a server that you know can act as a proxy or otherwise answer correctly for all of the certs you might need to check.

    Edit: Somewhere I saw a chart of how each browser handles revocation checking. I can't find it now. I think I read, some time ago, that Google was moving away from CRL/OCSP queries towards use of a (non-thorough!) CRL set distributed via updates. I think I also saw, somewhere, some indication that you can configure it to (also?) use OCSP checks.
    Last edited: Jul 2, 2013
  8. JRViejo

    JRViejo Global Moderator

  9. TheWindBringeth

    TheWindBringeth Registered Member

    That wasn't it, but I'm glad you shared that link, thanks. Breaking out the Firefox specific stuff:

    Has anyone come across explanations as to why Mozilla doesn't extend the same CRL & OCSP behaviors to non-EV certs? Edit: as an option at least.
    Last edited: Jul 3, 2013
  10. demoneye

    demoneye Registered Member

    every new beta / release Mozilla make their grave S@#@ hole deeper and deeper ;)
Thread Status:
Not open for further replies.