Mozilla has released Firefox 52.0, its first version that all but kills support for insecure plugins such as Java, Silverlight, and Flash.
Besides drastically narrowing plugin support, the new version of Firefox is the first release that includes two major security improvements that Mozilla has announced over the past year.
Among these are warnings that Firefox displays in the address bar when users connect to a site over the unencrypted HTTP protocol, and how it handles certificates signed with the insecure SHA-1 hashing algorithm.
But the most notable change is reduced leeway for web applications that rely on NPAPI or the Netscape Plugin API, such as Adobe’s Flash and Acrobat, Microsoft’s Silverlight, Oracle’s Java plugins. Historically, flaws in these plugins and difficulties patching them have made an easy entry point for hackers.
Mozilla’s 64-bit Firefox for Windows dropped support for NPAPI plugins in 2015, in line with Google dropping NPAPI support in Chrome, but until now the 32-bit version of Firefox has supported apps that hooked into the browser via NPAPI.
Mozilla warned website operators in late 2015 that it would drop NPAPI support for all plugins except Flash by the end of 2016, when it would replace plugins with Web APIs. It later pushed that back by three months to Firefox 52, but has now made good on the promise, meaning that Java applets can no longer launch from the browser.
Firefox ESR continues to support Silverlight and Java and will do so until early 2018 to help users who need the plugins.
Oracle for its part has warned developers over the past two years to move to plugin-free technologies and last January announced it would deprecate the Java plugin in Java Developer Kit (JDK) 9, which is due out belatedly this year. Oracle’s latest advice for Java developers affected by Mozilla’s narrowed support is here.
On the Flash side, Firefox began blocking non-essential Flash content last year to improve security, as well as browser and device performance.
With Firefox 52, Mozilla has also implemented its plan to raise warning signals when users visit some HTTP pages. Google did this for pages with logins and banking sites in Chrome 56. Mozilla announced it would do the same in January, starting with Firefox 51, which displayed a grey lock icon with a red strike-through in the address bar if a page collects passwords but doesn’t use HTTPS.
The message in Firefox 52 is now explicitly states that the connection is dangerous. “Firefox now displays a “This connection is not secure” message when users click into the username and password fields on pages that don’t use HTTPS,” said Mozilla.
Finally, in light of last month’s proof by Google and Dutch researchers that SHA-1 is vulnerable to a collision attack, Mozilla has updated Firefox to account for this.
Firefox 52 will now “display (but allow users to override) an “Untrusted Connection” error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla’s CA Certificate Program."