Mozilla has bid farewell to RC4 encryption in the latest iteration of the Firefox browser. The release also uses a SHA-256 signing certificate for Windows builds, and enables push notifications from websites.
Push notifications mean users can get an alert for updates to a site that isn't currently loaded in a tab. As the developers explain, they realise that this feature could be abused if it's not done right, so:
- The Web Push identifier Firefox provides to each site is randomised, "to prevent cross-site correlations."
- Payloads are encrypted to prevent eavesdropping on the push notifications.
- Connections to a push service require explicit permission from the user.
The release also continues the long process of getting rid of 1024-bit certificates, with the Equifax Secure Certificate Authority 1024-bit root removed (again, since it was pulled last year but temporarily re-enabled after complaints of “considerable breakage”).
Developers get a bunch of goodies, including a WebSocket debugging API, animation tools including the ability to view and edit CSS animation keyframe rules in the browser, a variety of visual layout and style tools (demonstrated here), and memory heap inspection tools.
The desktop build can now support H.264 video, with WebM and VP9 fallback. The full desktop changelog is here.
The Android build gets cloud printing, user prompts if they try to open an in-page app in private browsing mode, and support for launching URIs that use the MMS (Microsoft media server) protocol. ®