Firefox to warn users who visit p0wned sites

Mozilla developer Nihanth Subramanya has revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks. A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow …

  1. Starace
    Flame

    Should fit right in

    Giving users what they don't want is classic Mozilla, as are poorly thought through ideas implemented badly.

    1. Anonymous Coward

      'Giving users what they don't want is classic Mozilla'

      Sadly agree! They're turning into Microsoft, but without any positive cashflow.... Bring back easy Javascript / Image 'Toggle' / 'Exception List' as per Chrome... Stop Cookies defaulting to 3rd Party. Stop the nanny-dialogs i.e. 'refreshing' Firefox. Add EFF Panopticlick browser-signature spoofing for Privacy. Add editable exception-list for websites that need full-screen, like YouTube etc.

      1. bombastic bob Silver badge
        Mushroom

        Re: 'Giving users what they don't want is classic Mozilla'

        "Bring back [snip featurelist]"

        and ELIMINATE AUSTRALIS in all of its 2D FLATSO hamburger-menu forms

      2. Mage Silver badge
        Flame

        Re: 'Giving users what they don't want is classic Mozilla'

        Also let you have Classic GUI, build in NoScript and User agent (esp needed on Linux or Mac & Windows download links vanish on stupidly designed sites).

        Disable URL guessing

        Allow easy toggle to turn off Awesome to have URL only bar.

        Fix all the blank pages that print before selected point on webpage.

        Etc.

        1. Anonymous Coward

          Re: 'Giving users what they don't want is classic Mozilla'

          >NoScript

          Priority No1, give Giorgio Maone the APIs he needs to re-implement NoScript in its former glory as currently it's badly broken for FF57 and frankly an abomination.

          1. Anonymous Coward

            Re: 'Giving users what they don't want is classic Mozilla'

            Amen. I've retired my Firefox Quantum w/Noscript until they come up with a usable system. FF has sunk to low single-digit market share, and this could knock it out. Mozilla's declining performance over the last two years should be a lesson to those who put political correctness ahead of merit when picking a CEO.

    2. Anonymous Coward

      'Giving users what they don't want is classic Mozilla'

      ~~~~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~

      Wish Firefox would just focus on the simple things

      ~~~~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~

      #1. For family / friends etc... In the early days of Firefox [Tools -> Options Enable-Javascript / Show-Images] was easily available. However special interests at Mozilla obfuscated the Settings.. Why not instead add Javascript 'Website Exceptions' to Firefox.... We have this for Cookies. Why not extend that to Include JavaScript and Image 'Website Exception Lists' too.... Chrome offers this, so why not Firefox???

      ....Yes you can block it using Add-ons, but not if your work machine is locked-down, or there's many devices at home / away you're not responsible for. Plus, Add-ons can come with toxic baggage too, especially if the hosting site / distrib mechanism gets hacked etc. (ccleaner etc)

      -

      #2. ALWAYS accept 3rd party Cookies is the default when allowing cookies. Why do that, what's wrong with NEVER as a default? Can't think of any website that insists on explicit 3rd-Party-Cookies anymore to work (if they do dump them immediately). Where's the advantage to the End-User here, unless Mass-Tracking & Slurp is the goal... WTF Mozilla?

      -

      #3. I'd like to see 'about:config.javascript' etc shortcuts for toggling JavaScript etc. Having to Type 'pt.e' as a shortcut seems dumb. Same goes for toggling images etc. like having to set dom.image.srcset.enabled to FALSE after every install to block image loads, WTF???

      -

      #4. Please Mozilla remove nannying like 'Do you want to refresh Firefox'.

      -

      #5. Add editable exception-list for sites that need 'full-screen' like Youtube.

      -

      #6. Browser Spying & Tracking: Offer built-in 'EFF Panopticlick' option to prevent browser fingerprinting. (Sending fake Browser ID-strings / info to websites to mask real browser-version or OS-signatures). Similar to Privacy leveraging features like this:

      1. Dan 55 Silver badge

        Re: 'Giving users what they don't want is classic Mozilla'

        1 - There is a per-site image exception list. It's in Page Info.

        1. Anonymous Coward

          'There's a per-site image exception list. It's in Page Info.'

          True, but correct me here: It's not as easy to use as Chrome's 'Exclusions List'. You have to load the page first before being able to disable images. It's not possible to lock down the browser in advance and after only re-enable what you actually want. Plus, the JS 'Exclusion List' is obviously a greater priority here, as images on many websites don't even load without JS!

          1. sabroni Silver badge
            Facepalm

            There's only one thing worse than Mozilla's idea of what the punters want

            And that's the misguided tech heads on here saying what they want and thinking that's what the punters want. An exception list for javascript sites? Yeah, my nan won't stop going on about that....

      2. handleoclast
        Flame

        Re: 'Giving users what they don't want is classic Mozilla'

        On the occasions I use my mobile to browse, the baked-in list of suggestions really fucking annoys me.

        There are two sites I visit regularly which start with "n" (I'm lazy, so never type the "www." unless the site is so badly designed that it won't work without it). Neither of them is netflix. I have never visited netflix on any computer, let alone my mobile. Guess which site is suggested as soon as I type "n", forcing me to type at least one more letter. For one of those two sites, the second letter is "e", so guess which one doesn't appear in the URL bar unless I type a third letter (it does, however, appear near the top in the suggestions list, but that requires moving my finger further to activate).

        If it were just that one site, I might not be so annoyed. But it's just about every site, even the ones I use regularly and frequently.

        If the rankings of baked-in suggestions changed as I visited other sites, I could live with that. But the ranking never changes. It doesn't matter how many times I visit the other "n" sites, netflix is the first suggestion. It doesn't matter how many times I visit a "w" site, up pops fucking walmart (which I've never been to on any computer and have no intention of ever visiting). That's what changes it from being a useful feature (start out by offering popular sites and learn from what the user actually visits) to a piece of fucking stupid incompetent shit implemented by people who should be banned from ever designing a user interface.

      3. Harry Stottle

        Re: 'Giving users what they don't want is classic Mozilla'

        are you saying there IS an 'EFF Panopticlick' option? (i.e. something which defeats the browser id attack) If so, I, for one would bite yer arm off for a link...

        So far I've been to the 'EFF Panopticlick' page but other than the depressing evidence that I still haven't managed to defeat their identifier test, could see nothing that suggests solution or even mitigation...

    3. bombastic bob Silver badge
      Thumb Up

      Re: Should fit right in

      "Giving users what they don't want is classic Mozilla, as are poorly thought through ideas implemented badly."

      definite thumbs-up on that comment. And you didn't even have to mention 'Australis' for us to know exactly what you meant.

  2. inmypjs Silver badge

    From the repo..

    "This is an extension that I'm going to be using as a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox"

    If it stayed as an extension almost no one would install it and no one would give a shit.

    But no this is Mozilla - so it will be baked in bloat because Firefox users get what Mozilla wants not what Firefox users want. That and/or having crippled the framework for extensions in quantum it can no longer be implemented as one.

    To avoid this loss of privacy in exchange for crap they don't want I expect users will have to dick around in about:config to disable it.

  3. Invidious Aardvark

    UI for alerts already exists?

    I thought FF (and all browsers) already had a UI for alerts about this sort of thing:

    1) Launch browser

    2) Type something like "www.theregister.co.uk" or "data breach <company name>" into the URL/search bar.

    3) Click on links that mention data breaches, etc.

    1. Dan 55 Silver badge

      Re: UI for alerts already exists?

      That's Google's safe browsing list. They'd need something similar for haveibeenpwned.

      But as it would show sites from years ago it'd be essentially useless as the average user doesn't understand what this means or what to do about it or if it's a problem any more, and a message box in Firefox isn't going to educate them.

    2. bitmap animal

      Re: Alternatives?

      That involves the user stopping what they are doing and actively searching to check the site is safe. They then have to make an informed choice based on the results. With the exception of a small minority of security conscious people no one will do that. They just want to get on the internet to get their information, not go through hoops they don't understand anyway.

  4. This post has been deleted by its author

  5. sloshnmosh

    about:config

    "To avoid this loss of privacy in exchange for crap they don't want I expect users will have to dick around in about:config to disable it."

    I'm wondering if the next major release will have about:config removed as well.

    1. VinceH
      Unhappy

      Re: about:config

      Please don't give them ideas.

      1. Dan 55 Silver badge

        Re: about:config

        No matter, someone could do an add-on to bring it back... Oh.

  6. Winkypop Silver badge
    Joke

    Maybe

    The default could be: "You've been hacked".

    Just code the remaining 23 or so secure web sites as "OK".

  7. Samizdata
    Big Brother

    Until we can breed more clueful users...

    Look, I know it sounds stupid and obnoxious now, but I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time. I have told them time and time and time again not to, but they do. I deal with helping people whose brains shut down at the idea of free money and have only been lucky that I have stopped a pile of 419 scams against people I know. I have seen people with Flash, Java, and Firefox dating from the XP days in this TYOOL 2017.

    Until we can reasonably expect users to take responsibility for what they do online, even accept that they even HAVE any responsibilities for a secure Internet, and that can actually prevent everything above the brainstem from shutting down online then we need to start removing empowerment from their hands, and start automating steps like updates for the OS and apps, and forcing checks against sites. I don't much like it, granted, but I am accepting it has to be this way until human nature changes, sadly.

    (Also, FWIW, I have said it before and will again, Troy Hunt is doing God's work...)

    1. Not also known as SC
      Unhappy

      Re: Until we can breed more clueful users...

      "I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time"

      Being able to search through the address bar doesn't help educate the users either. It is very easy to get into bad habits and drop off the domain part of the name resulting in a search instead of an error. I know this can be disabled (or could before) but how many users even realise, let alone understand the difference, and potential problems that could be caused?

      1. brotherelf
        Mushroom

        Re: Until we can breed more clueful users...

        Don't even get me started on the browser cancer that is removing part of the URL from display. One of the stupid bass-turds even removes a leading "www.", regardless of whether the result will work, and only copying the URL will get you the actual thing, protocol and full server name.

        Eh, where's my pills…

    2. Dan 55 Silver badge

      Re: Until we can breed more clueful users...

      If you remove empowerment from their hands, people aren't going to magically learn on their own before you give it back to them. It just means there's no need to learn.

      See parents or grandparents who are much more handy with a screwdriver and cavemen who look down on everyone else because they don't go out and kill their dinner.

      1. VinceH

        Re: Until we can breed more clueful users...

        "If you remove empowerment from their hands, people aren't going to magically learn on their own before you give it back to them. It just means there's no need to learn."

        ^ This.

        Also, the sort of person who does stupid (searching for regularly visited sites instead of bookmarking* etc) is the sort of person who will develop a blind spot for notifications popped up by Firefox, and just click them away.

        * Pet bloody hate - especially when they do that for important sites such as their bank. GAH!

        1. EnviableOne

          Re: Until we can breed more clueful users...

          It's still better than idiots like the Dartford crossing that put up signs saying "search for dartford crossing to pay the toll"

          not go to www.gov.uk/dart-charge or https://www.gov.uk/pay-dartford-crossing-charge

          Signage link below:-

          https://assets.publishing.service.gov.uk/government/uploads/system/uploads/image_data/file/33480/Dartford_signage.png

          1. Graham 32

            Re: Until we can breed more clueful users...

            @EnviableOne I think that's done to stop the dimwits slamming the brakes on to stop and write down the URL. Lesser of two evils.

    3. handleoclast

      Re: Until we can breed more clueful users...

      I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time.

      There is a reason some people do that. It may even be a valid one.

      The theory goes that the more people who use Google to search for a specific web site, the more popular that site becomes in the rankings. Therefore, going to your own website that way pushes it up (even if ever-so-slightly) in the rankings.

      Even if that theory is correct (I'm not saying it is), most people search for web sites that way because they're clueless idiots.

  8. Anonymous Coward

    Dumb idea

    All this does is make it even more appealing for a company to keep quiet about any possible data breaches. And that's just the thing you don't want, because transparency can actually help others from protecting themselves.

    Another problem I have with this is that Mozilla is basically placing the 'blame' on the website owner. But sometimes that simply isn't the case. Then what?

    How does this work when an ISP had a databreach and you're visiting a website from a user of said ISP (so: they're also hosting the site with that ISP)?

  9. NonSSL-Login
    Alert

    As long as I can disable it

    I don't want to send every single website I visit to Firefox or HaveIbeenPwned. For that same reason I disable similar protections on Chrome and also site prediction features.

    I get that many of the population don't know or care how much data they give different companies for these kind of features to work and this may be of use to them, but let me disable it.

    As for storing info, some of the previous database searching sites similar to HaveIbeenPwned, have been pwned and had all the database stolen. Ie, the big exploit.in mentioned on Troy's site. So having all the info in one place...it's going to be hacked eventually.

  10. Old Handle

    Maybe not terrible

    This doesn't have to be done in a privacy-violating way. It could just query a server for a list of recently compromised sites each time you start it/daily or whatever and then alert you if you visit one on the list, rather than checking each site you visit individually. Checking each site separately would be bad from a speed standpoint too, and Firefox is all about speed now...

    1. DropBear
      Facepalm

      Re: Maybe not terrible

      Yes, but that would be the sane way. Wanna bet that's not what they are going to do...?
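The design Old Handle describes above (download a list of recently compromised sites once, then match visits locally) sketched as an added example; it is not code from the thread or from Mozilla's prototype. The snapshot, its field names (`domain`, `breachDate`), the `.test` hostnames and the one-year cut-off are constructed assumptions.

```javascript
// Constructed snapshot standing in for the list a browser would download
// once per start-up or per day. Field names are assumptions.
const SNAPSHOT = [
  { domain: "example-shop.test", breachDate: "2017-10-02" },
  { domain: "old-forum.test", breachDate: "2012-06-05" },
  { domain: "broken-entry.test", breachDate: "not-a-date" },
];

class BreachList {
  constructor(maxAgeDays) {
    this.maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000;
    this.byDomain = new Map();
  }

  // Replace the local copy of the list; malformed entries are skipped.
  load(entries) {
    this.byDomain = new Map();
    for (const e of entries) {
      const when = Date.parse(e.breachDate);
      if (typeof e.domain === "string" && !Number.isNaN(when)) {
        this.byDomain.set(e.domain.toLowerCase(), when);
      }
    }
  }

  // Purely local lookup: the visited URL never leaves the machine.
  // Returns the matching entry, or null if there is nothing to warn about.
  check(url, now) {
    let host;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch {
      return null; // not a parseable URL
    }
    // Walk label suffixes (a.b.c, b.c) so subdomains match the listed
    // domain, but "notexample-shop.test" does not match by substring.
    const labels = host.split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join(".");
      const breachedAt = this.byDomain.get(candidate);
      if (breachedAt !== undefined && now - breachedAt <= this.maxAgeMs) {
        const breachDate = new Date(breachedAt).toISOString().slice(0, 10);
        return { domain: candidate, breachDate };
      }
    }
    return null;
  }
}

const NOW = Date.parse("2017-11-23"); // constructed "current" date
const list = new BreachList(365);     // only warn about breaches < 1 year old
list.load(SNAPSHOT);
```

The only network traffic in this design is the periodic list download, which is the same for every user and reveals nothing about which sites are visited.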

  11. JLV
    Happy

    Good thing I've already sold off Yahoo...

    signed: Fake Marissa Mayer

  12. unwarranted triumphalism

    Nice to see Mozilla setting themselves up as internet vigilantes to decide what sites we can visit. Because we all know how well internet vigilantism works out.

  13. Anonymous Coward

    ... but also have built in telemetry

    ROFL!

    But they don't care to sell you by hardcoding the most famous fullshit generator called "facebook" into the new browser. They want to pwn you themselves to earn money. They sold their soul.

  14. Anonymous Coward

    Who hasn't been hacked?

    They'd have to start their list with the NSA and work down from there. It might be easier to make a list of those who haven't reported being hacked yet.
