Payment Request API | W3C

Payment Request API; W3C; 2017-09-21.

  • Adrian Bateman, Microsoft Corporation
  • Zach Koch, Google
  • Roy McElmurry, Facebook
  • Domenic Denicola, Google
  • Marcos Cáceres, Mozilla

Promotions

WebRTC and STUN for intra-LAN exploration & end-user tracking

WebRTC

  • WebRTC, promotional site
  • Availabilities
    all the browsers that matter

    • Android
    • Chrome (Linux, Android, Windows)
    • Firefox
    • Opera
    • Safari (iOS)

STUN

Related

Standards

  • RFC 7350; Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN); Petit-Huguenin, Salgueiro; IETF; 2014-08.
  • RFC 7064; URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol; Nandakumar, Salgueiro, Jones, Petit-Huguenin; IETF; 2013-11.
  • RFC 5928; Traversal Using Relays around NAT (TURN) Resolution Mechanism; Petit-Huguenin; IETF; 2010-08.
  • RFC 5389; Session Traversal Utilities for NAT (STUN); Rosenberg, Mahy, Matthews, Wing; IETF; 2008-10.
    (obsoletes)

    • RFC 3489; STUN – Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs); Rosenberg, Weinberger, Huitema, Mahy; 2003-03.

In Jimi Wales’ Wiki.

Implementation

Tracking

In archaeological order

Leaking


  • 665909; WebRTC Tracking; In Bugzilla of Mozilla; 2011-06-21 → 2016-01-11; Closed as INVALID.
  • Some droid using the self-asserted identity token cchen; How to Stop WebRTC Local IP Address Leaks on Google Chrome and Mozilla Firefox While Using Private IPs; In Privacy Online Forums; 2015-01 → 2015-03.

Mentions

  • Availability
    of the problem (not of WebRTC in general)

    • Chrome of Google
      • Windows
    • Firefox of Mozilla
      • Unclear, perhaps Windows only
    • Internet Explorer of Microsoft
      WebRTC is not available at all.
    • Opera of Mozilla
      • Unclear
    • Safari of Apple
      WebRTC is not available except through a plugin
    • Unavailable
      • Chrome of Google
        • OS/X
        • Android
      • Linux at all
        not clear; not mentioned at all.
  • Blocking
    • Chrome of Google
    • Firefox of Mozilla
      • Production
        • about:config
        • media.peerconnection.enabled set to true (default true)
      • Development
        same

        • Canary
        • Nightly
        • Bowser
    • Opera of Opera
  • API Directory
    • voice calls
    • video chats
    • p2p file sharing

Configuration

  • Chrome
    default is available and active
  • Firefox
    • about:config
    • media.peerconnection.enabled set to true (default true)
  • Opera
    only when configured, with a plugin, to run Google Chrome extensions

Demonstration

webrtc-ips, a STUN & WebRTC test rig

  • diafygi/webrtc-ips
  • via on-page JavaScript, makes latent requests to certain STUN servers.
  • Firefox 34 → Does. Not. Work.
  • Fails with
    Error: RTCPeerConnection constructor passed invalid RTCConfiguration - missing url webrtc-ips:58
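As an added example (not code from webrtc-ips or from the forum posts above): given the ICE candidate lines a test rig of this kind collects from your own browser, this classifies what each line exposes, a private LAN address (RFC 1918 or link-local), a public address, or an mDNS `.local` placeholder, which newer browsers substitute for the host address so that pages no longer see it. The candidate lines are constructed samples; nothing here contacts a STUN server.

```javascript
// Added example, not part of webrtc-ips: classify ICE candidate lines (RFC 5245
// "candidate:" syntax) so a user can see what a page learns from them.
// The candidate lines below are constructed samples, not captured traffic.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  "candidate:3 1 udp 2122260223 a1b2c3d4-0000-4000-8000-000000000000.local 54322 typ host generation 0",
  "candidate:4 1 tcp 1518280447 10.0.0.5 9 typ host tcptype active generation 0",
];

// RFC 1918 ranges plus loopback and link-local (169.254/16).
function isPrivateIPv4(addr) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || a === 127 || (a === 169 && b === 254);
}

// Parse one candidate line into its address, port, type and, for server-reflexive
// candidates, the related (local) address carried in "raddr". Returns null on junk.
function parseCandidate(line) {
  const fields = line.replace(/^(a=)?candidate:/, "").trim().split(/\s+/);
  if (fields.length < 8 || fields[6] !== "typ") return null;
  const cand = {
    protocol: fields[2].toLowerCase(),
    address: fields[4],
    port: Number(fields[5]),
    type: fields[7],
  };
  const i = fields.indexOf("raddr");
  if (i !== -1 && i + 1 < fields.length) cand.relatedAddress = fields[i + 1];
  return cand;
}

// What a page can read off one candidate: both the candidate address and the
// raddr of an srflx candidate may reveal the LAN address.
function classify(cand) {
  const exposures = [];
  const check = (addr, via) => {
    if (addr.endsWith(".local")) exposures.push({ via, kind: "mdns-hidden", addr });
    else if (isPrivateIPv4(addr)) exposures.push({ via, kind: "private-lan", addr });
    else exposures.push({ via, kind: "public", addr });
  };
  check(cand.address, "address");
  if (cand.relatedAddress) check(cand.relatedAddress, "raddr");
  return exposures;
}

// Summarise a whole candidate set: which LAN and public addresses were exposed
// and how many host candidates were hidden behind mDNS names.
function auditCandidates(lines) {
  const report = { privateLan: new Set(), publicAddrs: new Set(), mdnsHidden: 0 };
  for (const line of lines) {
    const cand = parseCandidate(line);
    if (!cand) continue;
    for (const e of classify(cand)) {
      if (e.kind === "private-lan") report.privateLan.add(e.addr);
      else if (e.kind === "public") report.publicAddrs.add(e.addr);
      else report.mdnsHidden += 1;
    }
  }
  return report;
}
```

A browser with the mDNS mitigation in place produces only `.local` host candidates, so `privateLan` stays empty while the srflx candidate still reveals the public address.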

Argot

  • Private Internet Access (PIA)
  • Real-Time-Communication (RTC)
  • Virtual Private Network (VPN)
  • WebRTC

Previously

In Privacy Online Forums:

Referenced

  • 2013
  • Since WebRTC uses javascript requests to get your IP address, users of NoScript or similar services will not leak their IP addresses.

Via: backfill.


Firefox

  • about:config
  • media.peerconnection.enabled set to true (default true)

HOWTO Disable HTML5 Video Autoplay in Firefox

about:config
media.autoplay.enabled = false [default true]

Does not work until Firefox 41:

  • 1242713; media.autoplay.enabled=false does not prevent videos on youtube to autostart; In Bugzilla of Mozilla; 2016-01-25 → current; still open.
    tl;dr → describes Firefox 42, on Linux.
  • 659285; Extend media.autoplay.enabled to provide a way to disable untrusted play() invocations; In Bugzilla of Mozilla; 2011-04-24 → 2016-01-25; resolved as fixed.

Brave (browser)

Brave (browser)

Mentions

  • Available
    • no
    • circa v0.7
    • assemble the sources yourself
    • closed beta program.
  • Cultures
    • Linux
    • Mac (OS/X)
    • Windows (sic)
    • Android
    • iPhone (iOS)
  • Basis
    • Chromium → Linux, Mac, Windows
    • iOS → Firefox for iOS
    • Android → Bubble (linkbubble)
  • linkbubble
  • Funding
    • $2.5 million
    • Unnamed individuals
      “angel” investment.
  • Features
    • Known
      • HTTPS Everywhere add-on
    • Expected, not declared as existing
      • a UI
      • cross-platform sync
      • incognito mode
      • password manager

Source

Promotions

  • Mozilla co-founder unveils Brave, a Web browser that blocks ads by default; In Ars Technica; 2016-01-21.
    Teaser: … but Brave then replaces blocked ads with its own ads, taking a 15% cut of revenues.
    Mentions

    • <quote>In practice, Brave just sounds like a cash-grab. Brave isn’t just a glorified adblocker: after removing ads from a Web page, Brave then inserts its own programmatic ads</quote>
  • Brendan Eich Launches Brave New Browser; Ian Elliot; In I Programmer; 2016-01-20.
    Teaser: Brendan Eich, the man who invented JavaScript and the co-founder of Mozilla, has just launched a new browser called Brave. Is this a Firefox fork?

Via: backfill.

On the path to the deprecation, abandonment & refusal to honor SHA-1 signatures

Policy

  • Chrome will completely stop supporting SHA-1 certificates, soon
    • on or before 2017-01-01 (after 2016-12-31).
    • but maybe 2016-07-01 (after 2016-06-30).
  • Chrome will exhibit a warning if
    AND

    • a site presents a certificate
    • the site’s certificate
      OR

      • is signed with a SHA-1-based signature
      • is issued on or after 2016-01-01 (after 2015-12-31)
      • chains to a public CA.
  • Chrome 48
    due “early in 2016”.

Who

  • Lucas Garron, Chrome security team, Google.
  • David Benjamin, Chrome’s networking group, Google.

Statements

Apologia

  • Ryan Sleevi; A History of Hard Choices; On His Blog, at Medium; 2015-12-28; separately noted.
    Ryan Sleevi, cross-platform crypto & PKI core, Chromium, Google.

Promotions

Unsanctioned Web Tracking | W3C

Unsanctioned Web Tracking; Finding; Technical Architecture Group (TAG), W3C.

This Version:
unsanctioned-tracking-20150717
Latest Version:
unsanctioned-tracking
Latest editor’s draft:
work site
Editor:
Mark Nottingham

Findings

Section 5

<quote>

  • Finds that unsanctioned tracking is actively harmful to the Web, because it is not under the control of users and not transparent.
  • Believes that, because combatting fingerprinting is difficult, new Web specifications should take reasonable measures to avoid adding unneeded fingerprinting surface area. However, added surface area should not be a primary factor in determining whether to add a new feature.
  • Asserts that when a new feature does add fingerprinting surface area, it should be documented as such.
  • Finds that new local storage features and other potential tracking mechanisms should maintain and interoperate with existing user controls.
  • Encourages browser vendors to expose appropriate controls to users who wish to minimize their fingerprinting surface area.
  • Acknowledges that despite best efforts, technical solutions to unsanctioned tracking are not able to completely prevent its use by a determined adversary. Instead, our focus should be on making sure that unsanctioned tracking does not become “normal” on the Web.
  • Encourages policy makers to be aware that unsanctioned tracking may introduce privacy, security and consumer protection concerns within their jurisdiction, and to consider appropriate action.

</quote>

Definitions

Light on the definition of the effect (what is ‘unsanctioned tracking’?). This seems to be enumerated in Sections 1 & 2 as:

  • unsanctioned web tracking → is the inverse of standards-defined tracking.
  • standards-defined web tracking→ interpreted as
    • Technologies
      • HTML4 State (Cookies)
      • HTML5 Web Storage
    • Acceptable pattern of use
      • Pixels (GET of zero-sized, no-op, documents [images])
      • Consumer-visibility affordance
      • Consumer-visible opt-out signalling.
    • Acceptable product features & business models
      • shopping carts
      • persistent site preferences
      • behavioral advertising
      • [unclear whether the list is closed or open]

Not Mentioned

  • Advertising Identifiers, e.g. IDFA, GPSAID
  • Geofencing, geo-behavioral identification.

References

Appendix A

[RFC6265]
A. Barth. HTTP State Management Mechanism. 2011-04. Proposed Standard. URL:
[confinement]
Butler W. Lampson. A Note on the Confinement Problem. In Communications of the ACM; Volume 16, Number 10; 1973-10; 5 pages.
[spy-sandbox]
Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis. The Spy in the Sandbox – Practical Cache Attacks in JavaScript; previously filled.
[udhr]
Universal Declaration of Human Rights.
[webstorage]
Ian Hickson. Web Storage (Second Edition). 2015-06-09. W3C Candidate Recommendation.

Inline

Linked within the document; in order of appearance

Related

Rebuttal

This is a straw man, a red herring, a toy argument. The elements cited are substantially fringe techniques in any case, but that notwithstanding: there is no such category as unsanctioned tracking. All in-industry tracking & targeting is done under consumer consent, with agreements voluntarily entered into with full presentment of Notice & the availability of the affordance of Choice, subject to the stated Terms & Conditions of the owner of the (entertainment) service which is being delivered unto the consumer for their enjoyment. There is no other kind of trak-N-targ except under consumer consent; it simply doesn’t exist, it can’t exist by definition. Acceptance of the T&C contract is by adhesion and the consumer’s remedy upon inability to accept the T&C is to leave the area [leave the internet]. For fun, here is a publisher who makes this framework very clear: <quote>If you don’t agree to the terms contained in this User Agreement and Privacy Policy, you must immediately exit the Service.</quote>

California Privacy Policy; At Condé Nast, in force at Ars Technica; 2014-01-02 → 2015-07-17 (present).


Via: backfill

Tracking Protection in Firefox for Privacy and Performance | Kontaxis, Chew

Georgios Kontaxis (Columbia), Monica Chew (Mozilla); Tracking Protection in Firefox for Privacy and Performance; In Proceedings of the Web 2.0 Security and Privacy (W2SP); 2015-05-23; 4 pages; copy, slides (18 slides).

Abstract

We present Tracking Protection in the Mozilla Firefox web browser. Tracking Protection is a new privacy technology to mitigate invasive tracking of users’ online activity by blocking requests to tracking domains. We evaluate our approach and demonstrate a 67.5% reduction in the number of HTTP cookies set during a crawl of the Alexa top 200 news sites. Since Firefox does not download and render content from tracking domains, Tracking Protection also enjoys performance benefits of a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news sites.

Mentions

  • Mozilla Firefox
  • Configuration
    • about:config
    • privacy.trackingprotection.enabled=true
  • Release
    • Firefox Nightly
    • Firefox 35
    • Not committed for any production release?
  • Development
    • 1029886; tracking bug for tracking protection
  • Architecture
    • curated blocklist
    • Disconnect’s list (not EasyList)
    • (Google) SafeBrowsing API
  • Features
    • Cookie Blocking
    • Beacon Blocking
  • Justification
    • Performance (page latency reduction).
    • Sotto voce, surveillance blocking.
    • Sotto voce, ad blocking.
  • Threat Model
    • <quote cite="ref" page="2">Our adversary is a powerful billion-dollar online advertising and social networking industry</quote>
  • trackingprotectionfirefox, at some GitHub.
  • Performance claims
    • some telemetry
    • some simulation

Similar

Somehow solving similar problems.

Actualities

Promotions

Archaeological order…

Footnoted

References

Opinion

Wandering, moot, through the naïveté of the chain of reasoning here; flow with it.

Claim

Authors = <quote cite="ref" page="4">

Finally, browser makers bear tremendous responsibility in mediating conflicts between privacy interests of users and the advertising and publishing industries. Tracking Protection for Firefox is off by default and hidden in advanced settings. We call upon Mozilla, Microsoft, and other browser makers to make tracking protection universally available and easy to use. Only then will the balance of power shift towards interests of the people instead of industry.

</quote>

Rebuttal

Greybeard = <moot>

Browser makers can’t have it both ways here. They can’t be “common carriers” who make net-neutral and network-neutral consumer premises equipment (CPE) as pure-play suppliers to the media trade and also be the arbiters of the rights, rules and procedures of that industry without also entering that industry as a primary; i.e. as a publisher which owns a venue and manages an audience, which, as busking, is a fine and honorable vocation with a long and storied tradition dating back to the earliest ages. Indeed: Firefox Sponsored Tiles.

Hiding such intervention capability in the “advanced settings” doesn’t ameliorate the conceptual error here. The terms of the trade have always and ever been between the publisher and the advertiser. The consumer (which is you, dear reader), as a catalyst of the relationship, is party to this activity only insofar as the terms of the publisher-advertiser business arrangement specify that the publisher is able to deliver some quantifiable action, generally quantifiable attention, of the consumer (which, to remind, is you, dear reader) to the advertiser under the terms of their bilateral deal (common commercial terms being: CPM, CPC, CPA, etc.). The consumer’s consent is entailed by virtue of having received media from the publisher in the first instance.

As for your part of this, you are a consumer, and only that. As the appellation implies, you don’t own the creative product that you’re enjoying; you never did, you never will. Your rights are limited to personal experience under the stated terms. Otherwise, by convention, broader allowances would have had to be granted to you in an expression, an explicit writ. Your activities with regard to blocking publishers trading with advertisers in order to petition them to change their business practices as you experience them is a project that is, at best, fraught with contradictions and complications. To want to change the legal framework of creative product ownership & delivery is a tall order and would necessarily have implications in other areas of the media business. The law is pretty clear on the countervailing point. Namely, that the publisher owns the media, as they created it. They are purveying it under terms set forth. The media is licensed to you, and performed for you, even when on equipment that you own, for the sole purpose of your private enjoyment as an individual. During your experience of the work, you do not receive any other rights, such as the right of derivation, summarization, retransmission, republication, public performance, etc. These conditions adhere to you by your presence in the experience as a consumer unit. You are necessarily subject to the Terms & Conditions set forth at the time the media was administered to you. Indeed the whole foundation of Creative Commons and Open Source licensing is centered upon this point.

</moot>

Counter-Rebuttal

Activist = <moot2>

Yet “we” build, “we” own & “we” operate the CPE. These HTML5-JS-CSS3 browser media-players are “ours.”  We are the web!  Unlike print, OTA TV or radio media where the players are locked down. We build CPE; we block as we like. This cannot be stopped.

</moot2>

Counter2-Rebuttal

Publisher = We parry and invoke EME, CDM, DRM & block you with DMCA. Like we do with video. QED.

Via: backfill.

Spamness for Thunderbird (requires a folder rebuild)

Spamness for Thunderbird: (sometimes) Does. Not. Work. But if it did, it would be great!

Seems to work on some folders, but not on others, even with the folder rebuild. But, specifically, it isn’t working with the inbox, where it is needed the most (because after the inbox you have, by definition, refiled the mail, so you pretty much know whether it’s spam or not).

thunderbird-24.5.0-1.fc19.x86_64

Recall that Thunderbird is consciously uncoupling from Mozilla (long live Thunderbird!).
cf. Thunderbird Reorganizes at the 2014 Toronto Summit; In Their Blog; 2014-11-25.


Pure URL for Firefox removes garbage like ‘utm_source’ from URLs

Pure URL for Firefox

Data

More than the default settings; cut & paste this into the add-on’s config settings in about:addons:

utm_cid, smprod, smid,it_source,wpmp_tp, utm_hp_ref,mod,tag,mbid, mtid,ncid,utm_cid,utm_source, utm_medium, utm_term, utm_content, utm_campaign, utm_reader, utm_place, ga_source, ga_medium, ga_term, ga_content, ga_campaign, ga_place, yclid, _openstat, feature@youtube.com, fb_action_ids, fb_action_types, fb_ref, fb_source, action_object_map, action_type_map, action_ref_map, ref@facebook.com, fref@facebook.com, hc_location@facebook.com, ref_@imdb.com, src@addons.mozilla.org
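As an added example (not Pure URL’s own code), the following applies a rule list in the same `name` / `name@domain` format to a URL and reports which parameters it dropped. Domain-scoped entries are taken to match the named host and its subdomains; that matching rule is an assumption made here, not taken from the add-on. The sample URLs are constructed.

```javascript
// Added example, not Pure URL's own code: strip tracking parameters using a rule
// list in the add-on's "name" / "name@domain" format. Sample URLs are constructed.
const RULE_TEXT =
  "utm_cid, smprod, smid,it_source,wpmp_tp, utm_hp_ref,mod,tag,mbid, mtid,ncid," +
  "utm_cid,utm_source, utm_medium, utm_term, utm_content, utm_campaign, utm_reader," +
  " utm_place, ga_source, ga_medium, ga_term, ga_content, ga_campaign, ga_place," +
  " yclid, _openstat, feature@youtube.com, fb_action_ids, fb_action_types, fb_ref," +
  " fb_source, action_object_map, action_type_map, action_ref_map, ref@facebook.com," +
  " fref@facebook.com, hc_location@facebook.com, ref_@imdb.com, src@addons.mozilla.org";

// Parse the comma-separated list into global names and per-domain names.
function parseRules(text) {
  const global = new Set();
  const scoped = new Map(); // domain -> Set of parameter names
  for (const raw of text.split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    const at = entry.indexOf("@");
    if (at === -1) {
      global.add(entry);
      continue;
    }
    const name = entry.slice(0, at);
    const domain = entry.slice(at + 1).toLowerCase();
    if (!scoped.has(domain)) scoped.set(domain, new Set());
    scoped.get(domain).add(name);
  }
  return { global, scoped };
}

// Assumption: a scoped rule matches the domain itself and any subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Remove matching query parameters; returns the cleaned URL and the names removed.
function cleanUrl(urlString, rules) {
  const url = new URL(urlString);
  const host = url.hostname.toLowerCase();
  const removed = [];
  // Snapshot the keys first, since deleting while iterating would skip entries.
  for (const name of new Set(url.searchParams.keys())) {
    let drop = rules.global.has(name);
    for (const [domain, names] of rules.scoped) {
      if (names.has(name) && hostMatches(host, domain)) drop = true;
    }
    if (drop) {
      url.searchParams.delete(name);
      removed.push(name);
    }
  }
  return { url: url.toString(), removed };
}
```

Note that a bare entry such as `tag` or `mod` is stripped on every site, so check a list like this against the sites you actually use before pasting it in.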

InContext 2014

InContext 2014 by EverythingMe.

On the notion of context and anticipation of needs in & around a device class that has no keyboard and lives with you.

Keynote

video; 48:47; slides

Benedict Evans, Andreessen Horowitz
Q&A with Benedict Evans facilitated by Tim Draper (he plays John Battelle in this vignette)

  • Recites the boring statistics,
    • up-and-to-the-right,
    • explosive growth,
    • gosh it’s really big,
    • <gee whizz!>
  • He compares
    • Yahoo 1996 to App Store 2014; replaced by Google (unstructured search)
    • Web vs Internet; the web is all “the internet does”
    • Mobile is “pre-PageRank”
  • What happens in 5 years
    • He doesn’t know
    • Android (in 5 years)
    • Coding languages (in 5 years)
    • iBeacon
    • Access vs owning
  • Strategies
    • Apple: top down the stack (from control of the supply chain)
    • Google: up the stack (from hardware fragmentation)
  • Strategies
    • I know what I want => Google
    • I’m bored => Facebook, BuzzFeed, etc. etc.
    • Demand Generation => empty
  • Smart(phones)
    • Are inherently social
    • Take away “winner take all”
  • Cards as content packages
    • Can be shared
    • Can be syndicated
    • Contradiction:
      • Atomised Content
      • App Silos
  • What’s Already Known
    • Contacts
    • Calendar
    • Apps frequently used
    • Travel patterns
    • etc.
  • Context
    • Google Now
    • or other similar things
  • But
    • The Filter Bubble
    • The Uncanny Valley
  • Something about ‘Ecosystem Cohorts’
  • Neither Apple nor Google “will win”; there is no “winner take all” dynamic.

Q&A

  • Some generalized whining
    • that intent and preference prediction won’t work;
      story about Pandora from Tim Draper.
    • that Google Now is ‘closed’ to (his) startups.
  • Unclear that a human butler (ahem, “life coach”) could achieve these standards.
  • Something about the music industry
    • It’s a distribution business
    • A quote from Mick Jagger about musicians not being paid 1970s-1995, not before, not after.
  • Draper on tablet vs PC
    • Tablet is for reading (&deleting)
    • PC is for creating

Bytes of Context

video; 25:42

  • Andreas Gal, Mozilla
  • Andy Grignon, Quake Labs/Eightly, moderator
  • Andy Hickl, A.R.O
  • G D Ramkumar, Swell
  • Dave Smiddy, Alohar

Global Context

video; 28:27

  • Josh Constine, TechCrunch, moderator
  • Brendan Eich from Mozilla,
  • Seth Sternberg from Google,
  • Ami Ben David from EverythingMe.

Mozilla Product Announcement

video; 29:52

  • Ami Ben David, Co-founder and Head of Strategy and Marketing at EverythingMe,
  • Andreas Gal, VP Mobile at Mozilla.

Firefox Launcher for Android by Mozilla

Wearables in Context

video; 33:08

  • Peter Berger, People+
  • Christina Farr, VentureBeat
  • Monisha Perkash, LUMO
  • Robert Scoble, Rackspace, moderator
  • Redg Snodgrass, Wearable World

Via: backfill

Click-to-Play in Mozilla’s Firefox

Promotions

Via: backfill, backfill

Lightbeam for Firefox

Lightbeam

Concept

  • Visualizations
    1. Graph
    2. Clock
    3. List
  • Sharing
    • Data stored locally

Background

Previously

Promotions

Via: backfill

Actualities

Mozilla Firefox Social API in Firefox Facebook Messenger (and others)

Instructions

Turn Off Facebook Service; Disable Facebook Service

Overview

Mentions

Concepts

  • Control Messages
  • Service Works
  • Ambient Notification Control
  • Active Notification Control
  • Page Marks (Recommendations)
  • Link Recommendation Control
  • Messages Sent to Widgets
  • from Firefox 23
    • Share (button)
    • Service Discovery

Announcements

By Mozilla …

Promotions

Ahem … surely there’s more of a following for Mozilla’s product offerings than one beat reporter over at AOL (TechCrunch).  But that’s not what the search engines are telling me…

Actualities

Mozilla Prospector is User Personalization Built Into the Browser

Prospector by Mozilla Labs

Firefox

What is It?

  • Seems to be a concept, a vision.
  • A set of collaborations with publishing businesses.
  • A solicitation of feedback, a call for a vote of confidence in the vision.

Not yet

  • Running code
  • Released feature set
  • An experience
  • Not yet at the wireframe/screen shot stage.

Concept

  • Content preferences managed in the browser
  • Content targeting preferences communicated to web servers (e.g. advertisers)
  • Service destinations, e.g. Firefox Marketplace, could recommend based on declared interests.

Claimed

  • <quote><snip/>we’ve begun testing this concept with volunteer participants<snip/>sharing their interests on their own terms in order to see personalized content, and the results are promising.</quote>
  • <quote>We think this type of offering could bring transparent, effective personalization to users all across the Web in ways we haven’t even thought of yet. What do you think <snip/>? </quote>

Mentions

Promotions

Previously

Via backfill, backfill, backfill and noted.