Mozilla Firefox 23.0 Now In Beta With New Features

Discussion in 'other software & services' started by lotuseclat79, Jun 30, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Mozilla Firefox 23.0 Now In Beta With New Features.

    -- Tom
     
  2. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I rarely used Firefox, and taking away that kind of functionality from the preferences UI just makes me not even reconsider Firefox at any moment. There are advanced settings that make sense to be hidden, but JavaScript and the other two aren't the case, IMHO. :blink:

    Heck, even Chrome (for some reason it's called Chrome ;)) doesn't go that far. And, trust me, many would ditch it for good if Google were to ever remove these advanced settings from the GUI. :argh:
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I fairly quickly looked over those three changes in an attempt to determine how extensive they are. Removing the ability to change a preference somewhere in Tools->Options is one thing. Removing the underlying support as well... completely eliminating the feature... is another. I also saw signs that they will be resetting some preferences back to the way they want them. FWIW, here are my notes. Bear in mind that things *might* change between now and the release of Firefox 23.

    Remove "Enable JavaScript" checkbox from Prefs
    https://bugzilla.mozilla.org/show_bug.cgi?id=851702

    1) User interface changes: Tools->Options->Content control elements removed
    2) Underlying support removed: None that I can see
    3) Forced preference resets: The following settings will be reset to their defaults: dom.disable_window_move_resize, dom.disable_window_flip, dom.event.contextmenu.enabled, javascript.enabled, permissions.default.image. Be sure to double check and readjust all but the last one as desired.

    Remove "Load images automatically" checkbox from Prefs
    https://bugzilla.mozilla.org/show_bug.cgi?id=851701

    1) User interface changes: Tools->Options->Content control elements removed
    2) Underlying support removed: permissions.default.image preference, site specific exceptions list, and related code removed. Those wishing to control the loading of images will have to use an addon.

    Remove the ability to not "Always show the tab bar"
    https://bugzilla.mozilla.org/show_bug.cgi?id=855370

    1) User interface changes: Tools->Options->Tabs "Always show the tab bar" checkbox removed
    2) Underlying support removed: browser.tabs.autoHide preference and code that shows/hides the tab bar removed from code. Those who don't use tabs and who don't like the loss of vertical real estate will have to use an addon.


    There are some other changes being pushed for (by the same guy/crew) that you might want to be aware of...

    Remove "ask me every time" as an option for cookies
    https://bugzilla.mozilla.org/show_bug.cgi?id=469260

    Do not surface the certificate manager in our UI
    https://bugzilla.mozilla.org/show_bug.cgi?id=851707

    Prevent hiding the NAV bar from the context menu/toolbar menu
    https://bugzilla.mozilla.org/show_bug.cgi?id=870545

    Remove TLS version UI (Options->Advanced->Encryption->Protocols)
    https://bugzilla.mozilla.org/show_bug.cgi?id=733632
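
To record which of the settings listed in the notes above are customised in a profile before upgrading, the profile's prefs.js can be scanned for them. This is an added example, not part of the original post and not Mozilla code; the sample prefs.js content is constructed, and the function names are hypothetical. It relies on two Firefox behaviours: prefs.js stores only user-changed values, and a user.js file in the profile folder is applied at every startup.

```python
import json
import re

# Preferences the post above lists as reset or removed in Firefox 23.
WATCHED = {
    "dom.disable_window_move_resize": "reset to default",
    "dom.disable_window_flip": "reset to default",
    "dom.event.contextmenu.enabled": "reset to default",
    "javascript.enabled": "reset to default",
    "permissions.default.image": "preference removed",
    "browser.tabs.autoHide": "preference removed",
}

# One prefs.js entry: user_pref("name", value);
LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than guess
    return prefs

def affected(prefs):
    """Customised prefs from WATCHED as (name, value, what happens) tuples."""
    return [(n, prefs[n], WATCHED[n]) for n in WATCHED if n in prefs]

def user_js_lines(prefs):
    """user.js lines that reapply customised values for prefs that still exist."""
    return ['user_pref("%s", %s);' % (n, json.dumps(v))
            for n, v, what in affected(prefs) if what == "reset to default"]

# Constructed sample, not taken from a real profile.
SAMPLE = '''// constructed sample prefs.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", false);
user_pref("permissions.default.image", 2);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("browser.tabs.autoHide", true);
'''

if __name__ == "__main__":
    for name, value, what in affected(parse_prefs(SAMPLE)):
        print("%-34s %-6r %s" % (name, value, what))
    print("\n".join(user_js_lines(parse_prefs(SAMPLE))))
```

Preferences reported as removed cannot be restored through user.js; per the notes above, those need an addon.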
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks, I'm starting to dislike that guy :doubt:
    I also noticed some versions ago that the certificate validation options were simplified. It used to be like this:
    Firefox-Certificate-Validation.png
    Now the option to validate all certs using a specified OCSP server is gone, which makes OCSP less effective, AFAIK. Attackers using a fake cert can attack the OCSP server as well, so the connection fails and, with default settings, the browser (and most other browsers as well) does not warn. If Firefox only validates a cert if it specifies an OCSP server, then it seems to me the attackers just have to change their fake cert so it doesn't specify one and it's trivially bypassed. It seems dumb to me to only let it validate if the cert tells you to; it makes the entire system kind of useless, just like when browsers don't warn when the server connection fails. I wonder if other browsers also just validate when the certificate tells them to.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Yeah, I remember that being removed. On the surface it seemed to me like something that would be useful to an individual or organization that wanted to run its own OCSP server/proxy for enhanced security and/or privacy. I suspect you'd have to be very careful to pick a server that you know can act as a proxy or otherwise answer correctly for all of the certs you might need to check.

    Edit: Somewhere I saw a chart of how each browser handles revocation checking. I can't find it now. I think I read, some time ago, that Google was moving away from CRL/OCSP queries towards use of a (non-thorough!) CRL set distributed via updates. I think I also saw, somewhere, some indication that you can configure it to (also?) use OCSP checks.
     
    Last edited: Jul 2, 2013
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,077
    Location:
    U.S.A.
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    That wasn't it, but I'm glad you shared that link, thanks. Breaking out the Firefox specific stuff:

    Has anyone come across explanations as to why Mozilla doesn't extend the same CRL & OCSP behaviors to non-EV certs? Edit: as an option at least.
     
    Last edited: Jul 3, 2013
  10. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Every new beta / release, Mozilla makes their grave S@#@ hole deeper and deeper ;)
     