Tech blogger Paul Thurrott writes: Firefox 85 now protects users against supercookies, which Mozilla says is "a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next." It also includes small improvements to bookmarks and password management.

Unfortunately, Mozilla has separately — and much more quietly — stopped work on Site Specific Browser (SSB) functionality... This feature allowed users to use Firefox to create apps on the local PC from Progressive Web Apps and other web apps, similar to the functionality provided in Chrome, Microsoft Edge, and other Chromium-based web browsers. "The SSB feature has only ever been available through a hidden [preference] and has multiple known bugs," Mozilla's Dave Townsend explains in a Bugzilla issue tracker. "Additionally, user research found little to no perceived user benefit to the feature and so there is no intent to continue development on it at this time. As the feature is costing us time in terms of bug triage and keeping it around is sending the wrong signal that this is a supported feature, we are going to remove the feature from Firefox."
Thurrott's conclusion? "Mozilla is walking away from a key tenet of modern web apps and, in doing so, they are making themselves irrelevant."

Apple yesterday released a new version of iCloud for Windows 10, and based on multiple reports and the update's release notes, it appears Apple is introducing an iCloud Passwords extension designed for Chrome, which will allow "iCloud" Keychain passwords to be used on Windows machines. MacRumors reports: As noted by The 8-Bit and a few other sources, the update adds support for an "iCloud" Passwords Chrome extension." After installing version 12 of "iCloud" for Windows, there's a new "Passwords" section in the app with an "iCloud" Keychain logo. When attempting to use the feature, though, the "iCloud" app prompts users to download a Chrome extension, but the extension is broken and clicking to install leads to a broken web page.

This is likely a bug that will be addressed in the near future, and it sounds like when it is functional, Windows users will be able to access their "iCloud" Keychain passwords on their Windows machines through the Chrome browser. It's not clear if Apple will offer this extension for Mac machines in the future as well, and it appears to be limited to Windows at this time.

Google has started rolling out Chrome OS 88. The update includes a couple of enhancements, the most notable of which is a new screen saver you can use to get more functionality out of your computer's lock screen. Engadget reports: By enabling the feature, your Chromebook will be able to display images from your Google Photos library, including those you've organized into specific albums. You can also choose from a selection of default images put together by Google. If you use the Google Photos functionality built into the Pixel Stand and Nest Hub, you'll have a good idea of how the screen saver works.

The lock screen also displays the time and local weather and provides you with easy to access media controls so you can pause or play a song. You'll find your WiFi and battery status on the bottom right corner and the option to sign out from your account if you want. You enable the feature by digging into the settings menu of Chrome OS and finding your way to the Personalization section. Once enabled, it will turn on when the operating system detects that your device has been idle for some time. The update also introduces a feature that allows you to use your pin or fingerprint, instead of a password, to log into websites that support the WebAuthn standard.

With Mozilla's release of Firefox 85 on Tuesday, Adobe's once ubiquitous Flash technology is really gone for good. The software had been widely used to expand gaming, video and animation on the web, though Adobe stopped supporting it at the end of 2020. Firefox was the last major browser to support Flash. From a report: Apple, whose late boss Steve Jobs helped sink Flash by banning it from iPhones and iPads, ditched Flash with Safari 14 in September 2020. Google Chrome, the most widely used browser, completely excised it on Jan. 19 with version 88. Microsoft's Edge 88 followed suit on Jan. 21. The schedule of removals shows just how hard it is to advance technology foundations as widely used as the web. Browser makers for years wanted to remove Flash, replacing it with more advanced standards built directly into the web. Jobs' "Thoughts on Flash" letter in 2010 solidified the opposition, and Adobe started recognizing the software's doom by scrapping the Android version of Flash in 2011. It's taken years of effort to drop Flash completely. Adobe took until 2017 to announce that Flash would be completely unsupported at the end of 2020, and still some are willing to jump through lots of hoops to keep Flash around a little longer.

Google says its new machine learning algorithms could replace cookie-based ad targeting without invading your privacy. Axios reports: Google has been testing a new API (a software interface) called Federated Learning of Cohorts (FLoC) that acts as an effective replacement signal for third-party cookies. The API exists as a browser extension within Google Chrome. The company said Monday that tests of FLoC to reach audiences show that advertisers can expect to see at least 95% of the conversions per dollar spent on ads when compared to cookie-based advertising. FLoC uses machine learning algorithms to analyze user data and then create a group of thousands of people based off of the sites that an individual visits. The data gathered locally from the browser is never shared. Instead, the data from the much wider cohort of thousands of people is shared, and that is then used to target ads.

It's a big deal that Google says it's close to coming up with a technology that will replace cookies, because one of the toughest parts of phasing cookies out of internet ad-targeting is that there hasn't been a great solution for what to replace them with. [...] Google has other proposals to replace cookies in the works, so it's not guaranteed that FLoC will be the answer, but the company said it's highly encouraged by what it has seen so far.

Google released Chrome 88 this week — and besides improving its dark mode support, they removed support for both Adobe Flash and FTP.

PC World calls it "the end of two eras." The most noteworthy change in this update is what's not included. Chrome 88 lays Adobe Flash and the FTP protocol to rest. RIP circa-2000 Internet.

Neither comes as a surprise, though it's poetic that they're being buried together. Adobe halted Flash Player downloads at the end of 2020, making good on a promise made years before, and began blocking Flash content altogether a couple weeks later. Removing Flash from Chrome 88 is just Google's way of flushing the toilet.

On the other hand, FTP isn't dead, but it is now for Chrome users. The File Transport Protocol has helped users send files across the Internet for decades, but in an era of prolific cloud storage services and other sharing methods, its use has waned. Google started slowly disabling FTP support in Chrome 86, per ZDNet, and now you'll no longer be able to access FTP links in the browser. Look for standalone FTP software instead if you need it, such as FileZilla.

That's not all. Mac users should be aware that Chrome 88 drops support for OS X 10.10 (OS X Yosemite). Yosemite released in 2014 and received its last update in 2017...

But Google killing Flash and FTP might be the footnotes that hit old-school web users in the feels.
Chrome 88 will also block non-encrypted downloads originating from an encrypted page, the article reports. And the Verge notes Chrome also offers less intrusive website permission requests (as an experimental feature enabled from chrome://flags/#permission-chip ), while Bleeping Computer describes Chrome 88's new experimental feature for searching through all your open tabs.

And Chrome's blog points out some additional features under the hood: Chrome 88 will heavily throttle chained JavaScript timers for hidden pages in particular conditions. This will reduce CPU usage, which will also reduce battery usage. There are some edge cases where this will change behavior, but timers are often used where a different API would be more efficient, and more reliable.

As of December 8, Apple has been requiring developers to provide privacy label information to their apps, outlining the data that each app collects from users when it is installed. Many app developers have included the labels, but there's one notable outlier -- Google. schwit1 shares a report from MacRumors: Google has not updated its major apps like Gmail, Google Maps, Chrome, and YouTube since December 7 or before, and most Google apps have to date have not been updated with the Privacy Label feature. The Google Translate, Google Authenticator, Motion Stills, Google Play Movies, and Google Classroom apps do include privacy labels even though they have not been updated recently, but Google's search app, Google Maps, Chrome, Waze, YouTube, Google Drive, Google Photos, Google Home, Gmail, Google Docs, Google Assistant, Google Sheets, Google Calendar, Google Slides, Google One, Google Earth, YouTube Music, Hangouts, Google Tasks, Google Meet, Google Pay, PhotoScan, Google Voice, Google News, Gboard, Google Podcasts, and more do not display the information.

On January 5, Google told TechCrunch that the data would be added to its iOS apps "this week or the next week," but both this week and the next week have come and gone with no update. It has now been well over a month since Google last updated its apps. "To lightly paraphrase former Google CEO Eric Schmidt: If your data harvesting is something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," adds schwit1.

At WWDC last year, Apple announced it was going to support Chrome-style browser extensions (the WebExtensions API) in Safari. Months after Safari 14's release, are developers bothering with Safari? Jason Snell: The answer seems to be largely no -- at least, not yet. The Mac App Store's Safari extensions library seems to be largely populated with the same stuff that was there before Safari 14 was released, though there are some exceptions. [...] So in the end, what was the net effect of Apple's announcement of support for the WebExtensions API in Safari? It's a work in progress. A very small number of extensions have appeared in the App Store, and it seems quite likely that others will follow at their own pace. Other developers remain utterly unmoved by all the extra work moving to Safari would entail. It strikes me that Apple could rapidly drive adoption of Safari extensions if it would finally bring that technology to iOS. Targeting the Mac is nice, but if they could target iPads and iPhones, we might really have something.

Privacy-focused search engine DuckDuckGo reached a major milestone in its 12-year-old history last week when it recorded on Monday its first-ever day with more than 100 million user search queries. From a report: The achievement comes after a period of sustained growth the company has been seeing for the past two years, and especially since August 2020, when the search engine began seeing more than 2 billion search queries a month on a regular basis. The numbers are small in comparison to Google's 5 billion daily search queries but it's a positive sign that users are looking for alternatives. DuckDuckGo's popularity comes after the search engine has expanded beyond its own site and now currently offers mobile apps for Android and iOS, but also a dedicated Chrome extension. More than 4 million users installed these apps and extension, the company said in a tweet in September 2020.

Besides the intended differences, web browsers based on Chromium offer an underlying experience that's mostly identical to Chrome. Google recently discovered that users of third-party Chromium browsers have inadvertently been able to access data and other sync features reserved for Chrome. From a report: "Some" Chromium browsers today can leverage features and APIs that are "only intended for Google's use." This includes Click to Call and, notably, Chrome Sync. The latter is responsible for syncing bookmarks, extensions, history, settings, and more across signed-in devices running the first-party browser. As a result, users logged into Google sites on Chromium browsers are able to see their old bookmarks and other data from previous Chrome usage. This inadvertent access was discovered during a recent audit and Google will be "limiting access to [its] private Chrome APIs" from March 15th.

Just ahead of its launch for commercial PC-like devices, an install image of Windows 10X for single screens has leaked, giving us an early peek at Microsoft's new OS. And yes, it's just like Chrome OS. From a report: Let's just get that out of the way. Microsoft has been working for years on a Chromebook competitor, but it has been largely unsuccessful. Windows 10 S, which was originally called Windows 10 Cloud, was Terry Myerson's approach, and that, of course, crashed and burned, in part because it looked identical to Windows 10 but couldn't run downloaded Windows 10 desktop applications. And now we have Windows 10X. Microsoft tried to hide its true intent with this product by pretending last year that it was aimed at a new generation of dual-display PCs, but the software giant really created 10X to compete with Chrome OS on inexpensive single-display PCs. So after failing to get its container-based Windows desktop application compatibility solution to work, Microsoft scaled back and repositioned Windows 10X as was originally intended: It will now ship only on new traditional PCs aimed at education and other commercial markets.

Google published a six-part report this week detailing a sophisticated hacking operation that the company detected in early 2020 and which targeted owners of both Android and Windows devices. From a report: The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks, Google said. "One server targeted Windows users, the other targeted Android," Project Zero, one of Google's security teams, said in the first of six blog posts. Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user's browsers, attackers deployed an OS-level exploit to gain more control of the victim's devices. The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.

When a user attempts to load a Flash game or content in a browser such as Chrome, the content now fails to load and instead displays a small banner that leads to the Flash end-of-life page on Adobe's website. While this day has long been coming, with many browsers disabling Flash by default years ago, it is officially the end of a 25-year era for Flash, first introduced by Macromedia in 1996 and acquired by Adobe in 2005. Mac Rumors reports: "Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems," the page reads. Adobe has instructions for uninstalling Flash on Mac, but note that Apple removed support for Flash outright in Safari 14 last year.

Adobe first announced its plans to discontinue Flash in 2017. "Open standards such as HTML5, WebGL, and WebAssembly have continually matured over the years and serve as viable alternatives for Flash content," the company explained. Adobe does not intend to issue Flash Player updates or security patches any longer, so it is recommended that users uninstall the plugin.

EFF special consultant/blogger/science fiction writer Cory Doctorow warns in Locus magazine about the dangers of what Bruce Schneier calls "feudal security": Here in the 21st century, we are beset by all manner of digital bandits, from identity thieves, to stalkers, to corporate and government spies, to harassers... To be safe, then, you have to ally yourself with a warlord. Apple, Google, Facebook, Microsoft, and a few others have built massive fortresses bristling with defenses, whose parapets are stalked by the most ferocious cybermercenaries money can buy, and they will defend you from every attacker — except for their employers. If the warlord turns on you, you're defenseless.

We see this dynamic playing out with all of our modern warlords. Google is tweaking Chrome, its dominant browser, to block commercial surveillance, but not Google's own commercial surveillance. Google will do its level best to block scumbag marketers from tracking you on the web, but if a marketer pays Google, and convinces Google's gatekeepers that it is not a scumbag, Google will allow them to spy on you. If you don't mind being spied on by Google, and if you trust Google to decide who's a scumbag and who isn't, this is great. But if you and Google disagree on what constitutes scumbaggery, you will lose, thanks, in part, to other changes to Chrome that make it much harder to block the ads that Chrome lets through.

Over in Facebook land, this dynamic is a little easier to see. After the Cambridge Analytica scandal, Facebook tightened up who could buy Facebook's surveillance data about you and what they could do with it. Then, in the runup to the 2020 US elections, Facebook went further, instituting policies intended to prevent paid political disinformation campaigns at a critical juncture. But Facebook isn't doing a very good job of defending its users from the bandits. It's a bad (or possibly inattentive, or indifferent, or overstretched) warlord, though...

Back to Apple. In 2017, Apple removed all effective privacy tools from the Chinese version of the iPhone/iPad App Store, at the behest of the Chinese government. The Chinese government wanted to spy on Apple customers in China, and so it ordered Apple to facilitate this surveillance... If Apple chose not to comply with the Chinese order, it would either have to risk fines against its Chinese subsidiary and possible criminal proceedings against its Chinese staff, or pull out of China and risk having its digital services blocked by China's Great Firewall, and its Chinese manufacturing subcontractors could be ordered to sever their relations with Apple. In other words, the cost of noncompliance with the order is high, so high that Apple decided that putting its customers at risk was an acceptable alternative.

Therein lies the problem with trusting warlords to keep you safe: they have priorities that aren't your priorities, and when there's a life-or-death crisis that requires them to choose between your survival and their own, they will throw you to the bandits...
"The fact that Apple devices are designed to prevent users from overriding the company's veto over their computing makes it inevitable that some government will demand that this veto be exercised in their favor..." Doctorow concludes. "As with feudal aristocrats, the state is happy to lend these warlords their legitimacy, in exchange for the power to militarize the aristocrat's holdings... "

His proposed solution? What if Google didn't collect or retain so much user data in the first place -- or gave its users the power to turn off data-collection and data-retention altogether? And "What if Apple — by design — made is possible for users to override its killswitches?"

Google is the U.K.'s first big post-Brexit antitrust target as regulators opened a probe into the company's planned changes to curb publishers' collection of advertising data. From a report: The Competition and Markets Authority said it's investigating Google's so-called privacy sandbox changes that could "undermine the ability of publishers to generate revenue and undermine competition in digital advertising, entrenching Google's market power." The probe adds to Google's legal headaches around the world. The Mountain View, California-based company faces lawsuits from the U.S. Department of Justice and multiple states over allegedly anticompetitive practices. The U.K. probe focuses on Google's decision last year to phase out third-party cookies that help advertisers monitor customers' browsing habits and pinpoint the effectiveness of different advertising. Google's Chrome is the dominant web browser and the changes will be followed by rival products based on Google technology, such as Microsoft's Edge.

Browser makers Apple, Google, Microsoft, and Mozilla, have banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana). From a report: The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices. While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed. Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies. Officials cited that cyberattacks targeting "Kazakhstan's segment of the internet" grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise. The government's explanation did, however, make zero technical sense, as certificates can't prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers. After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari, will refuse to use them, preventing Kazakh officials from intercepting user data.

This week Google "quietly acquired a company called Neverware Inc. that sells software to transform old personal computers and Macs into Chromebook devices," reports SiliconANGLE: The acquisition was announced by Neverware on Twitter, and Google later confirmed the news in a statement. Google had taken part in the company's Series B funding round three years ago.

Neverware's software is called CloudReady OS, and though it's primarily aimed at schools and enterprises that want to transform fleets of machines into Chromebooks, there's also a free Home edition that anyone can use... Google's plan is to make CloudReady an official product. "We can confirm that the Neverware team is joining the Google Chrome OS team," Google said in a statement.

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said.

Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.
ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users.

ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."

The Verge reports: Firefox's latest update brings native support for Macs that run on Apple's Arm-based silicon, Mozilla announced on Tuesday. Mozilla claims that native Apple silicon support brings significant performance improvements: the browser apparently launches 2.5 times faster and web apps are twice as responsive than they were on the previous version of Firefox, which wasn't native to Apple's chips...

Firefox's support of Apple's Arm-based processors follows Chrome, which added support for Apple's new chips shortly after the M1-equipped MacBook Pro, MacBook Air, and Mac mini were released in November.
Firefox 84 will also be the very last release to support Adobe Flash, notes ZDNet, calling both developments "a reminder of the influence Apple co-founder Steve Jobs has had and continues to exert on software and hardware nine years after his death." Jobs wrote off Flash in 2010 as successful Adobe software but one that was a 'closed' product "created during the PC era — for PCs and mice" and not suitable for the then-brand-new iPad, nor any of its prior iPhones. Instead, Jobs said the future of the web was HTML5, JavaScript and CSS.

At the end of this year Google Chrome, Microsoft Edge and Apple Safari also drop support for Flash.

Senior Apple execs recently reflected in an interview with Om Malik what the M1 would have meant to Jobs had been alive today. "Steve used to say that we make the whole widget," Greg Joswiak, Apple's senior vice president of Worldwide Marketing told Malik.

"We've been making the whole widget for all our products, from the iPhone, to the iPads, to the watch. This was the final element to making the whole widget on the Mac."
ZDNet also notes that Firefox 84 offers WebRender, "Mozilla's faster GPU-based 2D rendering engine" for MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. "Mozilla promises it will ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time."

Firefox now also uses "more modern techniques for allocating shared memory on Linux," writes Mozilla, "improving performance and increasing compatibility with Docker."

And Firefox 85 will include a new network partitioning feature to make it harder for companies to track your web surfing.

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer.

In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."

The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.