Mozilla has released Firefox 37, bringing native playback of HTML5 video for Windows, and many security changes.
Among the security improvements are updates to insecure TLS version fallback, the removal of DSA support in certificates and TLS, reporting of SSL connection problems, and TLS False Start optimisation.
In the Mozilla Hacks article “Trainspotting: Firefox 37, Developer Edition and More”, technical evangelist Dietrich Ayala expands on the removal of DSA support in certificates and TLS. “We removed support because we found that almost nobody was using these. If you’re a site operator and your certificate was signed with a DSA algorithm, contact your CA and get a new certificate,” Ayala said.
On the subject of SSL connection problems Ayala had more information:
Users can now report SSL connection problems for a variety of non-certificate-related errors. For example, if a user encounters a non-override-able TLS error, they can now send a report to Mozilla directly from the error page. The information in the report consists of the domain you were trying to reach, the certificates the server sent, the time, which error was encountered, and some user agent information.
Ayala says Mozilla use this information to work with site operators to fix their configurations, and to improve the software that detects these issues, so users are encouraged to send reports.
Aside from the security updates, one of the most popular changes for the Firefox community is the implementation of a subset of the Media Source Extensions (MSE) API, which gives Windows users native playback of HTML5 video on sites including YouTube. The MediaSource interface represents the source of media data for an HTMLMediaElement object.
Jordan Santell, JavaScript engineer for Mozilla, wrote about the feature for the Firefox 37 Developer Edition back in January, in the post “Web Animation tools, Network Security insights, Font Inspector improvements and more”. He said the security panel gives information about the request’s connection and host, as well as the certificate used.
"The security panel can help debug issues related to SSL protocol versions, such as sites not working because of the POODLEBITE issue, and can help ensure that sufficiently strong security measures are implemented," Santell said.
The release also gives Firefox for Android a security and stability release. Notably, the update brings opportunistic encryption of some http:// based resources.
In the blog post “Opportunistic Encryption For Firefox”, Mozilla network developer Patrick McManus describes the encryption.
He says:
This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial.
However, McManus says that while these encryptions are "nice bonuses for http://...if you can run https you should - full stop."
A more complete list of what's new in Firefox 37 can be found in the release notes.
Mozilla welcome newcomers who want to be part of the Firefox project, and there are many ways that InfoQ readers can contribute to Firefox. A full list of options is available on the Mozilla Developer Network, where Mozilla also publish a number of How To guides.