Does Desktop Linux Have a Firefox Problem? (osnews.com) 164
But "I'm genuinely worried about the state of browsers on Linux, and the future of Firefox on Linux in particular..." While both GNOME and KDE nominally invest in their own two browsers, GNOME Web and Falkon, their uptake is limited and releases few and far between. For instance, none of the major Linux distributions ship GNOME Web as their default browser, and it lacks many of the features users come to expect from a browser. Falkon, meanwhile, is updated only sporadically, often going years between releases. Worse yet, Falkon uses Chromium through QtWebEngine, and GNOME Web uses WebKit (which are updated separately from the browser, so browser releases are not always a solid metric!), so both are dependent on the goodwill of two of the most ruthless corporations in the world, Google and Apple respectively.
Even Firefox itself, even though it's clearly the browser of choice of distributions and Linux users alike, does not consider Linux a first-tier platform. Firefox is first and foremost a Windows browser, followed by macOS second, and Linux third. The love the Linux world has for Firefox is not reciprocated by Mozilla in the same way, and this shows in various places where issues fixed and addressed on the Windows side are ignored on the Linux side for years or longer. The best and most visible example of that is hardware video acceleration. This feature has been a default part of the Windows version since forever, but it wasn't enabled by default for Linux until Firefox 115, released only in early July 2023. Even then, the feature is only enabled by default for users of Intel graphics — AMD and Nvidia users need not apply. This lack of video acceleration was — and for AMD and Nvidia users, still is — a major contributing factor to Linux battery life on laptops taking a serious hit compared to their Windows counterparts... It's not just hardware accelerated video decoding. Gesture support has taken much longer to arrive on the Linux version than it did on the Windows version — things like using swipes to go back and forward, or pinch to zoom on images...
I don't see anyone talking about this problem, or planning for the eventual possible demise of Firefox, what that would mean for the Linux desktop, and how it can be avoided or mitigated. In an ideal world, the major stakeholders of the Linux desktop — KDE, GNOME, the various major distributions — would get together and seriously consider a plan of action. The best possible solution, in my view, would be to fork one of the major browser engines (or pick one and significantly invest in it), and modify this engine and tailor it specifically for the Linux desktop. Stop living off the scraps and leftovers thrown across the fence from Windows and macOS browser makers, and focus entirely on making a browser engine that is optimised fully for Linux, its graphics stack, and its desktops. Have the major stakeholders work together on a Linux-first — or even Linux-only — browser engine, leaving the graphical front-end to the various toolkits and desktop environments....
I think it's highly irresponsible of the various prominent players in the desktop Linux community, from GNOME to KDE, from Ubuntu to Fedora, to seemingly have absolutely zero contingency plans for when Firefox enshittifies or dies...
Google's Chrome Begins Supporting Post-Quantum Key Agreement to Shield Encryption Keys (theregister.com) 13
"Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success." As a step down this path, Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115. This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:
* X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
* Kyber-768 — a quantum-resistant Key Encapsulation Method, and NIST's PQC winner for general encryption
In order to identify ecosystem incompatibilities with this change, we are rolling this out to Chrome and to Google servers, over both TCP and QUIC and monitoring for possible compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support. If you are a developer or administrator experiencing an issue that you believe is caused by this change, please file a bug.
The Register delves into Chrome's reasons for implementing this now: "It's believed that quantum computers that can break modern classical cryptography won't arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?" said O'Brien. "The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves." O'Brien says that while symmetric encryption algorithms used to defend data traveling on networks are considered safe from quantum cryptanalysis, the way the keys get negotiated is not. By adding support for a hybrid KEM, Chrome should provide a stronger defense against future quantum attacks...
Rebecca Krauthamer, co-founder and chief product officer at QuSecure, told The Register in an email that while this technology sounds futuristic, it's useful and necessary today... [T]he arrival of capable quantum computers should not be thought of as a specific, looming date, but as something that will arrive without warning. "There was no press release when the team at Bletchley Park cracked the Enigma code, either," she said.
Google Chrome Switching To Weekly Security Patch Updates (9to5google.com) 28
The current patch gap is around 15 days. It was previously 35 days before switching to patch updates every two weeks in 2020. Google expects weekly patch updates to result in security fixes shipping "3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult." This new schedule will also result in fewer unplanned updates that occur when there are known in-the-wild exploits: "By now shipping stable updates weekly, we expect the number of unplanned updates to decrease since we'll be shipping updates more frequently."
Google Fails To End $5 Billion Consumer Privacy Lawsuit (reuters.com) 29
The plaintiffs alleged that Google's analytics, cookies and apps let the Mountain View, California-based company track their activity even when they set Google's Chrome browser to "Incognito" mode and other browsers to "private" browsing mode. They said this let Google learn enough about their friends, hobbies, favorite foods, shopping habits, and "potentially embarrassing things" they seek out online, becoming "an unaccountable trove of information so detailed and expansive that George Orwell could never have dreamed it."
Microsoft's AI-Powered Bing Chat Is Coming To Mobile Browsers 9
Z-Library Rolls Out Browser Extensions In Anticipation of Domain Name Troubles (torrentfreak.com) 15
The new browser extensions are available for both Chrome and Firefox and promise 'seamless access' to alternative domains in the event that existing ones run into trouble. "Say goodbye to searching for available domains, as this handy extension takes care of everything for you. Simplify your online library experience and enjoy seamless access to a world of knowledge, right at your fingertips. After launching the extension, the process of searching for an available domain will begin. Within some seconds when the domain is found, you will be redirected to the library homepage," Z-Library explains.
While installing browser extensions should always happen with caution, in just a few hours thousands of Z-Library users have already installed the new software. According to the Chrome store, the Z-Library Finder currently has over 7,000 users. These extensions may indeed help to point users to new domain names, but the solution isn't bulletproof. The authorities may attempt to remove the listings from the Chrome and Firefox extension libraries, for example. Even if Z-Library decides to self-host these tools, they still rely on technical infrastructure that could be targeted in the future. That being said, the releases are still notable; it's rare to see a service going full steam ahead in the face of an active criminal case.
ChromeOS Is Splitting the Browser From the OS, Getting More Like Linux 19
On the browser side, ChromeOS would stop using the bespoke Chrome browser for ChromeOS and switch to the Chrome browser for Linux. The same browser you get on Ubuntu would now ship on ChromeOS. In the past, turning on Lacros in ChromeOS would show both Chrome browsers, the outgoing ChromeOS one and the new Linux one. Lacros has been in development for around two years and can be enabled via a Chrome flag. Tofel says his 116 build no longer has that flag since it's the default now. Google hasn't officially confirmed this is happening, but so far, the code is headed that way.
GameStop To Remove Crypto Wallets Citing 'Regulatory Uncertainty' (coindesk.com) 11
'Tor's Shadowy Reputation Will Only End If We All Use It' (engadget.com) 65
"This is not a hacker tool," said Pavel Zoneff, director of strategic communications at The Tor Project. "It is a browser just as easy to use as any other browser that people are used to." That's right, despite common misconceptions, Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity. This may sound familiar, because it's how a lot of people approach VPNs, but the difference is in the details. VPNs are just encrypted tunnels hiding your traffic from one hop to another. The company behind a VPN can still access your information, sell it or pass it along to law enforcement. With Tor, there's no link between you and your traffic, according to Jed Crandall, an associate professor at Arizona State University. Tor is built in the "higher layers" of the network and routes your traffic through separate tunnels, instead of a single encrypted tunnel. While the first tunnel may know some personal information and the last one may know the sites you visited, there is virtually nothing connecting those data points because your IP address and other identifying information are bounced from server to server into obscurity.
Accessing unindexed websites adds extra perks, like secure communication. While a platform like WhatsApp offers encrypted conversations, there could be traces that the conversation happened left on the device if it's ever investigated, according to Crandall. Tor's communication tunnels are secure and much harder to trace that the conversation ever happened. Other use cases may include keeping the identities of sensitive populations like undocumented immigrants anonymous, trying to unionize a workplace without the company shutting it down, victims of domestic violence looking for resources without their abuser finding out or, as Crandall said, wanting to make embarrassing Google searches without related targeted ads following you around forever.
Google's Nightmare 'Web Integrity API' Wants a DRM Gatekeeper For the Web 163
The goal of the project is to learn more about the person on the other side of the web browser, ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways. The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games, and help financial transactions be more secure. Perhaps the most telling line of the explainer is that it "takes inspiration from existing native attestation signals such as [Apple's] App Attest and the [Android] Play Integrity API." Play Integrity (formerly called "SafetyNet") is an Android API that lets apps find out if your device has been rooted.
Root access allows you full control over the device that you purchased, and a lot of app developers don't like that. So if you root an Android phone and get flagged by the Android Integrity API, several types of apps will just refuse to run. You'll generally be locked out of banking apps, Google Wallet, online games, Snapchat, and some media apps like Netflix. [...] Google wants the same thing for the web. Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
Google Urges Gmail Users to Enable 'Enhanced Safe Browsing' for Faster, More Proactive Protection (msn.com) 58
This enhanced security feature has been around for three years, but Google recently started putting a message in Gmail inboxes suggesting that people turn on Enhanced Safe Browsing.
Security experts told me that it's a good idea to turn on this safety feature but that it comes with trade-offs. The company already knows plenty about you, particularly when you're logged into Gmail, YouTube, Chrome or other Google services. If you turn on Enhanced Safe Browsing, Google may know even more about what sites you're visiting even if you're not signed into a Google account. It also collects bits of visual images from sites you're visiting to scan for hallmarks of scam sites.
Google said it will only use this information to stop bad guys and train its computers to improve security for you and everyone else. You should make the call whether you are willing to give up some of your privacy for extra security protections from common crimes.
Gmail users can toggle the feature on or off at this URL. Google tells users that enabling the feature will provide "faster and more proactive protection against dangerous websites, downloads, and extensions."
The Post's reporter also asked Google why it doesn't just enable the extra security automatically, and "The company told me that because Google is collecting more data in Enhanced Safe Browsing mode, it wants to ask your permission."
The Post adds as an aside that "It's also not your fault that phishing scams are everywhere. Our whole online security system is unsafe and stupid... Our goal should be to slowly replace the broken online security system with newer technologies that ditch our crime-prone password system for different methods of verifying we are who we say we are."
ChromeOS 115 Rolling Out: Android App Streaming, PDF Signatures (9to5google.com) 4
Android apps, which open in a phone-sized window, can be launched via the Phone Hub where you get a row of Recent apps at the bottom of the panel with the ability to browse all compatible "Apps from your phone." Applications can also open when you tap through a messaging notification. When opening PDFs in the Gallery app, ChromeOS 115 adds a signature tool. Appearing next to Draw in the top toolbar, you can add a signature, which is much easier with a touchscreen than a trackpad and save it for future use. You can place it in any document and resize the signature to ensure line fit. Lastly, Google has updated the keyboard Shortcuts app with "new navigation and taxonomy," improved search, and a "refreshed shortcut visualization" that better shows what to press.
Meanwhile, this is unmentioned in the stable release notes, but ChromeOS 115 is testing better windowing options in the beta channel. Hovering over the expand/minimize button in the top-right corner control group will show you a new layout menu. There's Split (half), Partial, Full and Float. That last option is new and makes it so that the window is always on top, just like Picture-in-Picture (PiP) for video. The other options were previously accessed by dragging a window and moving to the left/right side of the screen until an overlay appears. This approach is much more accessible and hopefully sees a wide launch soon. The announcement can be read here.
Google Starts the GA Rollout of Its Privacy Sandbox APIs To All Chrome Users (techcrunch.com) 11
macOS Sonoma Brings Apple Password Manager To Third-Party Browsers (macrumors.com) 19
Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.
Firefox 115 Released (mozilla.org) 61
* Hardware video decoding is now enabled for Intel GPUs on Linux.
* Migrating from another browser? Now you can bring over payment methods you've saved in Chrome-based browsers to Firefox.
* The Tab Manager dropdown now features close buttons, so you can close tabs more quickly.
* The Firefox for Android address bar's new search button allows you to easily switch between search engines and search your bookmarks and browsing history.
* We've refreshed and streamlined the user interface for importing data in from other browsers.
* Users without platform support for H264 video decoding can now fall back to Cisco's OpenH264 plugin for playback.
But the most important feature is that this release is the new ESR. Why is this important, y'all ask? Well:
* Many a "downstream" project depends on Firefox ESR, for example the famous email client Thunderbird, or KaiOS (a mobile OS very popular in India, SE Asia, Africa and LatAm), so, for better or worse, whatever made it to (or is lacking from) this version of the browser, those projects have to use for the next year.
* Firefox ESR is the default browser of many distros, like Debian and Kali Linux, so, whatever made it to this version will be there for next year, ditto to whatever is lacking.
* If you are on old, unsupported OSs, like Windows 7, 8-8.1 or MacOS 10.14 (Mojave, the last MacOS with support for 32-bit apps), 10.13 or 10.12, you will automatically be migrated to Firefox ESR, so this will be your browser until Sept. 2024.
Google's New Standard For ChromeOS: 'Chromebook X' (9to5google.com) 27
Aside from the added "X," what actually sets a Chromebook X apart from other devices is the hardware inside. Specifically, Google appears to require a certain amount of RAM, a good-quality camera for video conferencing, and a (presumably) higher-end display. Beyond that, Google has so far made specific preparations for Chromebook X models to be built on four types of processors from Intel and AMD (though newer generations will likely also be included): AMD Zen 2+ (Skyrim), AMD Zen 3 (Guybrush), and Intel Core 12th Gen (Brya & Nissa).
To further differentiate Chromebook X models from low-end Chromebooks, Google is also preparing an exclusive set of features. As mentioned, one of the key focuses of Chromebook X is video conferencing, with Google requiring an up-to-spec camera. Complementing that hardware, Google is bringing unique features like Live Caption (adding generated captions to video calls), a built-in portrait blur effect, and "voice isolation." Earlier this year, we reported that ChromeOS was readying a set of "Time Of Day" wallpapers and screen savers that would change in appearance throughout the day, particularly to match the sunrise and sunset. We now know that these are going to be exclusive to Chromebook X devices. To ensure that those wallpapers only appear on Chromebook X and can't be forcibly enabled, Google is preparing a system it calls "feature management." At the moment, feature management is only used to check whether to enable Chromebook X exclusives. Based on that, some other exclusive features of Chromebook X include: support for up to 16 virtual desks; "Pinned" (available offline) files from Google Drive; and a revamped retail demo mode.
Windows 11 Update Breaks Chrome for Some Antivirus Software Users (bleepingcomputer.com) 49
Then Friday BleepingComputer reported that the same update "also breaks Google Chrome on systems protected by Cisco and WatchGuard EDR and antivirus solutions." "We deploy Secure Endpoint 8.1.7 to our few thousand devices, and we started getting a mountain of reports this morning that Google Chrome would not appear on the screen after attempting to open it," one admin said. "With a little trial & error, I found that killing the Secure Endpoint service or uninstalling Secure Endpoint will allow Chrome to open again..."
WatchGuard staff also confirmed on Friday that Google Chrome wouldn't open on Windows 11 after installing KB5027231 if anti-exploit protection is enabled in the company's Endpoint Security software.
Thanks to Slashdot reader boley1 for sharing the news.
Google Lifts Ban on Downloader App (arstechnica.com) 10
"The app was removed on May 19th due to the DMCA takedown request," developer Elias Saba wrote in a blog post today. "Instead of recognizing the absurdity of the claim that a web browser is somehow liable for all the unauthorized use of copyrighted content on the Internet, Google took a backseat and denied my appeal to have the app reinstated." The free app has been downloaded over 5 million times on Google Play and is available on the Amazon app store for devices such as Fire TVs. In addition to the rejected appeal, Saba filed a DMCA counter notification with Google. That "started a 10-business-day countdown for the [TV companies'] law firm to file legal actions against me," Saba wrote today. "Due to the app being removed on a Friday and the Memorial Day holiday, 10 business days had elapsed with no word from the law firm on June 6th and I contacted Google to have the app reinstated."
Google's Password Manager Gains Biometric Authentication on Desktop (techcrunch.com) 18
Exactly which types of biometrics are available in Password Manager on desktop will depend on the hardware attached to the PC, of course (e.g. a fingerprint reader), as well as whether the PC's operating system supports it. Beyond "soon," Google didn't say when to expect the feature to arrive.