Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving any tracks. But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.
Filtering out bad sites
Firefox's built-in antiphishing tool claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.
To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.
Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.
(Credit: Mozilla Foundation)The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware filtering" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)
Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.
(Credit: Google)The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.
Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.
Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and check "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.
IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.
Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.
(Credit: Microsoft)You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.
Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.
Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.
Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.
But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.
(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)
There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.
The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.
The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.
No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.
The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.
On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.
The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.
Tom Espiner of ZDNet UK reported from London.
Firefox 3.5 (for Windows, Windows Portable, Mac, or Linux) forges ahead with strong developer support, but most improvements for casual users will probably strike them as minor. See what's new for the second-most popular browser in this slideshow.
Firefox 3.5 brings the world's second-most popular browser up to speed with current browsing technology and trends, and perhaps nudges it just a bit ahead of the competition. However, it is by no means the leap ahead that its predecessor Firefox 3 was, and it's clear that the competition isn't going away anytime soon.
Available for Windows, Windows Portable, Mac, or Linux, Firefox 3.5 nevertheless represents the best Firefox we've yet seen from Mozilla. This comes as no surprise, and with a testing process that involved four beta builds, three release candidates, and a version change to reflect what Mozilla described as the originally-unintended breadth of the improvements being made, most of the new features are no surprise, either.
Private Browsing, known to IE users as InPrivate, Chrome users as Incognito, and Safari users as, well, Private Browsing, finally comes to a public version of Firefox. It's been available to the 800,000 or so beta testers since December 2008. If you're not familiar with it, users can toggle on or off the browser's history, cookies, and other browsing traces at will via the Tools menu or CTRL+SHFT+P. A new window will open. Among its other uses that serve as fodder for second-rate comedians, it's an excellent tool for avoiding leaving tracks on publicly-used computers and its about time that Firefox finally got it. In fact, Firefox has had it in various stages of development for four years.
I'm not sure how connected Firefox's development of Private Browsing is to this next feature, but I can see far more users gaining traction from having the fine, granular control of browsing tracks that's now available in v3.5. The Clear Private Data window has been replaced by a Clear Recent History option, using the same hot key combo and in the same place in the Tools menu.
Under the Clear Recent History window, you can delete your entire recent browsing history over the past hour, two hours, four hours, today, or all content in your history. From its Details drop-down menu, you can tailor the data purge to Browsing and Download history, Form and Search history, Cookies, Cache, Active Logins, Site Preferences, and Saved Sessions. From within the History window, you can also right-click on a site to Forget this Site, which will remove all instances of that site from your history records. Because your Most Recent Sites folder pulls from your history, you gain this level of control there, too.
Another excellent improvement in v3.5 that pushes Firefox ahead of its competitors is aggressive developer support. This may not sound impressive to most users, and if you're not a developer, I can see why its hard to get worked up about support for CSS media tags, HTML5 local storage, downloadable fonts, Web worker thread, and native JSON support, or SVG transforms--it all sounds a bit too much like alphabet soup.
Firefox 3.5 comes with geo-locating turned on, so it always knows where you are (with your permission.)
(Credit: Screenshot by Seth Rosenblatt/CNET)However, embedded ICC profiles, and support for Ogg Vorbis and Theora video and audio means that image colors will look better and closer to how they were intended, and no plug-in will be required for properly-encoded multimedia. Since Vorbis is open-source, this will lend those formats a huge boost while rendering those pages more stable. Here's an example video from Firefox that offers a tour of the new browser, or you can check out this sample from Daily Motion. Non-Firefox users will either see the Flash version (as on Daily Motion), or be directed to download the OGV file.
The "awesome bar" that debuted in Firefox 3 has become one of my favorite features. I've personalized my browser to eliminate the search bar, and now I use the location bar for all my searching. In v3.5, Mozilla has improved the search functionality so that you can show only bookmarks, by using an asterisk after a query such as "cnet *", or show only tags by using a plus "cnet +".
You can also tear off tabs as you can in the Webkit-based browsers Chrome, Safari, and IE, although unlike those browsers, Firefox's tabs are not sandboxed. This means that, if the browser crashes, you're still hosed, although Mozilla says this feature--known in development as Electrolysis--is being worked on.
In the meantime, Mozilla has imported better session control that users could only get before from add-ons like Session Manager. Now, if Firefox crashes, you get the option to choose which tabs to revive. If a Flash-based or heavy JavaScript site was the cause of that crash, you don't need to bring back that particular tab and risk getting caught in a crash-and-restart cycle of frustration.
Firefox 3.5 natively supports HTML5 and embedded Ogg video content.
(Credit: Screenshot by Seth Rosenblatt/CNET)Mozilla abandoned development of its own geolocating technology in Firefox, but that doesn't mean that Firefox 3.5 doesn't possess the ability to know where you are. Using Google's tech, Firefox can pinpoint where you are so that in search queries, for example, you'll get the most locally relevant results first. Turning this off isn't difficult, either. Under about:config, search for "geo.enabled" and change True to False by double-clicking on it.
Performance has always been one of the keys to browser popularity, and much of Google's success with Chrome can be attributed to its fast JavaScript rendering marks. The resurgent interest in Safari also comes from its JavaScript benchmarks and Apple's claim that Safari is the fastest browser on the market with its Nitro JavaScript engine. Firefox 3.5 doesn't beat them on the JavaScript front, but it's within shooting range.
On a Lenovo T400 laptop with a Core 2 Duo T9400 processor running at 2.53 GHz, with 3 GB of RAM and Windows 7 RC 7100, I ran the SunSpider JavaScript test and Dromaeo's subset of JavaScript tests on Firefox 3.0.11, Firefox 3.5, Internet Explorer 8, Chrome 2, and Safari 4. As much as I like Opera as an all-in-one browser, I left it out because Opera 9.6 hasn't stood up well to the improvements that the field has made in the past year, and Opera 10 beta isn't ready to be compared to public releases at this point. Remember that for SunSpider the lower number is better, while the opposite is true of Dromaeo.
Firefox users can now rip tabs off into new windows, or drag them back into the old one. Still no sandboxing, though.
(Credit: Screenshot by Seth Rosenblatt/CNET)Firefox 3.0.11 completed SunSpider in 2695.4 milliseconds, and 44.22 runs per second, while Firefox 3.5 notched 1319.6 ms on SunSpider and 91.18 runs/s. This falls in line with Mozilla's published benchmarks of 3669 ms for Firefox 3 versus 1524 ms for Firefox 3.5. In both "official" numbers and in my own tests, Firefox 3.5 comes out around twice as fast for JavaScript.
Meanwhile, Chrome 2 hit 322.1 runs/s on Dromaeo and 712.2 ms on SunSpider. Either way, Chrome is significantly faster than Firefox for JavaScript, one-third faster judging by SunSpider and twice as fast by Dromaeo. Safari 4 scored 915.6 on SunSpider and 239.02 runs/s on Dromaeo, slightly slower than the its Webkit cousin Chrome but still faster than Firefox. Internet Explorer marked 4434.6 ms in SunSpider, but crashed on Dromaeo while testing base 64 encoding and decoding.
Firefox 3.5 is around twice as fast as Firefox 3. Chrome and Safari are faster with JavaScript, though.
(Credit: Screenshot by Seth Rosenblatt/CNET)It's important to note that speed is not the only criterion for judging a decent browser. Each browser only had open two tabs, the results of its Dromaeo test and the results of its Safari test. Safari consumed nearly 135 MB of RAM, IE saw 104 MB, Firefox 3.5 hit 66 MB, and Chrome logged 46.5 MB. These results will fluctuate depending on your computer and any other tasks your browser is running at the time, but they give a decent idea of how each browser is performing during these tests.
Other useful tests look at Web standards rendering, like the Acid3, and deeper analysis of the SunSpider results. Chrome and Safari both reach 100/100 on the Acid3 test, while Firefox makes it to 93/100. Official release notes for Firefox 3.5 can be read here.
Firefox 3.5 is a much-needed improvement to the world's most popular alternative browser. At the time of writing, Mozilla was about to log the 2 millionth download after only 7 1/2 hours. While some of the improvements, such as the HTML5 and other developer enhancements will continue to make the browser their first choice, many of the other changes merely keep it in-line with the competition. For now, Firefox will continue to rely on its vast base of developers and users who value their customizations over superlative claims, so long as Mozilla keeps its browser close enough to its competitors. Now that Firefox has kicked open the door against Internet Explorer, it'd be foolish to expect that they'd be the only ones to rush through it.
Editors' note: Updated June 30, 2009, at 5:55 p.m. with more extensions details.
Updated at 12:42 p.m. with more add-on details and a statement about Google Gears.
Like you, we've been hotly anticipating the launch of Firefox 3.5 for Windows and Mac. Yet every time a browser receives a major update, it ghosts out a good chunk of those favorite, ingenious, and time-saving extensions we've come to rely on. That is, until the lagging publishers update their add-ons to make them compatible once again.
Google is one high-profile example with Gears. "We're working on pushing out a new Gears version that support FF 3.5," Google's Aaron Boodman wrote to Gears users Monday online. "We typically wait until the official 'gold' release of Firefox is pushed, because otherwise, we keep having to do new builds every time a new RC is pushed."
We've compiled what is by no means an exhaustive list of extensions that we find do and do not work in Firefox 3.5 at launch. Add your insights to the comments--we'll be updating this post throughout the day. Mozilla also has a compatibility report that takes the 95 percent most-used add-ons and matches them to their version numbers. A quick glance will tell you if your favorites are a go.
If you want to attempt to force Firefox to accept old add-ons, there are ways, but prepare yourself for consequences: bugs, stability breakdowns, and tampering with advanced settings. Two Firefox 3.5-ready add-ons that often correct incompatibility are Nightly Tester Tools and MR Tech Toolkit. CNET Executive Editor Tom Merritt shows you another way to teach the new 'Fox old tricks. Both methods essentially override the maximum version number rule that keeps Firefox from loading an add-on that's been approved for a previous version build, like 3.0. Nightly Tester Tools, for instance, is cleared for versions 3.0b5 through 3.6a1pre.
Works with Firefox 3.5:
Adblock Plus
All-In-One Sidebar
AVG Safe Search
ColorfulTabs
CoolIris (requires manual redownload or reinstallation)
Customize Google
FireFTP
Flagfox
FlashGot
Forecastfox Enhanced
FoxyTunes
Greasemonkey
Googlepedia
Google Preview
Google Toolbar
IE Tab
iMacros
Java QuickStarter
McAfee Site Advisor
NoScript
Personal Menu
Read It Later
Roboform (PC only--requires manual redownload or reinstallation)
Select-n-Go by Cleeki
Session Manager
Shareaholic
Site Launcher
SmarterFox
SmoothWheel
Ubiquity
XMarks
Doesn't work with Firefox 3.5:
Better Gmail 2
Drag & DropZones
gDocsBar
Google Gears (read above)
Headup
Minimize To Tray Enhancer
Open in Google Chrome
Prism
Searchery
Tab Mix Plus
Tab Minus
Note: Windows links for Firefox add-ons should also work on Macs.
Four betas, three release candidates, and one version number change later, Mozilla finally gave Firefox 3.5 the kick out the door that the general public has been waiting for. If you're not convinced that it's worth upgrading, watch what's new in this First Look video, and download it for your Windows, Mac, or Linux computer.
Die-hard fans probably already know this, but this is the fastest version of Firefox yet. Even though some of its competitors can load JavaScript faster, version 3.5 offers plenty of toys for developers and casual users alike.
Internet Explorer 8 now comes with a Nickleback.
No, Microsoft isn't again offering cash to get people to download the browser. This time it has partnered with Live Nation and the band to offer a custom version of the browser.
(Credit:
Amazon.com)
The software maker is sponsoring Nickleback's 2009 tour as well as Live Nation's Bamboozle music festival. As part of the tie-up, users can download music-themed versions of the browser.
Those who download Internet Explorer 8 from a special Web site gain access to a new live version of Nickelback's hit single "Something in Your Mouth," as well as video of the band on tour. There is also a Bamboozle version of Internet Explorer 8 available at a separate Web site.
Microsoft routinely allows others to create and distribute custom versions of its browsers. Of course, the timing of this is rather interesting considering it comes the same day that Mozilla launched Firefox 3.5, the latest version of its Web browser.
There is also a start-up, Brand Thunder, that creates custom branded versions of Firefox.
Updated June 26 at 3:45 p.m. PDT: Mozilla stated in an e-mail today that it expects Firefox 3.5 to go public on the morning of Tuesday, June 30, almost missing its self-imposed deadline of "the end of June."
Despite hoping that Firefox 3.5 would receive only one release candidate, Mozilla has now published Firefox 3.5 RC 3 for Windows, Mac, and Linux.
Details on what's changed between RC 2 and RC 3 are light, with Mozilla saying only that the changes are based on user feedback. Given the history of Firefox updates, it's likely that these were stability- and security-based improvements.
Readers can also peruse older CNET Firefox 3.5 coverage, or check out the official Firefox 3.5 RC 3 release notes.
Fans of Firefox's beta builds can now download Firefox 3.5 Release Candidate 2 for Windows, Mac, and Linux. The latest build contains bug fixes although, according to Mozilla's Director of Firefox, Mike Beltzner, these were minor stability issues corrected after the release of the first release candidate.
Belzner also addressed some confusion among the 800,000 or so beta users about Firefox's beta-naming conventions. When the beta moves into release candidate mode, he said, it takes on the name of the final version because if no further problems are found the RC build will simply become the public version.
In an interview with CNET earlier this week, Beltzner said that he expects Firefox 3.5 to be released to the public before the end of June. Although that gives Mozilla a week and a half from today, releasing two release candidates in one week could indicate that the final version could come as early as the beginning of next week.
If you've been using the Firefox 3.5 beta, you now get to upgrade to the release candidate for Firefox 3.5. Available for Windows, Mac, and Linux, The noticeable changes to the release candidate from beta 4 and the b99 pre-release version are not readily apparent. Generally, you can expect the release candidate to be more stable than its beta predecessors, although if you're using an add-on such as Nightly Tester Tools or MR Tech to force incompatible add-ons to work in the beta you may be compromising your stability somewhat.
Firefox 3.5 natively supports HTML5 and embedded Ogg video content.
(Credit: Screenshot by Seth Rosenblatt/CNET)The upgrades to Firefox 3.5 have been well-documented by now. Private browsing, geolocation, faster performance than Firefox 3 for both loading pages and running JavaScript, local storage for better offline support, and native video for Ogg/Vorbis. If you're running the release candidate or one of its beta predecessors, you can check out Daily Motion to see how the non-Flash based video playback performs.
More improvements include support for HTML5 tags such as < audio > and < video >, native JSON support, support for Web workers so browser-based apps can run in the background, support for CSS and SVG standards, the ability to erase browsing traces by site or by time, personas for easier theme management, and downloadable fonts. The release candidate is also available in more than 70 language localizations.
Because of the 800,000 or so testers that Mozilla says have been using the beta versions, Firefox director Mike Beltzner said that he expects this to be the sole release candidate before version 3.5 goes public at the end of June.
Annoyingly, Firefox 3.5 RC1 doesn't list itself as a release candidate in the program's About box, but in half a day of testing no problems have arisen.
