Firefox will soon block ad-tracking software by default

Mozilla is taking a bold stance against more insidious web advertising practices with an announcement today that its Firefox browser will soon block web trackers by default. The move, which will involve a series of updates over the course of the next few months, is among the most proactive approaches to protecting consumer privacy that it’s ever employed.

“Anyone who isn’t an expert on the internet would be hard-pressed to explain how tracking on the internet actually works,” reads the announcement posted to Mozilla’s blog. “Some of the negative effects of unchecked tracking are easy to notice, namely eerily-specific targeted advertising and a loss of performance on the web. However, many of the harms of unchecked data collection are completely opaque to users and experts alike, only to be revealed piecemeal by major data breaches.”

Mozilla says that web trackers will be disabled by default in the future, and Firefox users will have a series of controls to choose which information to share with which websites. In addition to protecting consumer privacy, Mozilla describes the decision as a way to also improve performance, as many web trackers inflate page load times. The organization cites a Ghostery study from May of this year that found that more than 50 percent of all time spent loading webpages was dedicated to loading third-party trackers designed to follow users around the web, collect data, and hand that data over to advertisers.

Mozilla’s approach will be three-fold. It’s going to study the effects of blocking trackers that slow page times starting next month, and it will turn that feature on by default in Firefox 63 if it proves successful in improving performance. It will also “strip cookies and block storage access from third-party tracking content,” a move it will also test in September with beta users before implementing in Firefox 65, which is due out sometime in the next few months. Both of those features are available today for users of Firefox Nightly, which is the browser’s public pre-release channel for new features.

The third approach Mozilla is taking is to block by default newer and harder-to-detect practices like fingerprinting, which detects the type of device a user is using without their knowledge or consent, and cryptomining scripts that make use of excess computing power on a device to secretly generate digital currency.

This isn’t the first time Mozilla has pushed back against the web advertising industry. The organization blocked pop-up ads in the very first public Firefox release in 2004. Over the years, Mozilla has implemented features designed to promote consumer privacy and cut down on practices it sees as harmful to the open web, most notably the wholesale blocking of ads and trackers in private browsing mode starting in 2015.

Earlier this year, Mozilla released a tool to stop Facebook from tracking your online behavior in the wake of the Cambridge Analytica data privacy scandal. That same month, it also gave users control of annoying web pop-up notifications.

“Some sites will continue to want user data in exchange for content, but now they will have to ask for it, a positive change for people who up until now had no idea of the value exchange they were asked to make,” reads Mozilla’s most recent announcement. “Blocking pop-up ads in the original Firefox release was the right move in 2004, because it didn’t just make Firefox users happier, it gave the advertising platforms of the time a reason to care about their users’ experience. In 2018, we hope that our efforts to empower our users will have the same effect.”

Reddit says hackers stole user data from 2007 and earlier in security breach

Reddit informed its users today that a hacker broke into some of its systems and accessed user data, including current email addresses and a 2007 database that contained usernames and passwords that were already salted and hashed (or scrambled for protection).

Reddit is sending an email to all affected users, mostly people who joined Reddit in 2007 or earlier. The hacker was also able to read the email digests Reddit sent out in June 2018, so they could see users’ email addresses and relevant, safe-for-work subreddits they followed. Reddit is recommending that users who may still be using passwords similar to the ones they had in 2007 change their password on Reddit and other sites.

The company is also encouraging users to enable token-based two-factor authentication through a service like Authy or Google’s Authenticator, as the hacker gained access to Reddit’s systems through an SMS intercept attack. “We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit wrote in its post to users.

Between June 14th and June 18th, the hacker compromised several Reddit employees’ accounts through the company’s cloud provider and source code hosts. Reddit had required two-factor authentication on its accounts, but the hacker intercepted the SMS verification and was able to gain access. The bad actor was able to see backup data, source code, and other employee logs in Reddit systems, but was not able to change any of it.

By June 19th, Reddit discovered the attack and began investigating the extent of the damage, while ramping up security measures. Reddit contacted law enforcement and is cooperating with their investigation.

The hacker was able to see private and public messages posted from 2005, when Reddit was created, to 2007. A user commenting on the security post also noted that there’s the possibility the hacker can piece together a Redditor’s actual username from looking at their email address, and to be safe, users should delete any incriminating posts accessible from their profile.