firefox 25 is out

hi
firefox 25 is out
sadly again can't find the change logs

you can get it here

all languages
_ftp://ftp.mozilla.org/pub/firefox/releases/25.0/win32/

enlgish
_ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/25.0/win32/en-US/Firefox%20Setup%2025.0.exe

maybe someone can find the changelogs

cheers

 

tnx m8!

i could not find the changelog but here are some of the new features:
http://www.phoronix.com/scan.php?page=news_item&px=MTQ5Nzk

 

v25 is being offered through the internal updater already - nice. Supposedly this version supports TLS 1.2, but that's not mentioned on the phoronix page. We need BoerenkoolMetWorst to check it out for us

Edit:

TLS defaults are still 1 and 0

security.tls.version.max = 1
security.tls.version.min = 0

 

Release Notes
http://www.mozilla.org/en-US/firefox/25.0/releasenotes/

 

Yes, TLS 1.1 and 1.2 are still disabled by default

They do now finally show details on the used SSL cipher:

 

I wonder if forcing TLS to max=2 and min=1 works now? And by the way there's an update for Calomel SSL Validation.

 

Is the a real benefit changing this?? thanks

 

I don't know why it shouldn't work, I have it to max=3 for quite a while now.
If you want to be sure what TLS/SSL versions and ciphers are enabled you can check it here:
https://www.ssllabs.com/ssltest/viewMyClient.html
https://mikestoolbox.net

You mean enabling TLS 1.1 and 1.2 manually?
Yes, because Beast and Crime attack only work on TLS 1.0 and SSL 3.0

 

Ah, I see that TLS max needs to be set to "3" to enable TLS 1.2, thanks. I also changed TLS min to "2", but I'm seeing that SSL 3 is still enabled. Does SSL 3 need to be manually disabled and would you recommend that?

Edit: Just noticed if I set TLS Min=2 I can't load the Bank of America website so Changed TLS Min back to 1. Maybe I should tell them to upgrade their TLS implementation? I'm sure they'd listen

Edit 2: Is this related at all to FIPS? Do you have FIPS enabled too?

Edit 3: Answering my own question here: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation

 

Implement TLS 1.1 (RFC 4346) in Gecko (Firefox, Thunderbird), on by default
Status: RESOLVED FIXED
Target Milestone: mozilla28
https://bugzilla.mozilla.org/show_bug.cgi?id=733647

Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default
Status: NEW (clone)
Target Milestone: mozilla28
https://bugzilla.mozilla.org/show_bug.cgi?id=861266

 

If you set TLS min to 1 or higher SSL3 will be disabled, but as noted on the test, only the highest enabled protocols can be reliably detected. Afaik TLS 1.0 is a tiny bit more secure than SSL 3, so for security you can disable it.

Unfortunately there are still a lot of sites that don't support TLS 1.1 and/or 1.2, so if you disable SSL 3 and TLS 1.0 by setting TLS Min=2 that can break a lot of sites. Just disabling SSL 3 should be fine though. Contacting sites about it is a good incentive but big institutions are indeed less likely to listen..

You answered it already yourself, but keep in mind that while FIPS mode is nice, it disables RC4 ciphers. Because the BEAST attack exploits a vulnerability in AES in CBC mode (Which is afaik almost all commonly used AES ciphers, except the new AES in GCM mode, but support for that is even less than TLS 1.2 support) at the time is was suggested for websites to disable AES-CBC and use the older RC4. RC4 is however cryptographically weaker and not much later, a practical attack against RC4 was discovered. Also, AES-CBC is safe from BEAST in TLS 1.1 and higher. Unfortunately there are still a lot of sites that only support RC4 ciphers.

Firefox is really lagging behind the other major browsers

 

The option to disable updating using a background service is gone from the GUI..
I can't find it in about:config, though I can't find it in about:config in v24 either.

 

If you install FF, using the full installer, and decline the updater installation (by doing a custom install), you don't get the background service option (because it doesn't exist!)

I haven't ever had the option because I manually upgrade with the full installer package (not the online updater or stub installer.)

 

They have seriously priority issues (see: supporting XP users)

 

Link please....

 

http://www.neowin.net/news/mozilla-...ws-xp-after-microsoft-ends-support-for-the-os

 

Vulnerabilities fixed:

Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

Yes, you're correct, thanks

 

Thanks for the link. How is the choice to continue support for XP a priority issue?

 

It isn't on it's own. Mozilla have shown that their dev team just isn't anywhere near as capable as the Chromium team, and push very few changes with each release. Many releases have had random useless features (e.g. social crap) when people are sitting wondering when they will work on 64bit support, separate threads, sandboxing, TLS 1.2 support, the list goes on.

This is what I mean by priority issues.

 

Ok, thanks for the explanation. I would also like to see them make faster progress implementing the latest security standards. FWIW TLS 1.2 appears to work in v25, it's just not ON by default.

Regarding security, have a look at the latest version of the Calomel SSL Validation extension.

 

Thanks for the heads up. This is a huge update that I've been waiting for for awhile.

And Calomel is really on the ball too, right there with an update of their own to accommodate the changes. I've been waiting to tick that box for TLS 1.2 support for awhile now, and now have. I make the mods manually in the about:config first, but look at the ticked boxes in Calomel as a way of sort of locking them in and protecting from modification.

I have TLS max set to 3, and min to 2. SSL3 disabled. And have the FIPS and PFS boxes checked as well. All but 1 site I use is working fine with the new settings.

And I don't see why Firefox wouldn't still put emphasis on an OS that is still being supported by Microsoft, is probably the most loved OS ever created, and still used by many people, especially businesses. I don't get why this angers people. It shouldn't prevent them from also putting priority on the newer OS's... I'm sure they have enough people working for them to handle both tasks.

 

thx, while chrome is faster to start up and faster to run with all the addons and extensions, I trust firefox since its open source and not nsa connected

 

Does anybody know anything about whether HTML5 was integrated into this version? I've heard that it was supposed to be. As of now I'm using an addon for it. If it's no longer necessary I'd like to be able to remove it and be able to use it natively through the browser.