

therube

join:2004-11-11
Randallstown, MD
reply to siljaline

Re: Firefox 20.0 Released

> reverting

Why?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

See previous comments in thread.
As for others, they would have their own specific reasons.



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 edit
reply to siljaline

Re: Firefox 20.0 Released

said by siljaline:

I'm reading elsewhere that those that have saved backups of prior builds are reverting

please provide some links ....

note: previous builds are always available from Mozilla.


therube

join:2004-11-11
Randallstown, MD

Links to what, the backups you have made?
Otherwise all versions of FF can be found at ... Mozilla.

Index of /pub/mozilla.org/firefox/releases



therube

join:2004-11-11
Randallstown, MD

2 edits
reply to siljaline

I've read through the thread but don't get the point.

Because of the security fixes that are included?
Because of the telemetry data, which is not enabled - by default?

Because users might use their browser to browse Facebook or might use Google Search?
And yet they'll worry about TD (...TigerDirect...?).

Do these reverters even know TD?
Do they even know how long TD in some sort or another has been there?

Send performance data to Mozilla to help improve Firefox

Firefox 7: Telemetry

Adding a new Telemetry probe

about:telemetry

What is Firefox Health Report?

(Did you know that FF has no native way to upload to a FTP server.)



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to siljaline

said by siljaline:

Firefox appears to be in a new sort of telemetry reporting
»support.mozilla.org/en-US/kb/adv···ices-tab

It's not new.

It was previously under
Advanced > General > "Submit performance data" along with "Submit crash reports".

Those options now have their own tab - "Data Choices".

... explore your link (Telemetry - "Learn more").



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to therube

Appreciate your information. As noted on the Moz board I'm still a relative noob.

Will read your information to see if I can gather some clarity in the matter.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to chachazz

Ongoing thread at Wilders as requested by you chachazz
»www.wilderssecurity.com/showthre···t=344641



EUS
Kill cancer
Premium
join:2002-09-10
canada
Reviews:
·voip.ms
reply to FF4m3

Upgraded work machine this morning, and now the browser is not working.
Type an address, hit enter nothing happens. Hit the little green "goto" arrow, nothing happens.
Am now using chrome.
--
~ Project Hope ~



therube

join:2004-11-11
Randallstown, MD

Firewall?

KB: Error loading websites



EUS
Kill cancer
Premium
join:2002-09-10
canada

I'll have to check, it's just very strange, I have never seen this behavior before, and have updated FF going on 5 years.
Thanks for the tip.
--
~ Project Hope ~



Trihexagonal

join:2004-08-29
US
Reviews:
·AT&T Midwest
reply to siljaline

said by siljaline:

Firefox appears to be in a new sort of telemetry reporting

I just updated Firefox and Seamonkey on my FreeBSD boxes and am not seeing that tab on either of them.






There is no "datareporting.policy.dataSubmissionEnabled" bit in about:config either.
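
A way to check the data-reporting switches discussed in this thread from outside the browser, added here as an example (not code from any poster or from Mozilla): it parses the text of a profile's `prefs.js` and reports three preferences. Only `datareporting.policy.dataSubmissionEnabled` is named in the thread; the other two preference names and the sample file contents are assumptions of this example.

```python
import re

# First name is the one quoted in the thread; the other two (Health Report
# upload and telemetry) are added by this example as assumptions.
DATA_PREFS = (
    "datareporting.policy.dataSubmissionEnabled",
    "datareporting.healthreport.uploadEnabled",
    "toolkit.telemetry.enabled",
)

# prefs.js / user.js entries have the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything malformed
        name, raw = match.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # keep unknown forms verbatim
        prefs[name] = value
    return prefs


def audit(text):
    """Report each data-reporting pref as enabled, disabled or unset.

    prefs.js stores only values changed from the default, so "unset" means
    the build default applies or the build does not define the pref at all;
    about:config is where that difference shows.
    """
    prefs = parse_prefs(text)
    report = {}
    for name in DATA_PREFS:
        if name not in prefs:
            report[name] = "unset"
        elif prefs[name] is True:
            report[name] = "enabled"
        elif prefs[name] is False:
            report[name] = "disabled"
        else:
            report[name] = "non-boolean value"
    return report


# Constructed sample, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", true);
user_pref("browser.cache.disk.capacity", 358400);
"""

if __name__ == "__main__":
    for pref, state in audit(SAMPLE_PREFS_JS).items():
        print(f"{pref}: {state}")
```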


therube

join:2004-11-11
Randallstown, MD

1 edit

FF come from Mozilla, or are there builds specific from BSD?
If the latter, perhaps they did not include it?

I guess # pkg_add -r firefox is from FreeBSD so quite possible that they customize their builds.



therube

join:2004-11-11
Randallstown, MD
reply to therube

About »Re: Firefox 20.0 Released

Don't take anything I say personally.
When I post, I rarely post anything directed to a specific person, even if it may appear that way from my posts.
(Often I know not even who I may be replying to.)

About all I know about "telemetry" is what I dug up yesterday.
And from that, it appears that "telemetry" (or by whatever name it has gone by in the past) has been there for a long time now. The information that it may send, if it were to send, seems innocuous.

To me, it is better, smarter, to be protected by the security fixes in a current release than to worry about what potentially might be sent by some "telemetry".

Mozilla is not looking to mine your data.
In the future, who is to know.
And if it were to be, you can be sure they'd get plenty of flack on it.



Trihexagonal

join:2004-08-29
US
Reviews:
·AT&T Midwest

4 edits
reply to therube

I compile the code from source after it's ported over to FreeBSD by the port maintainer. I doubt the maintainer just chose to leave out a tab here or an option there as they saw fit when they ported it over, but I don't know why it's different on my version either.

There are options I can choose when building it but it worked from the ones I chose back in Firefox 17.0 and whether or not to include telemetry wasn't among them that I remember.

The available versions are as follows, with the version I use being the first:

/usr/ports/www/firefox
/usr/ports/www/firefox-esr
/usr/ports/www/firefox-esr-i18n
/usr/ports/www/firefox-i18n
/usr/ports/www/linux-firefox

From the port description:

quote:
Mozilla Firefox is a free and open source web browser descended from the
Mozilla Application Suite. It is small, fast and easy to use, and offers
many advanced features:

o Popup Blocking
o Tabbed Browsing
o Live Bookmarks (ie. RSS)
o Extensions
o Themes
o FastFind
o Improved Security

WWW: »www.mozilla.com/firefox
You can see the different versions on the FreeBSD ports site under the www section. I believe it would have started from firefox-16.0.2,1 and upgraded as need be when vulnerabilities were discovered:

»www.freebsd.org/cgi/ports.cgi?qu···type=all

pkg_add -r firefox fetches a binary package. Ports are compiled from the same code, it just takes a lot longer to build than installing a package and you don't get to choose your options when you install a package like you do if you compile it from ports.


therube

join:2004-11-11
Randallstown, MD
reply to EUS

Bug 857672 - Address Bar not working

Comment 46.
If that's you, you've run into a bug.



EUS
Kill cancer
Premium
join:2002-09-10
canada
Reviews:
·voip.ms

This is a corp machine on w7, on a windows server domain.
Address bar does not work at all, no dropdowns, entering urls does nothing, as in no activity whatsoever. Search bar is empty (no search engines), which does nothing when I hit "restore defaults".
I can get to a site only through bookmarks, or tile page.
--
~ Project Hope ~



therube

join:2004-11-11
Randallstown, MD

Watch that bug for a forthcoming fix (which per the bug they have yet to decide where they'll land it).
Can't hurt to (vote) on it.
Since it's known, no sense on commenting unless you can lend something new to the report.
Also check out the bugs marked as "Duplicates:".



EUS
Kill cancer
Premium
join:2002-09-10
canada

First of all thanks for the bug pointer.
And after scanning the posts, there's nothing for me to add.
--
~ Project Hope ~



goalieskates
Premium
join:2004-09-12
land of big
reply to therube

I'm going to play devil's advocate here, so bear with me. It's not personal to you, but something I've been watching for a while now.

said by therube:

To me, it is better, smarter, to be protected by the security fixes in a current release than to worry about what potentially might be sent by some "telemetry".

Do you have any idea at all when the security issues that required these security fixes crept into the program?

No really, I'm serious. Let's say, for example, that Mozilla incorporates a wonderful new feature in 16.0, and discovers along about version 18.0 that it's opened a security hole. So they fix it in version 20.0 (took a while to find).

A person staying current would have certainly loaded the buggy version and would need the security fix. But a person who is running - say - version 14.0 wouldn't need it. They won't have the nifty new feature, but they also won't have the security bug. So they're not under any urgent need to upgrade to version 20.0.

What got me thinking about that was the longevity of IE 6. (Save your boos.) Most of us want more functionality than it offers, but still. People ran it for years. People ran it safely for years. Some people still run it, and their computers haven't been taken over by whatever baddie was out there. Microsoft got it to a point of stability where there were only occasional security updates when serious bugs went back that many versions. It's plain and it's out of date, but it's also not susceptible to the same things a later version is.

My point being, that this knee-jerk "security" argument being spouted by all the browser makers and treated like gospel doesn't necessarily apply to everyone. Someone lagging behind a version or two may be perfectly safe, and all the hoopla becomes more security theater to prod us all along.

Now, I'm not trying to talk you or anyone out of updating - far from it. But I consider the "telemetry" business to be a little more serious than you do. I don't allow auto updates for anything but my AV, and I've never allowed my computer to helpfully send data home to Mozilla.

But I'm also not impressed by arguments that every update Mozilla comes out with is really a big security fix for a problem that will wipe out my computer if I don't load it the minute it asks. Sometimes I look at the nifty new features and they look like security risks as much as the stuff by the bad guys. And till I figure out everything that I'm going to have to do to kill them, I don't update. It also doesn't hurt to see what issues come up for the early adopters.

It's not an either/or question vis a vis telemetry / security. I guess that's my bottom line.


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

2 edits
reply to siljaline

said by chachazz:

said by siljaline:

I'm reading elsewhere that those that have saved backups of prior builds are reverting

please provide some links ....

note: previous builds are always available from Mozilla.

said by siljaline:

Ongoing thread at Wilders as requested by you chachazz
»www.wilderssecurity.com/showthre···t=344641

Been watching that thread and checked last evening - No posts that report reverting to previous build. No mass exodus back to Mozilla Firefox 19 or earlier.


Trihexagonal

join:2004-08-29
US
Reviews:
·AT&T Midwest
reply to chachazz

said by chachazz:

said by siljaline:

Firefox appears to be in a new sort of telemetry reporting
»support.mozilla.org/en-US/kb/adv···ices-tab

It's not new.

It was previously under
Advanced > General > "Submit performance data" along with "Submit crash reports".

Telemetry reports go back as far as mid 2011, looks relatively innocuous to me.

»bugzilla.mozilla.org/buglist.cgi···elemetry


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

Yes, the option "Submit performance data" came out in Firefox 7 - September 2011.

quote:
Added an opt-in system for users to send performance data back to Mozilla to improve future versions of Firefox


therube

join:2004-11-11
Randallstown, MD

1 recommendation

reply to goalieskates

> any idea at all when the security issues that required these security fixes crept into the program

Could have been any time.

Could have been ages ago, but then they don't even bother to look at anything that is not supported. (They would look back at the ESRs.) Could very well be that a yet older version of a program is vulnerable to the same exploit, but generally, no one cares. One could look into it themselves, but would you even know?

And when something actually gets fixed could be yet another matter entirely. They may know a problem exists (I'm sure they know of plenty right now), but it might not be the (proper) time to implement the fix. Or the problem is not commonly known, is not being exploited, & has not been disclosed. Something like that could lie for ages before being fixed. And then there are the fixes that depend on others, other things. Like SSL or whatever fixes. A particular "fixed" version of SSL could be implemented, that would be the easy part, but if nothing else around, servers or whatever, speak to that version of SSL, well it all might as well be Greek.

And at what point, & how do you determine that your "14" is "secure". At what point, & how do you determine that there are no bugs in "14".

> IE6 ... Microsoft got it to a point of stability

MS got to a point where they had a browser & did NOTHING to advance it. Hence from IE6 through IE9 there was not even a built-in spell-check. Yes they may eventually have patched security fixes, but no real program advances. They took the market from Netscape, they had the numbers & IE languished. It was not until others improved on it that they finally reacted. Now you might say that Enterprise wanted such a beast, & that is likely partially true, but still.

Mozilla, "seamonkey", & up through FF released when, once a year, perhaps. So if a bug was found & fixed, it would be a long time before "users" got to see the change. If a security issue arose, ditto. Now they've gone "rapid release", so every time you turn around there's a new version. But these new versions do have all the security related fixes in - in a much quicker time frame than otherwise was the case. And, more so in the FF case, they have also implemented feature changes - presumably for the better, though many would argue & also general code changes.

Could bugs, security or otherwise have crept in? Certainly. But who is to know.

> IE6 ... it's also not susceptible to the same things a later version is

It's probably more susceptible to most things, I would think. JavaScript is where it is at in a browser, & what is in IE6 is likely far less hardened than what they have now, even given IE6's "age". And yes, there certainly could be exploits against particular versions or later versions that did not affect older ...

> "telemetry" ... serious

That Mozilla knows how long it took my browser to start up? Or particular program functions (like a certain update to the bookmarks file) took an abnormally long amount of time. Information that if they are made aware can help them improve, help them fix bugs.

Windows crash reports, the same way. You submit a crash report. MS aggregates the data. Enough of the same report comes in, they say, "hey, we have a problem". Eventually, the next time you submit that crash report, assuming you do, you're forwarded to a KB article that tells you how to fix the situation. (A Windows crash report, or a Mozilla crash report could potentially return far more "private" details [like the porn sites you've been visiting] than "telemetry".)

> knee-jerk "security" argument being spouted by [anything/anyone] and treated like gospel

No, I don't buy into that either.
But who is to know. Do you? Do I? I know I don't. I have to rely on the "experts" to do what I feel is going to be in my interest. And if that says it is in my interest to update for security reasons, then I typically will do that.

> Someone lagging behind a version or two may be perfectly safe

True. Likewise someone lagging behind 10 versions may also be perfectly safe. While at the same time someone using the latest nightly version gets stung. What happens to a particular person using a particular version of a software is not really meaningful.

> I consider the "telemetry" business to be a little more serious than you do

I have no problem with that. Each must deal with a circumstance in a way they feel comfortable.

> I don't allow auto updates for anything but my AV

And I don't use an AV.

> and I've never allowed my computer to helpfully send data home to Mozilla

Luckily that is your prerogative. Not all softwares allow you to make that determination.

> I'm also not impressed by arguments that every update Mozilla comes out with
> is really a big security fix for a problem that will wipe out my computer if I don't
> load it the minute it asks

And I wouldn't particularly be concerned if I lagged for a period of time either. But who is to know? I don't. I pay the experts to advise me & I make my determination from there.

> nifty new features

That is an entirely different situation. You don't like the look (UI) or the way you interact (UX) with a newer version of a program, that is something that people complain about all the time. You don't like the features, so you'd prefer to remain with an older version. No problem with that, so long as you're able to do it securely.

> nifty new features ... look like security risks

Of course any change has the potential to introduce new security risks. But then so does the decision to remain stagnant, by malware exploiting old existing or newly discovered holes in older software (that would forever more remain unpatched).

But again who is to say, or know? Older versions aren't going to be looked back at. No one cares any more that FF 19 has an existing vulnerability - because it has been patched in FF 20.

> It also doesn't hurt to see what issues come up for the early adopters

Plenty feel that way. That they'll wait before updating. Even in this thread (above) is noted a bug that crept into FF 20, that really buggers the browser for some. Does not affect me. Likely does not affect you. So it makes no difference to us. But to the ones it does affect, that are affected by it, it greatly affects them. Now you could say, "if they weren't early adopters"... But then what if it were a security related bug, that affected the same group of people. Didn't affect me. Didn't affect you. So it makes no difference to us. But it surely did affect "them". And since they decided NOT to be "early adopters", they waited ... until their bank accounts were drained. So who is to know. You do what you feel is prudent for your situation.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to chachazz

There are those reverting (elsewhere) as the telemetry tab is poorly explained ... jmho

H/T @ therube for the long-ish explanations.

I've gleaned what I need to glean for my experience with Mozilla Firefox, next release, I probably won't be so quick to slam-over-top.



Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
reply to FF4m3

thanks...........i am really gettin' tired of using bondo on my browser



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

said by Phoenix22:

thanks...........i am really gettin' tired of using bondo on my browser

+ 1


therube

join:2004-11-11
Randallstown, MD

1 recommendation

reply to therube

quote:
WaltS: health report gathers addon information
while telemetry gathers speed measurements
»docs.services.mozilla.com/healthreport/
Cork: that's not quite correct
in a nut-shell, FHR is going to replace telemetry eventually
Cork: Thanks for that link
it reports on Firefox speed, add-ons, options, etc
and gives users a visible face for that data
as well as ways to improve Firefox (self-diagnostics)
tyler|Win7: and don't forget invade their privacy..
* Cork really hates FHR
Cork: in release it will only be turned on if you turn it on
tyler|Win7: oh, when did that change?
when it landed it was on unless you uncheck it
Cork: never its always been planned to be opt-in only
tyler|Win7: I thought that might be the case since telemetry was disabled by default in Nightly.
tyler|Win7: an opt in where unless you uncheck it when it shows a banner isn't opt in
pre-release just had it turned on by default so we could get testing
my Nightly anyway
its opt out
Cork: on pre-release. Release will be opt-in
that was VERY good news
Cork: and there is no personally identifiable information in FHR, and we are just looking at aggregated numbers, trends, etc.
extremely even
so I can't look at the data and tell what is your machine and what isn't
I don't see anything in the raw data that invades my privacy.
unless you have an add-on, or User Agent that says "This is corks machine"
;)
tyler|Win7: yes, i know, but the fact of sending collected information without asking drives me nuts (i'm fine with it on nightly though)
Cork: you can always turn it off
so this fact makes me really happy
tyler|Win7: that was never the problem
tyler|Win7: i get a knee-jerk reflex when i hear about solutions that enabled by default and the user has to turn if off
Cork: do some research before jumping to conclusions, see what data is actually being collected, and read the wiki and bugs
and that was one of the things i trusted mozilla for; and this did the opposite, and that made me quite upset to be honest
tyler|Win7: i did
New Firefox - Private Browsing bug 859326 filed by tiziana.sel@gmail.com.
and all the specs i could find was enabled unless the user disables it
Cork: rest assured, we have a large team dedicated to just privacy that spent 3+ months reviewing FHR, making sure we respected people's privacy before it even got implemented into nightly (every Firefox change that has anything to do with Personal data has to go through a privacy review)
tyler|Win7: the problem lies in what ppl view as private data
tyler|Win7: i view private data, as anything collected on the computer without my permissions
Cork: any data in Firefox is considered private data and requires a really in-depth privacy review
even something like what cpu i'm using
and if you have a problem with providing your computer's information (I'm not sure why you would, but if you do) just turn it off
They might not want anyone to know they are using any torrent extensions for example.
tyler|Win7: i don't either; as long as the user is asked BEFORE its submitted
so an option to turn it off would be a violation
tyler|Win7: my strict view comes from the fact that code can bug, and memory or data not meant to be part of the data set can be sent
so sending things without asking, it a big no. no
and that's where my firm belief that a program HAS to ask before starting sending (not collecting) data
+ comes from
Cork: that code could bug and enable sending without you knowing it.
WaltS: extremely unlikely if the sending is triggered by a user action
Cork: all code does need several reviews before it makes it into the product, and for a large project like FHR we have it in another branch for development before landing in nightly
but sure everything is possible
Cork: having a bug that sends data that shouldn't be sent isn't likely, that would be a pretty major bug that code review and data review would check
catch*
We can only hope
tyler|Win7: and both you and i know that the environment firefox runs in in the wild has a lot of weird situations that is hard to test (and isn't tested) before release
tyler|Win7: not really, it would only need something like a memory corruption
Cork: it would require code to pull that data, send that data, and have a server configured to accept that data



EUS
Kill cancer
Premium
join:2002-09-10
canada
reply to FF4m3

As per the bug report from above, looks like 20.0.1 is to be released this week to patch the problem I'm having.
--
~ Project Hope ~