“In the intervening period, as we weighed the cost of our overall portfolio and strategic focus, we made the decision not to relaunch the service,” Mozilla said. Since Send is already offline, there’s nothing you have to do to prepare for its decommissioning.

The other tool Mozilla is sunsetting is Firefox Notes. Like Send, Notes grew out of the company’s defunct Test Pilot program. It was initially a way for Mozilla to try out new ways to sync encrypted data. Once the experiment ran its course, the company kept Notes around as a tool you could use in Firefox and Firefox for Android.

In early November, Mozilla says it will discontinue support for the Firefox Notes app and syncing service. If you have the extension already installed on your desktop computer, you’ll get the chance to export all your notes. However, after November, it won’t be possible to install the extension again.

It’s never easy to see a company discontinue a product, particularly if you depended on that app for its utility. In its defense, Mozilla says parting ways with Firefox Send and Notes will allow it to focus on products like its recently launched VPN service.

Completely new to Firefox for Android is a feature called Collections that allows you to save and organize websites for later visits. If Collections sound a lot like your classic bookmarks, functionally they are, but there’s a good reason Mozilla developed the feature. According to Vesta Zare, the project’s manager, Collections came out of looking at the mental models people have built around tabs and bookmarks. She says the majority of Firefox users only bookmark the websites they think are really important to their life. A good example is your bank’s website. That’s something most people choose to bookmark because it has an almost permanent place in their lives, but when it comes to things like recipes and trip planning, the company found people using tabs as their “short-term memory,” leaving them open to clutter their tab bar.

Mozilla

“We saw the need for a middle ground,” said Zare. That’s where Collections come into the picture. The interface Mozilla built means they don’t get lost like tabs, but they’re also not meant to be permanent in the way people see bookmarks. You have multiple ways of sharing them and, in the future, the goal is to allow collaboration on Collections.

Another major feature the new release includes is better support for third-party add-ons. You could install extensions with the previous version of Firefox for Android, but, in the majority of cases, they weren’t optimized for mobile. That’s something Mozilla went out of its way to change with this release. You’ll only see about 10 currated add-ons initially, but each has had its interface optimized for mobile and Mozilla has certified that they work with its new engine. The company plans to add more add-ons as time goes on.

One other smaller but still notable new feature is the addition of picture-in-picture support for videos.

Under the hood, the new Firefox for Android is built on top of Mozilla’s GeckoView browser engine. The new backend brings with it a couple of advantages. According to Zare, most websites should load about 10 percent faster in the new Firefox for Android compared to the previous release. GeckoView also simplifies some of the foundations of the app that will make it easier for Mozilla to deliver timely updates. The company also makes a point of the fact Firefox for Android isn’t based on Blink, Google’s browsing engine. It says it built the engine with privacy in mind.

The new Firefox for Android is available to download today in Europe, with North American availability to follow on August 27th.

Mozilla’s effort to secure domain name requests now has a major new ally: Comcast. The cable giant’s Xfinity brand has become the first internet provider to provide encrypted DNS services through Mozilla’s Trusted Recursive Resolver program. If you’re a Firefox user with Xfinity service, it should be that much harder for people to snoop on your website requests or intercept them for attacks.

The technique needs companies like Comcast to help due to its very nature. In addition to encrypting the data using DNS over HTTPS, Mozilla needs to ensure that companies managing the data have rules that limit data collection, provide transparency for that data and prevent the domain name resolver from either blocking access or modifying the content. Companies like Cloudflare and NextDNS have already signed on.

It’s not hard to divine why Edge might grow so rapidly. Its status as Windows’ default browser helps, as does Microsoft’s overall clout. However, it also helps that the Chromium-based version eliminates many of the complaints about the old version of Edge running on Microsoft’s own engine, such as compatibility, speed and the range of available extensions. The old software had a reputation as the browser you used solely to download other browsers — now, it’s good enough that you might not need another browser.

Not that Google is necessarily worried. While Edge does encourage people to use Microsoft services over Google’s, the engine switch also consolidates Chromium’s grip on the web. Developers may be less inclined to build sites that are truly browser-independent instead of optimizing for Google’s engine, and that could hurt people who’d rather use Firefox, Safari or other alternatives.

Earth was originally built using the Chrome-only Native Client solution, so to get the product to other browsers, Google had to switch gears. The search giant decided to rebuild Earth by compiling the C++ code using WebAssembly, a new binary, Java-like language that works across all web browsers. WebAssembly was only recently recommended (on December 5th, 2020) by the World Wide Web consortium as the fourth native browser language after HTML, CSS, and JavaScript.

While Google Earth does run on those other browsers, Google said that it still needs “polishing,” so you will probably still get the best experience on Chrome. It also plans to bring Google Earth to Apple’s Safari browser in the future.

Once you’ve downloaded the most recent version of Firefox, hover over a video and a blue “Picture-in-Picture” option will pop up. Click the button and the video will open in a solitary player that you can move around as needed. The feature is only available on the Windows version of the browser, but it will hit Mac and Linux versions in January, according to Mozilla.

While having a second monitor would probably be the nicest way to keep one eye on a video and the other on work tasks, that’s not an option for everyone, and would be next to impossible for laptop users on the go. Picture-in-Picture mode could be a good fallback. Just make sure you’ve got a quick trigger finger for when your boss walks by.

Just why the intruders would need to do that isn’t entirely clear. If you’ve infected a system with a remote control trojan, you don’t need to patch the browser to spy on traffic. ZDNet suggested it might be a failsafe that let intruders spy on traffic for people who remove the trojan, but aren’t cautious enough to reinstall their browsers.

The perpetrators appear to be easier to identify, and that might reveal their motives. Turla is believed to work under the protection of the Russian government, and initial targets were located in Russia and Belarus. The group is sophisticated enough to have compromised Eastern European internet providers in the past to infect otherwise clean downloads. This may be an attempt to snoop on dissidents and other political targets using a method that’s difficult to thwart.

The House sent a letter on September 13th asking if Google would use data handled through the process for commercial purposes. Google has maintained that its Chrome tweaks would give users control over who shares their info, and that it won’t force people to switch to encrypted DNS.

That likely won’t allay telecoms’ fears. Internet service providers are worried that they may be shut out of the data and won’t know as much about their customers’ traffic patterns. This could “foreclose competition in advertising and other industries,” an alliance of ISPs told Congress in a September 19th letter.

Google might not have much to worry about, though, as it’s not the only one pushing for the same encryption. Mozilla also wants to use the format to secure DNS in Firefox, and the company’s Marshall Erwin told the WSJ that the antitrust gripes are “fundamentally misleading.” ISPs are trying to undermine the standard simply because they want continued access to users’ data, Erwin said. Unencrypted DNS helps them target ads by tracking your web habits, and it’s harder to thwart DNS tracking than cookies and other typical approaches.

Not every request will use HTTPS. Mozilla is relying on a “fallback” method that will revert to your operating system’s default DNS if there’s either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will “revisit” its approach if attackers use a canary domain to disable the technology.

It could take some time before DNS over HTTPS is widely available. Mozilla will be watching for hiccups before expanding availability. If all goes smoothly, Firefox may become a go-to option for anyone who insists on securing as much of their web traffic as possible.

Turns out that the root certificate was a Trojan Horse. It allowed the Kazakhstan government to perform a “man-in-the-middle” or MitM attack against HTTPS connections to a list of 37 domains, including Facebook, Twitter, Google and more, according to a study published by University of Michigan’s Censored Planet. Normally, HTTPS websites are encrypted in a way that ISPs or governments won’t be able to access it. In the case of Kazakhstan, the MitM attack broke the encryption in these sites, allowing the government to freely spy on private internet activity.

Both the Chrome and Firefox browsers in Kazakhstan will bar the illicit certificate before users can even download it. Mozilla will block Kazakhstan’s root certificate with OneCRL, which Firefox has been using to revoke certificates since 2015. Previously, users who accessed the internet in Kazakhstan received a message on their smartphone or computer asking them to install the root certificate.

Now when Firefox detects the certificate in Kazakhstan, it will instead block the connection and display an error message. “Research shows that many users click through errors without understanding what they mean, leaving them no better off than if there were no warning at all. We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism,” said Mozilla’s Senior Director of Trust & Safety Marshall Erwin in an email to Engadget.

Chrome is blocking the certificate as well. In addition, it will be added to a blocklist in the Chromium source code and included in other Chromium-based browsers in the future.

At first, the move may seem unnecessary given that Kazakhstan stopped requiring users to install the certificate a couple of weeks ago. Reuters reported that Kazakhstan earlier this month halted deployment of its surveillance system after facing legal challenges. A group of Kazakh lawyers sued three of the country’s mobile operators for restricting internet access after users refused to install the certificate. Kazakhstan’s State Security Committee backed off in response, issuing a statement that called the certificate rollout a “test” that was now complete.

In a statement to Engadget, Mozilla’s Erwin acknowledged that the company was aware of Kazakhstan ending the test. Users could still be vulnerable if they have the certificate installed. “While the government’s test has apparently ended, the mechanisms it can use to spy on web traffic is still in place. And some users may still have this malicious certificate installed. Essentially, these users are still vulnerable, even if the attack is not ongoing. We aren’t waiting for the vulnerability to be exploited again in order to fix it,” wrote Erwin.

Given Kazakhstan’s track record, it’s not unlikely that such a vulnerability will be exploited again. In its 2018 Freedom on the Net report, Freedom House classified Kazakhstan as “not free” due to the authoritarian regime’s tight controls on media and internet. Internet censorship in the nation is currently at an all-time high under the regime of its current leader, President Kassym-Jomart Tokayev. The government regularly blocks news sites and shuts down the internet and messaging services following protests. Due to a 2014 law, state agencies can freely block websites without a court order. According to the Committee to Protect Journalists, over 50,000 materials have been blocked by the government since the law passed.

Erwin said that Mozilla will continue to monitor the government of Kazakhstan’s actions and will take action if it issues similar certificates in the future. “If the Government of Kazakhstan were to push users to install a new certificate so they could resume interception, we would take similar action to protect the security and privacy of Firefox users,” wrote Erwin.