Mozilla’s today released the Firefox 42 browser, which provides users with improved privacy and security capabilities.
The new privacy feature in Firefox 42 is called Tracking Protection and currently works inside Firefox’s Private Browsing mode. Mozilla first introduced Private Browsing in Firefox 3.1, which was released in 2008. The basic idea with Private Browsing mode is that a user’s history and session cookies are not retained after the browser is closed.
Tracking Protection adds a new dimension by restricting the ability of third-party technologies from tracking a user.
“We care a lot about choice and control, so we’re really proud of Firefox 42,” Nick Nguyen, vice president of product for Firefox at Mozilla, told eWEEK. “Tracking Protection is a content blocker that blocks tracking elements from Web pages.”
Tracking Protection is different from “Do Not Track” (DNT) capabilities, another attempt at limiting Websites’ abilities to track users. DNT first landed in Firefox 4.0 in 2011 as a capability whereby users identify whether they want to be tracked. The problem with DNT is that it requires Websites to respect the user’s DNT choice, which does not happen often.
“DNT and Tracking Protection are both parts of the same conversation,” Nguyen said.
DNT has shown that it might be necessary to have a larger “stick” to help protect users against tracking, Nguyen said. Mozilla is not anti-advertising but does want users to have choice and control, he said.
“With Tracking Protection, we hope the advertising industry will engage with us in a dialogue about what is tracking and what gets blocked,” Nguyen said.
While Tracking Protection aims to limit the ability of tracking, it is not a panacea that enables user anonymity. Even inside Private Browsing mode with Tracking Protection in Firefox 42, the user’s IP address is still visible and potentially can be tracked by Websites.
“If there is third-party content on a page that is doing tracking, they won’t get the HTTP headers or a user’s IP address because Tracking Protection won’t load that content,” Nguyen said. “If the content isn’t loaded, the server is not aware of the client.”
Today, the majority of tracking is done via third-party components that are embedded on a Web page, Nguyen said. Mozilla is just starting to see various forms of stateless tracking, which is not something that Tracking Protection in Firefox 42 can address today, he said.
In addition to Tracking Protection, Firefox 42 introduces enhanced security indicators that aim to help users understand the security of a given Website. When a user visits a Web page that triggers Mozilla’s Tracking Protection feature, a little shield icon is now shown in the address bar. The updated security indicator now also reveals when a given Web page is only partially secured by Secure Sockets Layer/Transport Layer Security (SSL/TLS).
As part of the Firefox 42 release, Mozilla is issuing 17 security advisories for vulnerabilities, only three of which are rated critical. Among the critical advisories is MSFA-2015-116 titled, miscellaneous memory safety hazards, which patches two unique memory corruption bugs, CVE-2015-4513 and CVE-2015-4514.
The critical MSFA 2015-131 advisory details three vulnerabilities (CVE-2015-7198, CVE-2015-7199 and CVE-2015-7200) found through code inspection.
“Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection,” Mozilla warned in its advisory. “These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation.
The third critical Mozilla advisory details three vulnerabilities (CVE-2015-7182, CVE-2015-7182 and CVE-2015-7183) in the Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries.
Looking beyond Firefox 42, Mozilla is already in development for Firefox 43 and future versions of the open-source Web browser.
“You will see more options in Tracking Protection in future Firefox updates, as well as continuous improvements, including process separation,” Nguyen said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.