Firefox 67 to display breach alerts
Mozilla plans to extend the functionality of Firefox Monitor by displaying breach alerts to users of the browser.
The organization ran a Shield Study back in 2018 to test Firefox Monitor in the desktop version of the browser. The feature was passive at that time; users could check whether an account -- email address -- was found on hacked password lists, and they could sign up to receive alerts when a particular account was discovered on new leaked lists.
Firefox Monitor uses the Have I Been Pwned service, but the feature is implemented in such a way that the full email address is never shared with third parties.
Mozilla started to work on a breach warning system in Firefox in 2017. If things go as planned, Firefox 67 may be the first stable version of the Firefox web browser to warn users when they visit recently hacked websites.
Note: The feature is in development currently. It is possible that the release gets delayed or that functionality changes during development.
Firefox displays the alert on the first connection to a site that was hacked in the past. The notification shows information about the breach and an option to check an account with Firefox Monitor.
Mozilla landed the feature in Firefox Nightly recently. Firefox Nightly, currently at version 67, is the cutting edge development channel of Firefox. New features land in Nightly first before they find their way into Beta and Release channel versions.
It is necessary to enable the feature before it becomes available.
- Load about:config in the Firefox address bar.
- Confirm that you will be careful.
- Search for extensions.fxmonitor.enabled.
- If the preference is not available, click on the Add button after making sure the name is correct and the type is set to Boolean. The new Firefox about:config interface makes it super easy to create new preferences.
- Set the value of the preference to True using the toggle button.
Firefox Monitor supports additional preferences of interest:
- extensions.fxmonitor.firstAlertShown -- This determines whether the first alert notification was shown already. You may set it to False to reset it and get notifications for sites breached in the past 12 months.
- extensions.fxmonitor.warnedHosts -- Keeps track of the list of hosts for which warnings were displayed. Change the value of the String to blank to reset it.
Firefox displays a breach alert when you visit a site that suffered from a breach in the past 12 months. Firefox displays the notification and it is up to you to use Firefox Monitor to check your accounts or dismiss it.
If you select dismiss, you get an option to turn the feature off entirely.
Firefox remembers that it displayed a breach notification and won't show it again unless you visit a site that was hacked in the past two months.
Mozilla does not want to cause notification fatigue by displaying lots of breach warnings to users. Another reason for that decision is that the action that users may take is always the same.
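The alert rules described above (a 12-month window for the first alert, a two-month window afterwards, and one warning per host) can be sketched as follows. This is an added example, not Mozilla's code: it assumes a locally stored breach list, and the record shape, function names and sample hosts are constructed; `warnedHosts` is modelled as an array although the real preference is a String.

```javascript
// Added illustration, not Mozilla's implementation. All data is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const FIRST_ALERT_WINDOW_DAYS = 365; // "past 12 months" in the article
const REPEAT_ALERT_WINDOW_DAYS = 60; // "past two months" in the article

// Constructed breach list; the { host, breachDate } shape is an assumption.
const SAMPLE_BREACHES = [
  { host: "forum.example", breachDate: "2018-09-10" },
  { host: "shop.example", breachDate: "2019-01-20" },
  { host: "old.example", breachDate: "2016-05-01" },
];

// Assumption: hosts compare case-insensitively, ignoring a leading "www.".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
}

// prefs mirrors extensions.fxmonitor.{enabled,firstAlertShown,warnedHosts}.
function shouldWarn(host, prefs, breaches, now) {
  if (!prefs.enabled) return false;
  const h = normalizeHost(host);
  if (prefs.warnedHosts.includes(h)) return false; // already warned once
  const breach = breaches.find((b) => normalizeHost(b.host) === h);
  if (!breach) return false;
  const ageDays = (now - Date.parse(breach.breachDate)) / DAY_MS;
  if (ageDays < 0) return false; // ignore entries dated in the future
  // The wide window applies only until the first alert has been shown.
  const windowDays = prefs.firstAlertShown
    ? REPEAT_ALERT_WINDOW_DAYS
    : FIRST_ALERT_WINDOW_DAYS;
  return ageDays <= windowDays;
}

// Simulate one page visit and return the updated preference state.
function visit(host, prefs, breaches, now) {
  if (!shouldWarn(host, prefs, breaches, now)) return { warned: false, prefs };
  const warnedHosts = [...prefs.warnedHosts, normalizeHost(host)];
  return { warned: true, prefs: { ...prefs, firstAlertShown: true, warnedHosts } };
}
```

Resetting `firstAlertShown` to false and emptying `warnedHosts`, as the preference list describes, puts this model back into the state where the 12-month window applies.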
A click on the Check Firefox Monitor button opens the Firefox Monitor website. It lists information about that particular breach but the checking options are identical: type an email address to check it for hits in breaches.
Now You: Do you find Firefox Monitor useful? (via Techdows, thanks James)
Very handy and sensible tool. I’ve already seen it in action although I’m not using a nightly or developer version. Perhaps I was involved in a study inadvertently.
Kudos Mozilla!
This is EXACTLY the sort of ‘digital concierge’ service Mozilla should be developing.
Experienced users can find other ways to determine their online safety, everyday users would not know where to start and so integrating this into the very same means with which users interact with the web is the most sensible place to have it.
Anonymous said: claiming that no other users will find use in this, means you’ve completely lost touch with reality.
I’d like to interject here, what you see as useful is nothing more than a polished turd, a fake illusion of security embedded in 100% user tracking. Phishing monitor and other bells and whistles come from google or mozilla (that grabs from google and others?), while AV groups provide their own solutions.
I’d stick with an AV group instead of goozilla, that tries hard to cover anything with a too-short rug.
Good addition to Firefox! I won’t personally use it since I subscribe to alerts on https://haveibeenpwned.com/ . But most people don’t subscribe to that and it is a good thing if fewer people out there have accounts in a hacked or easily hackable state and this feature helps mitigate that problem a bit. Not the whole solution of course, but good to have.
Another “popup” to be blocked. :(
Another week, another “feature” to turn off.
I like the sentiment, but presumably this feature would require sharing URLs with Mozilla as I surf the web. That’s not going to happen.
I very much doubt it does. They can just download a list of recent breaches to everyone’s Firefox and then locally check against it.
It’s really not that difficult and they’ve done far more complicated things in anonymized form already, like the personalized article recommendations on the newtab-page.
Also, it would be kind of illegal for them to not do it that way, since they’re legally a non-profit, which means they have a legally-binding mission statement and in Mozilla’s mission statement is privacy written down as a value that they fight for.
The Mozilla Foundation is the non-profit, there’s also the Mozilla Corporation which is not legally non-profit, but they’re a 100% subsidiary of the Foundation, so the Foundation can – and therefore has to – enforce their values there, too.
This bit about Mozilla’s legal status is a moot point. I am not arguing that sharing data with Mozilla necessarily means they will misuse that data. I’m simply saying that I will not give them the option.
If the feature works with a local list, I think it’s great.
Probably just the domain name, they don’t need full urls, but who’s to say what Mozilla’s approach will be. The best approach would be domain lookup through a local offline (and routinely updated) database, while the email address lookup is done through the haveibeenpwned service.
It doesn’t. It downloads a list of compromised sites and checks against that list locally.
The entire comment section here is basically whining of a “useless” helpful feature.
Who do you trust more: Troy Hunt with his HIBP database or companies that acknowledge by email or post that they had a data breach three months later?
SPYWARE!
Have you actually looked into how this works?
It’s not exactly a hard feat to download a list of recent known breaches to everyone’s Firefox and then locally check whether the user browses to one of those pages.
They’ve done far more complex things in completely anonymized form already, like the personalized article recommendations they had on the newtab-page for a while.
I absolutely agree. PLUS ONE!!!
They should extend this functionality even further, and warn the users about abusive data collection as well. Visiting mozilla org should bring all the flags up. Are they going to do this as well?
It’s easier to point out someone else’s mistakes and neglect yours I see…
Aren’t you using Chromium? It’s not any better than Firefox tbh, since it still has (most) Google services integrated in it.
Mozilla is approaching this totally from the wrong side.
Don’t warn users every time when they visit a site, that’s a disastrous design decision.
It would be way better to just include the monitor as a prominent tile in the startpage panel so new users are informed such a service exists when they download Firefox.
Instead, Mozilla wants to patronize again, unnerving grown up users.
The road to hell is paved with good intentions.
I rely on other ways for that, NOT a browser.
Right on.
I feel like Firefox as of lately is doing what Vivaldi is doing – implementing a lot of useless features that nobody (or an extremely low percentage of people, like 0.00000000000000000000000001%) cares about that’s only bloating the browser and does little good whereas there are other areas of the browser that need more attention.
You’re being ignorant here. That you, an advanced user, have the ability to go check your online account security proactively, is not representative of the wider average Joe. That you’re reading ghacks says that alone.
Your percentage estimate is wildly exaggerated. Do you really think people do not want their browser to notify them about security breaches in this increasingly difficult to navigate digital age? You must be ultra confident of your own digital safety! Many people struggle with this and if you need evidence of this, look at how many people use dubious passwords. Is this their fault? In part, yes. In another sense, it’s the fault of the people who design and build the internet. They have yet to solve the need for a universal, secure digital identity … TWENTY FIVE YEARS after the web was born! Hacking is rife and not even massive corporations can stop that.
People want simple lives and the more services go online-only, the less simple it gets but of course marketing spin tells us the opposite: “from the comfort of your own home” type of shite. Sorry! Some people would rather go to the bank and stand at the counter, sign their transactions with a pen! Digital = hackable. Physical much less so!
Try to think about the wider general average joe. The pensioners, the disabled, the everyday person … you are not necessarily representative!
You can say that you personally don’t need this, but claiming that no other users will find use in this, means you’ve completely lost touch with reality.
The broad population doesn’t frequently read IT news or is signed up on HIBP. I imagine less than 1% of users will get to know of any data breaches beside the truly major ones like Cambridge Analytica.
Even already the second major Facebook fuckup in 2018, or the two major fuckups of Google+, did not feel like they became known among my less tech-savvy acquaintances, even though they were probably affected, too.
Couldn’t agree more. They are competing to see who can produce the first web browser that requires 16GB of memory to run smoothly. Users on older computers with ~4GB memory and or slower connections to the Internet suffer the most from this type of software development. But of course everyone is supposed to throw out their old computers that are perfectly good and just buy new ones whenever their favorite programs that used to work just fine and did everything they needed outweigh the current hardware they are using.
The browser should just be a browser, and all of these things should be modular, optional add-ons.
Another icon there?
I think in some situations Firefox could show 5 different icons before url
That’s insane
Screen real estate is a separate issue. Security is much more important than losing 20 pixels of screen real estate. Try to look at the bigger picture.
@Xibula: I agree. Already the number of icons there is enough that they obfuscate whatever it is they’re trying to tell me, as they have become “clutter” that I have learned to ignore.
Haha, the number of icons is slowly starting to bother me too.
Google knows how it is done: Display everything in detail after click on the lock symbol.
At least the info-icon is totally redundant.