|
|
Subscribe / Log in / New account

Firefox 130.0 released

[Posted September 3, 2024 by jzb]

Version 130.0 of the Firefox browser has been released. Notable in this release is the addition of a Firefox Labs tab in Firefox Settings. This allows users to easily enable experimental features, such as the ability to translate selected text portions to different languages after a full-page translation, and add an AI chatbot to the sidebar. Firefox 130 also addresses several security issues, adds 11 new languages to its translation support, and more.


to post comments

Sync stopped working

Posted Sep 3, 2024 17:54 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Sync stopped working a while ago. Now I can't see tabs from other devices.

Yes, I tried to relogin and everything. And I can actually send tabs from a phone to the desktop, so the sync system itself works.

Sync stopped working

Posted Sep 4, 2024 14:08 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

FWIW, I had an issue where my Android install desynced twice in a week (and needed to be re-paired), but it's been stable here other than that. I have noticed that latency on refreshing the tab list is…inconsistent though.

Firefox sidebar

Posted Sep 3, 2024 19:06 UTC (Tue) by geofft (subscriber, #59789) [Link] (4 responses)

I'm a little bit surprised the default configuration of the AI chatbot isn't a local/offline one - all of the options are online services. Certainly a local one isn't going to be nearly as powerful or featureful as the flagship cloud services, but given Mozilla's work on llamafile (previous LWN coverage), I expected them to go that direction. Maybe it's coming in the future?

On a tangent, they're doing a few more things with the sidebar in Nightly. I gave the Vertical Tabs feature a try for a week or so, but I couldn't retrain my instincts to associate the shortcuts for switching to a particular tab (Ctrl-1 or Cmd-1 for the first tab, Ctrl-2 for the second, etc.) with a list of tabs that went orthogonal to the keys on my keyboard.

Firefox sidebar

Posted Sep 3, 2024 20:24 UTC (Tue) by drago01 (subscriber, #50715) [Link] (2 responses)

Local ones that are powerful enough require a dedicated GPU with sufficient VRAM.

Nothing you find on a typical laptop.

Firefox sidebar

Posted Sep 3, 2024 22:39 UTC (Tue) by josh (subscriber, #17465) [Link] (1 responses)

Or an NPU, which many current laptops do have.

Firefox sidebar

Posted Sep 3, 2024 23:31 UTC (Tue) by mussell (subscriber, #170320) [Link]

You just need drivers for that NPU, which Linux does not have.

Also you need a single API for all NPUs, which no one seems interested in making.

Firefox sidebar

Posted Sep 5, 2024 14:01 UTC (Thu) by denials (subscriber, #3413) [Link]

The Treestyle Tabs extension works pretty well for managing the dozens of tabs I have open at any given time. You can nest groups of tabs on the side, but still have the standard horizontal tabs.

FIDO2 HW token on office.com

Posted Sep 4, 2024 9:30 UTC (Wed) by rettichschnidi (subscriber, #93261) [Link] (10 responses)

Not enabled by release 130, but as of today, after more than 2 years (https://bugzilla.mozilla.org/show_bug.cgi?id=1824831), logging into a MS 365 business account using a FIDO2 HW token finally works for me on Firefox/Linux. Before, I had to change the user agent to Chrome.

FIDO2 HW token on office.com

Posted Sep 4, 2024 11:20 UTC (Wed) by Wol (subscriber, #4433) [Link] (8 responses)

You've seen the breaking? news - yubikeys can be cloned if you get physical access?

https://it.slashdot.org/story/24/09/03/1810216/yubikeys-a...

Cheers,
Wol

FIDO2 HW token on office.com

Posted Sep 4, 2024 14:11 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (7 responses)

Yes. It's in the "I'm an APT target" bucket yet, but these things only get better over time. Note that cloning requires an existing account against which to have repeated use of the secret in order to extract it. It also requires destroying the casing, so putting it back into the owner's possession unnoticed is a tricky endeavor.

FIDO2 HW token on office.com

Posted Sep 4, 2024 14:56 UTC (Wed) by Wol (subscriber, #4433) [Link] (6 responses)

Um... so a bait-and-switch headline ...

I was left with the impression that it was quick, easy(ish), and easy to conceal. I didn't read the article itself - slashdot is not a site I visit ...

Cheers,
Wol

EUCLEAK attack

Posted Sep 4, 2024 16:25 UTC (Wed) by hmh (subscriber, #3838) [Link] (4 responses)

The cute name for this one is "EUCLEAK" (and it *does* deserve to be named, even if just for the sheer educational value of the disclosure paper. And let's not joke about the impact this has, either, although hopefully it won't make it to specialized local criminal gang expertise level anytime soon).

The attack is *not* "easy" in the normal way you'd use that word, and the security researchers make it quite clear that you are much better off keeping your vulnerable device in use, than trying to do without any security token at all. But you should still replace it with a fixed one in due time. And ensure any new ones you get are not vulnerable [to that attack], of course.

Do read, or at least skim, their paper if you have the time. It is worth it.

BTW, it is not just Yubikeys and other hardware tokens like it: the attack works on many crypto-currency hardware wallets, and also e-passports from several countries, for example. For at least the wallets, well, you really should find a non-vulnerable one sooner than later if the amount of crypto-currency involved is non-trivial IMO.

Better links:
https://ninjalab.io/eucleak/
https://news.ycombinator.com/item?id=41434500

EUCLEAK attack

Posted Sep 4, 2024 21:56 UTC (Wed) by geuder (subscriber, #62854) [Link] (3 responses)

> Do read, or at least skim, their paper if you have the time. It is worth it.

I agree. Really understanding the 80+ pages is probably impossible for 99.9% of the readers including myself. But I found it rather accessible to read anyway.

They also say clearly in the beginning: It's safer to use an affected Yubikey than not to use it because of their discovery.

Unless you are Julian Assange, Edward Snowden, or someone with similarly powerful adversary there is nothing to be worried about even after this attack.

EUCLEAK attack

Posted Sep 5, 2024 10:01 UTC (Thu) by farnz (subscriber, #17727) [Link] (2 responses)

Specifically, for the EUCLEAK attack to be of concern to you, the attacker needs to be able to do the following without getting caught:

  1. Take your Yubikey away from you.
  2. Enroll your Yubikey against a site they control.
  3. Disassemble your Yubikey completely, destroying the packaging in the process.
  4. Spend approximately 5 minutes repeatedly authenticating against their site as fast as possible to gather data.
  5. Put new packaging on your Yubikey such that you're not going to notice in the time frame they need the clone to work for, noting that it will take at least 30 minutes to analyze their data and be able to create a clone.
  6. Return your Yubikey to you.

Steps 1, 3 and 5 are all hard to do without leaving traces, unless you've got powerful backers, and for most of us, the work involved in doing those steps is not worth the gain (access to accounts protected by Yubikey + password).

EUCLEAK attack

Posted Sep 5, 2024 11:49 UTC (Thu) by excors (subscriber, #95769) [Link] (1 responses)

Also, as I understand it, the attack is only relevant in a scenario where the attacker can't simply use your Yubikey directly (perhaps in combination with a password that they phished or keylogged from you earlier) and then either keep it or give it back to you. They only need to clone it if they want long-term persistent access to your account, without you noticing and revoking the device. If you're just using a Yubikey to protect your password manager or bank account etc, they could already steal your passwords/money/etc without this cloning attack, so it's no worse than before. (But in other scenarios it may still be a real problem.)

EUCLEAK attack

Posted Sep 5, 2024 13:14 UTC (Thu) by farnz (subscriber, #17727) [Link]

Indeed - and one of the consequences of that is that the attack is only relevant where the attacker has the capability to do a complex process taking about an hour and with risk of getting caught in order to clone your Yubikey, but does not have the capability to take your Yubikey and keep you from noticing that they've done so (e.g. because they've got you in a jail cell) until they've finished extracting everything of value from your accounts.

Doesn't stop it being a cool piece of research, and something we should aim to defend ourselves against in the long run; does mean that it's of limited practical relevance.

FIDO2 HW token on office.com

Posted Sep 4, 2024 16:53 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

The details don't fit in a headline. Ars Technica's coverage was decent IMO: https://arstechnica.com/security/2024/09/yubikeys-are-vul...

FIDO2 HW token on office.com

Posted Sep 4, 2024 12:52 UTC (Wed) by ryanduve (subscriber, #127786) [Link]

That is awesome! I'm hoping for the day I can make the same post about using TouchID on a MacBook Pro to log in on Firefox.

It's nice to see continuous improvement like this in Firefox.


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds