|
|
Log in / Subscribe / Register

Firefox 70 released

[Posted October 22, 2019 by corbet]

Version 70 of the Firefox web browser is out. The headline features include a new password generator and a "privacy protection report" showing users which trackers have been blocked. "Amazing user features and protections aside, we’ve also got plenty of cool additions for developers in this release. These include DOM mutation breakpoints and inactive CSS rule indicators in the DevTools, several new CSS text properties, two-value display syntax, and JS numeric separators." See the release notes for more details.
to post comments

Firefox 70 released

Posted Oct 23, 2019 0:52 UTC (Wed) by flussence (guest, #85566) [Link] (13 responses)

I don't trust Mozilla to “protect” me after the Verizon viral marketing backdoor RCE farce. They're certainly protecting Google's bottom line though: https://www.jeremiahlee.com/posts/page-translator-is-dead/

Firefox 70 released

Posted Oct 23, 2019 4:05 UTC (Wed) by roc (subscriber, #30627) [Link]

What exactly do you think Mozilla's evil intent is there?

Firefox 70 released

Posted Oct 23, 2019 6:06 UTC (Wed) by rsidd (subscriber, #2582) [Link] (11 responses)

Mozilla has valid concerns about third-party extensions loading third-party code -- but in this case they should just adopt the translation extension and maintain it themselves! It is probably the single most useful thing in Chrome that is not in Firefox.

Firefox 70 released

Posted Oct 23, 2019 8:19 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (10 responses)

Firefox is working on an offline translator that will run entirely on a local computer.

Firefox 70 released

Posted Oct 23, 2019 9:01 UTC (Wed) by rsidd (subscriber, #2582) [Link] (9 responses)

Catching up to Google's standard would be rather challenging -- if they do I'll be impressed. Google's deep-net stuff has dramatically improved their translations in recent years. They even handle Indian languages quite well these days, which have a very different grammar and many quirks in declension, conjugation, word-combination, etc. I would think even Google can't do an offline translate with similar quality.

The point is, it is a useful extension. Google is offering it for free. Integrating it into Firefox doesn't seem any worse than integrating Google Search into Firefox (as an option).

Firefox 70 released

Posted Oct 23, 2019 9:13 UTC (Wed) by roc (subscriber, #30627) [Link] (5 responses)

I think if Mozilla could have integrated Google Translate into Firefox, they would have. I suspect Google would ask them to pay a lot of money for that API key.

Firefox 70 released

Posted Oct 25, 2019 9:54 UTC (Fri) by kilobyte (subscriber, #108024) [Link] (4 responses)

They made an OFF-LINE translator, which is worlds better. Besides working without network, it ensures privacy -- Google reads every single document you want translated.

Firefox 70 released

Posted Oct 25, 2019 10:41 UTC (Fri) by rsidd (subscriber, #2582) [Link] (3 responses)

It is not offline. The very name DeepL suggests a deep network at their end.

Firefox 70 released

Posted Oct 25, 2019 11:33 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

> It is not offline. The very name DeepL suggests a deep network at their end.

You are incorrect. They are going to be using Bergamot

https://www.zdnet.com/article/firefox-to-get-page-transla...

"Instead of relying on cloud-based text translation services (like Google Translate, Bing Translator, or Yandex.Translate), Firefox will use a client-side, machine learning-based translation library."

Firefox 70 released

Posted Oct 25, 2019 11:41 UTC (Fri) by rsidd (subscriber, #2582) [Link] (1 responses)

Sorry, misread the thread context. I thought you were talking about DeepL (referred to elsewhere) and whether it's better than Google Translate (debatable). But good offline translation is going to be... a challenge.

Firefox 70 released

Posted Oct 26, 2019 23:43 UTC (Sat) by pabs (subscriber, #43278) [Link]

There is Apertium for open source offline translation, but it isn't using ML and is not as anywhere near as good as Google/etc

https://www.apertium.org/

Firefox 70 released

Posted Oct 23, 2019 14:21 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (2 responses)

There was discussion on Hacker News[1] about how Google Translate has fallen behind in numerous ways. Maybe it's seen as good as long as one endpoint is English rather than doing non-English to non-English translation?

[1]https://news.ycombinator.com/item?id=21321541

Firefox 70 released

Posted Oct 25, 2019 7:18 UTC (Fri) by flussence (guest, #85566) [Link] (1 responses)

That's not surprising. Anything at Google that doesn't contribute to their main business of paperclip-maximizing mass surveillance and human manipulation is usually killed off or left to bitrot. The translate service, being a primarily on-demand thing, wasn't spared.

Firefox 70 released

Posted Oct 25, 2019 8:35 UTC (Fri) by rsidd (subscriber, #2582) [Link]

The link in the GP didn't say Google had become worse, only that another (DeepL) was better. I wasn't aware of DeepL -- thanks for that.

I gave both a quick shot at a passage from today's Le Monde. Here are the results. While DeepL is impressive, it's certainly not better than Google: it translates l'engin as "the aircraft" and uses the odd (if not ungrammatical) phrase "rescued the passengers while injured himself". DeepL also translates "choc" to "shock" rather than "impact" which is more appropriate. On the other hand, Google mangles the next line to "This is what says, Friday, October 25, the management of the company", which DeepL gets correct. I'd call it a toss.

And Google is the only realistic choice for non-western languages. But of course I hope DeepL and others catch up: we need competition.

Original:
La SNCF va « renforcer les équipements d’alerte radio en cas de choc important » pour les autorails grande capacité (AGC). C’est ce que dit, vendredi 25 octobre, la direction de la société dans un courrier accompagnant un rapport interne sur l’accident survenu mercredi 16 octobre, quand un TER reliant Charleville-Mézières à Reims a percuté un convoi routier exceptionnel coincé sur un passage à niveau. Onze personnes avaient été blessées. Le conducteur, qui a porté secours aux passagers alors qu’il était lui-même blessé, était le seul agent SNCF à bord du train. La collision a par ailleurs endommagé des organes d’alerte essentiels de l’engin.

Google:
SNCF will "reinforce radio warning equipment in the event of a major impact" for high-capacity railcars (MCO). This is what says, Friday, October 25, the management of the company in a letter accompanying an internal report on the accident occurred Wednesday, October 16, when a TER connecting Charleville-Mézières to Reims hit an exceptional road convoy stuck on a Railroad Crossing. Eleven people were injured. The driver, who rescued passengers while he himself was injured, was the only SNCF agent on the train. The collision also damaged vital warning devices of the machine.

DeepL:
SNCF will "reinforce the radio alert equipment in the event of a major shock" for high-capacity railcars (AGC). This is what the company's management said on Friday, October 25, in a letter accompanying an internal report on the accident that occurred on Wednesday, October 16, when a TER linking Charleville-Mézières to Reims struck an exceptional road convoy stuck on a level crossing. Eleven people were injured. The driver, who rescued the passengers while injured himself, was the only SNCF agent on board the train. The collision also damaged essential warning devices of the aircraft.

Firefox 70 released

Posted Oct 23, 2019 7:09 UTC (Wed) by josh (subscriber, #17465) [Link] (18 responses)

I'm enthusiastic about built-in password generation. That removes the most error-prone step of a good password policy for novice users:

- Install Firefox on every device you use (laptops and phones both). (Someone can help with this.)

- Set up a Firefox Account (formerly Firefox Sync). (Someone can help with this too.)

- When you create a new account, generate a new strong password you've never used before. (This needs a good password generator.)

- Let the browser remember it. Don't try to remember it yourself.

- Don't ever type in a password to log into an account; if Firefox doesn't fill it in for you, the site is either broken or not the site you think it is.

Firefox 70 released

Posted Oct 23, 2019 7:47 UTC (Wed) by kragil (guest, #34373) [Link] (13 responses)

Storing all your passwords in one place, what could possibly go wrong.

Firefox 70 released

Posted Oct 23, 2019 14:19 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (12 responses)

I think you missed this part:

> for novice users

Personally, I need passwords outside the browser, so a browser-based password manager is immediately off my list. But, it seems reasonable for most people.

Firefox 70 released

Posted Oct 23, 2019 19:34 UTC (Wed) by josh (subscriber, #17465) [Link] (11 responses)

I need occasional passwords outside the browser too, so I copy them out of Firefox when I need them.

Firefox 70 released

Posted Oct 24, 2019 0:08 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (10 responses)

I envy you that you just have passwords to deal with :) . TOTP secrets, SSH keys, support for doing this on Android (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller? Will it act as an ssh-agent? gpg-agent? TOTP seems a little silly to store beside the password database (at least behind a single password).

Personally, I use a LUKS-encrypted USB key with some udev properties, automount rules, and udiskie to get it to act the way I want (mount on-demand once unlocked, unmount after a short inactivity window, mount at a static location, etc.) as the backing store (this is duplicated and geographically backed up as well). I don't think Firefox is going to be able to replace all the use cases I have for it (which includes storing credentials for things that store passwords in static files like cargo, fedpkg, or copr via symlinks).

Firefox 70 released

Posted Oct 24, 2019 17:46 UTC (Thu) by josh (subscriber, #17465) [Link] (9 responses)

> TOTP secrets

I use an authenticator app for those.

> SSH keys

Those aren't passwords, so I don't expect a password manager to handle those. Those just go in my home directory in the normal place.

> support for doing this on Android

I use Firefox on Android, and it syncs passwords to there.

> (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller?

That would be nice, and I'd love to see that. But in the meantime, I just use an extension that provides a password manager UI for Firefox for Android, and it has a "copy password" option. I can then paste into an app.

Firefox 70 released

Posted Oct 24, 2019 18:58 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (7 responses)

> I use an authenticator app for [TOTP secrets].

With access to the password store and TOTP secrets essentially guarded by just a PIN code or fingerprint (and the same one at that), I don't find a compelling argument that having both on a device is actually using two factors (or does Firefox Sync make you unlock it after each use?). All my password database applications are set up to require a password on any use (with a longer timeout where it makes sense). The TOTP secrets are just guarded by either the Yubikey (which is a thing-you-have) that has a remembered password on my trusted devices (so that just stealing it isn't an end-of-the-world problem) or is stored on an encrypted USB drive (using the aforementioned setup). That actually keeps the thing-you-have property of the second factor.

> I use Firefox on Android, and it syncs passwords to there.

I use Klar (the always-private-browsing-mode variant) which doesn't as my main browser. I also have the Android variant installed, but mainly for just having an easy way to share pages through it to my other machines via Firefox Sync. Granted, not a problem for most :) .

In any case, it seems that I'll need to figure out some other syncing mechanism for Android since things like Syncthing (which I use) and Dropbox are basically dead with the new API restrictions that will be required next year (the Q API doesn't allow direct filesystem access and Google has been raising the minimum allowed version about a year after it was introduced). Hopefully F-Droid can extend my usage until a new solution is found, but I have low hopes for Google being reasonable here.

Firefox 70 released

Posted Oct 25, 2019 18:24 UTC (Fri) by raven667 (guest, #5198) [Link] (6 responses)

> having both on a device is [not] actually using two factors

Sure, that's true but it's better than TOTP over SMS (hi @jack) and even SMS TOTP is better than not and prevents millions of account takeovers. I too have TOTP tokens on a Yubikey (to make it easier to switch between phone, laptop and desktop) but even getting people to use a password manager at all is a pretty heavy lift and more inconvenience that many will tolerate, so anything that makes it easier lowers the bar for use and raises the bar for minimum security, its something that scales to improve the security for billions of people, in a way that complex multi-step procedure does not.

Firefox 70 released

Posted Oct 25, 2019 18:48 UTC (Fri) by apoelstra (subscriber, #75205) [Link] (4 responses)

> even SMS TOTP is better than not and prevents millions of account takeovers

Maybe. But it causes phone accounts to be taken over, and unlike the situation online accounts, this cannot be prevented by conscientious users. The fact that many websites (especially American banks) *require* SMS based 2FA has been a massive detriment to my security, and the security of many people I know.

Firefox 70 released

Posted Oct 28, 2019 18:51 UTC (Mon) by raven667 (guest, #5198) [Link] (3 responses)

> Maybe. But it causes phone accounts to be taken over, and unlike the situation online accounts, this cannot be prevented by conscientious users.

Is security something that only conscientious users should enjoy, or something that should be baked into the defaults. I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

> SMS based 2FA has been a massive detriment to my security

Compared to passwords alone without any second factor? SMS 2FA is worse than just bare passwords, is that your claim?Needing to do SIM cloning to intercept SMS is a significantly higher bar than just compromising the Cat Fancy blog comment system and trying all the creds on Bank of America website or similar. Its not that its impossible to beat, we both know it isn't, but whether it's better than the status quo. Password managers and random shared secrets are better than using shared common passwords across many sites, SMS 2FA is better, Phone 2FA is better still and an external token is best.

Firefox 70 released

Posted Oct 28, 2019 21:11 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (1 responses)

I think the issue is that companies add SMS 2FA and say they're done. Supporting the more secure variants is still necessary for those who want to be more secure. But too often I've seen response along the lines of "but we have it already" and having to explain why it's not sufficient for me is exhausting. I should probably push hard on my financial institutions (e.g., Fidelity finally has SMS which I did enable, but while other methods are possible across their setup, they're not available for my account type).

Firefox 70 released

Posted Oct 28, 2019 22:31 UTC (Mon) by pizza (subscriber, #46) [Link]

Plus, even putting aside the security flaws inherent to SMS, reliable SMS delivery is not a given -- for example, during international travel. Or should your phone suffer a catastrophic failure. Or both simultaneously.

Firefox 70 released

Posted Oct 29, 2019 20:56 UTC (Tue) by apoelstra (subscriber, #75205) [Link]

> Is security something that only conscientious users should enjoy, or something that should be baked into the defaults.

Of course security should not be limited to conscientious users, but SMS 2FA strictly increases the conscientiousness you need to be secure. With 1FA you need to use strong unique passwords; with SMS 2FA you also need to use non-public throwaway phone numbers. I know several people personally who have had their numbers ported, which led to multiple simultaneous account compromises (even when using unique passwords), not to mention being extremely inconvenient.

> I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

It doesn't seem to put any strain on the phone system's security. Phone companies are happy to let attackers port arbitrary numbers with basically no resistance and then absolve themselves of all responsibility. As far as I know no legal system in the world holds them accountable for this.

Firefox 70 released

Posted Oct 26, 2019 12:45 UTC (Sat) by mathstuf (subscriber, #69389) [Link]

The main problem I have with TOTP-over-SMS is that I can't back it up. I have TOTP secrets encrypted and geographically backed up. I can't do that with my SIM card (well, at least not without SIM hijacking or swapping myself). Not to mention the lack of trust I have for telephone companies in the first place.

As for getting people to use password managers, I have gotten my family onto LastPass. They also have Yubikeys now, but that involves some more instruction over time and hasn't been as easy for them to start using. Now that U2F is more widely available, hopefully there will be some time over the holidays to get that working for them.

Firefox 70 released

Posted Oct 25, 2019 8:37 UTC (Fri) by christoph.gysin (guest, #57794) [Link]

> > (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller?

> That would be nice, and I'd love to see that. But in the meantime, I just use an extension that provides a password manager UI for Firefox for Android, and it has a "copy password" option. I can then paste into an app.

It's already there, and it's called Firefox Lockwise. For both iOS and Android.

Firefox 70 released

Posted Oct 23, 2019 9:14 UTC (Wed) by roc (subscriber, #30627) [Link]

I wonder how they cope with the byzantine constraints that different sites impose.

Firefox 70 released

Posted Oct 23, 2019 12:41 UTC (Wed) by jrigg (guest, #30848) [Link] (2 responses)

> Let the browser remember it. Don't try to remember it yourself.

And if someone steals your laptop?

Firefox 70 released

Posted Oct 23, 2019 17:03 UTC (Wed) by gfernandes (subscriber, #119910) [Link]

If, for instance, you were to use a static strong password generated by, say a YubiKey, then if someone stole your laptop, they'd still not have your YubiKey.

So they'd not be able to get to your passwords.

But you would be - but using your YubiKey and Firefox Sync to recover your passwords.

Would that not work perfectly for a novice?

Firefox 70 released

Posted Oct 23, 2019 19:38 UTC (Wed) by josh (subscriber, #17465) [Link]

That's my primary use case for disk encryption. If someone steals my laptop, they have a laptop but no data.


Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds