Just a month after shipping version 73 of its Firefox browser, Mozilla has released version 74 with a range of privacy and security enhancements. These include a privacy tweak to the way it handles the WebRTC multimedia streaming protocol.
Mozilla had promised some of its changes months or even years ago, but an unexpected addition is mDNS ICE, which improves privacy in peer-to-peer communications.
ICE stands for Interactive Connectivity Establishment, and it’s a technique used in VoIP and peer-to-peer connections within network address translation (NAT) environments. NAT boxes remap IP address spaces between networks. They enable you to use addresses on your local network (like 192.168.1.100) that don’t clash with those on the wider internet.
ICE uses ‘candidates’ that provide alternatives for connections in a NAT environment. These candidates, which contain IP address and port information, increase the chance of successful connections on unmanaged networks by helping the other party find its way to the right computer behind a NAT connection.
The problem with that, as this IETF draft explains, is that ICE candidates expose private IP addresses to web applications by default, creating potential privacy issues. This applies to WebRTC, which is a browser-based peer-to-peer real-time communications standard. You can use WebRTC for video conferencing or monitoring IP cameras without needing to install separate applications.
Firefox 74 fixes the problem by using multicast DNS (mDNS) with ICE to create a random ID that cloaks a computer’s IP address. That makes WebRTC communications more private.
Another big change concerns sideloading. This is the practice of automatically installing extensions without users taking action. In Firefox 74, users must manually install the extensions that they want, and they can also remove previously sideloaded extensions using the add-ons manager (although they’ll have to do this manually). Developers will still be able to push updates to previously-sideloaded extensions, Mozilla said.
The company explained that this doesn’t apply to those pushing out their own Firefox distributions, such as some Linux distros. Neither will it apply to Firefox Extended Support Release (ESR). Enterprises can continue to sideload extensions in Firefox browsers managed by policies.
Firefox 74 also officially deprecates versions of TLS before 1.2. Mozilla vowed to nix TLS 1.0 and 1.1 in Firefox back in 2018 and is delivering on schedule. TLS 1.0 turned 21 years old in January and has some shortcomings. According to the IETF, versions 1.0 and 1.1 don’t support current recommended cipher suites, leading some governments to ban them for applications altogether. The IETF has recommended v1.2 since 2008, so it’s probably about time that we ditched the others.
If a website tries to use a pre-1.2 version of TLS, Firefox 74 will now show an error page. If you’re intent on dealing with an insecure web page, though, you can go ahead because there’s an override button – for now.
The latest version of Firefox brings a handful of other changes including the addition of an allowlist to the browser’s Facebook Container. This extension isolates Facebook, allowing people to contain their activity on the social media site without letting it track them via other websites that they visit. Sometimes they might want another site to talk to Facebook about them, if it’s connected to their Facebook site as an app. This change lets people add custom sites to a list of exceptions.
Mozilla also fixed 12 security flaws in the browser, all with a severity rating of high or less.
Given that Mozilla has moved to a four-week release cycle, we can’t call the Firefox release date ‘fortytwosday’ anymore, in line with its past 42-day release cycle and, of course, in honour of Hitchhiker’s Guide to the Galaxy (which is 42 this month). Don’t Panic – we’ll think of something. How about 28 Days Later?
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.