Firefox 52 also supports Strict Secure Cookies, a policy that forbids HTTP websites from setting cookies with the “secure” attribute. Google and Mozilla have promised for many months a new “This connection is not secure” warning that will appear in login boxes on pages that use HTTP, rather than HTTPS.

Both Google and Mozilla will progressively ramp up their warnings until all HTTP web pages are greeted by big red notifications that they are not secure. However, for now, the two companies are only warning about pages that require passwords or credit card information.

An “Untrusted Connection” error will also appear when Firefox 52 users visit a website whose certificate is chained to a root certificate that still uses the SHA-1 algorithm (such as those imported by the user). All the major browser vendors have had plans to deprecate SHA-1 for a couple of years now. With Google researchers proving that a collision attack on SHA-1 is now practical, there are even more reasons to avoid connections based on SHA-1 algorithms. However, for now, Mozilla will still allow users to bypass this warning.

The multi-process architecture has also been enabled for Windows users that use touchscreen devices. The browser also got an “enhanced sync” feature to enable users to send and open tabs from one device to another.

Dropping NPAPI, Battery Status API Support

Support for the Netscape Plugin API (NPAPI) has been removed for virtually all plugins with the exception of Flash. Mozilla also removed support for the Battery Status API, which could have been used by some services to fingerprint users, thus significantly reducing privacy on the web.

Firefox ESR And The Tor Browser

Along with the regular release of Firefox 52, Mozilla also announced a new Firefox ESR, which has caught up with the features of the latest mainstream version of Firefox. The ESR version is a release of Firefox that only receives security patches for almost a year (seven Firefox releases, to be exact). That means it falls behind in supporting new features as they appear in the regular versions of Firefox.

This is usually a good thing for enterprise users, but also for certain organizations such as the Tor Project, which build the Tor Browser on top of Firefox ESR. New features tend to introduce new bugs and it also takes time to validate them and to make sure they don’t break anything. Therefore, something like Firefox ESR is more appealing to the Tor Project.

However, sometimes staying almost a year behind is not that good, especially when the main browser introduces significant security improvements. One of the major security improvements we’ve seen last year in Firefox is the switch to a better sandboxing architecture, which separates the UI and the content in a different process. That should make it harder for JavaScript exploits that may live inside a web page to make modifications to the browser itself.

As Firefox has kept seeing more and more exploits against it due to the fact that it doesn’t have as good of a sandboxing architecture as Chrome does, the Tor Project has started to build its own sandboxing.