W3C Payment Request API is Being Implemented in All Major Browsers | ProgrammableWeb

W3C Payment Request API is Being Implemented in All Major Browsers; Janet Wagner; In ProgrammableWeb; 2017-09-20.

Original Sources

Mentions

Participants

  • Chrome,
  • Edge,
  • Firefox,
  • WebKit.
  • Facebook
    • Facebook Messenger Extensions SDK
  • Samsung
    • Samsung Internet for Android 5.

Quoted

For color, background & verisimilitude…

  • Ian Jacobs, Lead, Web Payments Working Group, W3C.
  • Lukasz Olejnik, expert
    • Dr. Lukasz Olejnik
    • site

Usage of Differential Privacy & RAPPOR | mozilla.governance

Georg Fritzsche (Mozilla); Usage of Differential Privacy & RAPPOR, a discussion; mozilla.governance. centrally hosted at Google Groups; 2017-08-21 onward.

Concept

“The Ask”

<quote>What we plan to do now is run an opt-out SHIELD study to validate our
implementation of RAPPOR. This study will collect the value for users’ home
page (eTLD+1) for a randomly selected group of our release population. We
are hoping to launch this in mid-2017-09 [25 days hence].</quote>

Mentions

  • Differential Privacy
  • RAPPOR

Referenced

Chrome won | Andreas Gal

Andreas Gal; Chrome won; In His Blog; 2017-05-25.

tl;dr → Frustration is exhibited, the Mea Culpa is recited. Mozilla committed to Mozilla OS (Firefox OS); that was a misstep, and it caused the failure of the Firefox product line.

Biography

Andreas Gal <quote>worked for 7 years at Mozilla and was Mozilla’s Chief Technology Officer before leaving 2 years ago to found Silk Labs, which uses AI.</quote>

Mentions

yes

Referenced

Actualities

A next-generation Firefox would/could/might use WebKit (Blink) engine

The future of Firefox is … Chrome | The Register

The future of Firefox is … Chrome; Kieren McCarthy; In The Register; 2016-04-11.
Teaser: Start your shouting engines

Original Sources

Mentions

(the componentry)

Previously

Top Firefox extensions can hide silent malware using easy pre-fab tool | The Register

Top Firefox extensions can hide silent malware using easy pre-fab tool; Darren Pauli; In The Register; 2016-04-04.
Teaser: The fix? No patch, just destroy all extensions.

Original Sources

  • Some Talk, at Black Hat Asia

Mentions

  • Firefox, Mozilla
  • Crossfire, demonstrator
  • Who
    • Ahmet Buyukkayhan, PhD (candidate, graduate?), Boston University
    • William Robertson, professor, Northeastern University.
  • Quoted
    • Nick Nguyen, product, Firefox, Mozilla
  • Firefox, next generation
    • WebExtensions, an API
    • Electrolysis initiative
  • Vulnerable
    • NoScript
    • Video DownloadHelper
    • GreaseMonkey
  • Unaffected
    • Adblock Plus

Previously

In The Register


The App-ocalypse: Can Web standards make mobile apps obsolete? | Ars Technica

The App-ocalypse: Can Web standards make mobile apps obsolete?; Larry Seltzer; In Ars Technica; 2015-12-28.
Teaser: Many big tech companies—absent Apple—are throwing weight behind a browser-based world.

tl;dr → Betteridge’s Law; i.e. No.

Mentions

  • Lots of (emerging) standards
  • None of which “really work,” (yet)
    Especially not on Apple-culture.

Separately noted.

Firefox Now Offers a Tracking Protection within the Private Browsing Experience | Mozilla

Firefox Now Offers a Tracking Protection within the Private Browsing Experience; Nick Nguyen (Mozilla); In Their Blog; 2015-11-03.

Mentions

  • Firefox 42
  • Private Browsing
  • Tracking Protection
    • only in Private Browsing Mode
  • Scope
    • ads
    • analytics trackers
    • social share buttons
  • like Ghostery, but different.

Previously

Georgios Kontaxis (Columbia), Monica Chew (Mozilla); Tracking Protection in Firefox for Privacy and Performance; In Proceedings of the Web 2.0 Security and Privacy (W2SP); 2015-05-23; 4 pages; copy, slides (18 slides); separately noted.

Actualities

Firefox Developer Edition DevTools Challenger Screenshot

Cookies Lack Integrity: Real-World Implications | Zheng, Jiang, Liang, Duan, Chen, Wan, Weaver

Zheng, et al.; Cookies Lack Integrity: Real-World Implications; In Proceedings of the 25th USENIX Security Symposium; 2015-08-13; landing.

Authors

  • Xiaofeng Zheng, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology
  • Jian Jiang, University of California, Berkeley
  • Jinjin Liang, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology
  • Haixin Duan, Tsinghua University, Tsinghua National Laboratory for Information Science and Technology, and International Computer Science Institute
  • Shuo Chen, Microsoft Research Redmond
  • Tao Wan, Huawei Canada
  • Nicholas Weaver, International Computer Science Institute and University of California, Berkeley

Revisions

Abstract

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related domain. Although an acknowledged threat, it has not yet been studied thoroughly. This paper aims to fill this gap with an in-depth empirical assessment of cookie injection attacks. We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS, possible browser changes, and present a proof-of-concept browser extension to provide better cookie isolation between HTTP and HTTPS, and between related domains.
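As an added illustration of the problem the abstract describes (my own model code, not the authors' proof-of-concept extension): a cookie jar that records which scheme each cookie arrived on and, when isolation is switched on, keeps HTTP-set cookies away from HTTPS requests, beside the classic RFC 6265 behaviour in which an HTTP-injected cookie overwrites and rides along. Hostnames and cookie values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool          # the Secure attribute from the Set-Cookie header
    set_over_https: bool  # the state the paper says browsers do not record


def parse_set_cookie(header: str, host: str, over_https: bool) -> Cookie:
    """Parse a Set-Cookie header, remembering which scheme it arrived on."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", "").lstrip(".") or host
    return Cookie(name, value, domain, "secure" in attrs, over_https)


class CookieJar:
    # isolate_schemes=False is the classic RFC 6265 jar; True models HTTP/HTTPS isolation.
    def __init__(self, isolate_schemes: bool) -> None:
        self.isolate_schemes = isolate_schemes
        self.store: dict[tuple[str, str, bool], Cookie] = {}

    def receive(self, header: str, host: str, over_https: bool) -> None:
        c = parse_set_cookie(header, host, over_https)
        # Classic jar: an HTTP-set cookie overwrites a same-named HTTPS-set one.
        slot = c.set_over_https if self.isolate_schemes else False
        self.store[(c.name, c.domain, slot)] = c

    def cookies_for(self, host: str, over_https: bool) -> dict[str, str]:
        out: dict[str, str] = {}
        for c in self.store.values():
            if host != c.domain and not host.endswith("." + c.domain):
                continue  # RFC 6265 domain-match
            if c.secure and not over_https:
                continue  # Secure cookies never travel over plain HTTP
            if self.isolate_schemes and over_https and not c.set_over_https:
                continue  # isolation: HTTP-set cookies never reach HTTPS
            out[c.name] = c.value
        return out


def scenario(isolate_schemes: bool) -> dict[str, str]:
    """Constructed: site sets a session cookie over HTTPS, an on-path attacker
    injects a same-named cookie over HTTP, then the browser requests HTTPS."""
    jar = CookieJar(isolate_schemes)
    jar.receive("session=legit; Secure; Path=/", "bank.example", over_https=True)
    jar.receive("session=injected; Domain=bank.example", "bank.example", over_https=False)
    return jar.cookies_for("bank.example", over_https=True)
```

`scenario(False)` attaches the injected value to the HTTPS request; `scenario(True)` attaches the legitimate one, which is the isolation the abstract argues for.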

Promotions

Serious bug causes “quite a few” HTTPS sites to reveal their private keys | Ars Technica

Serious bug causes “quite a few” HTTPS sites to reveal their private keys; In Ars Technica; 2015-09-04.

tl;dr → use of Chinese Remainder Theorem (CRT) sometimes causes faults to occur during the computation of an RSA signature.
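An added example (mine, not from the article) of the computation the tl;dr refers to: RSA signing via the Chinese Remainder Theorem with a simulated glitch in one half, together with the verify-before-release check; that check is the standard countermeasure and is my assumption here, the summary above does not name it. The primes are constructed toy values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RsaKey:
    p: int
    q: int
    e: int
    d: int

    @property
    def n(self) -> int:
        return self.p * self.q


def make_toy_key() -> RsaKey:
    # Constructed, deliberately tiny primes so the arithmetic is readable;
    # a real key uses primes of 1024 bits or more.
    p, q, e = 1000003, 1000033, 65537
    return RsaKey(p, q, e, pow(e, -1, (p - 1) * (q - 1)))


def sign_crt(key: RsaKey, m: int, fault: bool = False) -> int:
    """m^d mod n the CRT way: two half-size exponentiations mod p and mod q,
    then Garner recombination. `fault` simulates a glitch in one half."""
    dp, dq = key.d % (key.p - 1), key.d % (key.q - 1)
    sp = pow(m, dp, key.p)
    sq = pow(m, dq, key.q)
    if fault:
        sq ^= 1  # any corruption of one half yields a result correct mod p only
    qinv = pow(key.q, -1, key.p)
    h = (qinv * (sp - sq)) % key.p
    return (sq + h * key.q) % key.n


def sign_checked(key: RsaKey, m: int, fault: bool = False) -> Optional[int]:
    """Countermeasure (assumed here): verify with the public exponent and
    refuse to release a signature that does not check out."""
    s = sign_crt(key, m, fault)
    if pow(s, key.e, key.n) != m % key.n:
        return None
    return s
```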

Original Sources

Mentions

  • Boxen Vendoren
    • Hillstone Networks
    • Alteon/Nortel
    • Viprinet
    • QNO
    • ZyXEL
    • BEJY
    • Fortinet.
  • Libraries
  • Browsers
    • Chrome
    • Firefox
  • CVE-2015-5738
    OpenSSL code library from Cavium.
  • Some of the “we found some problems, but it’s fixed now”