15 Apr 2026

Planet Mozilla

Mozilla Open Policy & Advocacy Blog: Mozilla Urges the FTC to Tackle Harmful Design Practices

In response to concerns from both consumers and the industry, the US Federal Trade Commission (FTC) invited public comment on whether it should amend the current Rule Concerning the Use of Prenotification Negative Option Plans to address deceptive or unfair negative option practices.

Negative option marketing is a practice in which a seller treats a consumer's silence or failure to take action as consent to be charged for goods or services. This technique is often used in subscription services, where users may be guided toward accepting recurring charges through default selections or obscure disclosures. These design practices, also known as "dark patterns," successfully manipulate and influence user behavior on a systematic level and are often employed in all aspects of digital markets, not just with subscriptions.

As a browser developer, Mozilla is well-acquainted with the negative impacts of manipulative design. The web browser market provides a documented case study illustrating how operating systems deploy deceptive design practices to weaponize friction and status-quo bias to influence consumer behavior. As such, Mozilla was eager to provide feedback and encourage the Commission to examine the breadth of deceptive design practices that undermine choice.

Dark patterns are a byproduct of power asymmetry between companies and consumers. If we don't protect meaningful choice and effective competition now, we risk giving even more control to the biggest players - and losing what makes the web open and innovative in the first place.

The FTC has a critical opportunity, both in this rulemaking and more broadly, to modernize consumer protection for the realities of digital markets. We encourage the FTC to:

We welcome the opportunity to share our relevant experiences in the browser space and look forward to continuing the conversation.

Read our full comments to the FTC for more details on our recommendations.


15 Apr 2026 4:29pm GMT

Firefox Tooling Announcements: MozPhab 2.13.0 Released

Bugs resolved in Moz-Phab 2.13.0:

Discuss these changes in #engineering-workflow on Slack or #Conduit Matrix.


15 Apr 2026 3:30pm GMT

14 Apr 2026


Firefox Application Security Team: Firefox Security & Privacy Newsletter 2026 Q1

Welcome to the Q1 2026 edition of the Firefox Security & Privacy Newsletter.

Security and privacy are foundational to Mozilla's manifesto and central to how we build Firefox. In this edition, we highlight key security and privacy work from Q1 2026, organized into the following areas:

Preface

Note: Some of the bugs linked below might not be accessible to the general public and may be restricted to specific work groups. We de-restrict fixed security bugs after a grace period that lasts until the majority of our user population has received Firefox updates. If a link does not work for you, please accept this as a precaution for the safety of all Firefox users.

Firefox Product Security & Privacy

Collaboration with Anthropic: A few weeks ago, Anthropic's Frontier Red Team shared the results of a new AI-assisted vulnerability detection approach. Using this method, we have identified more than a dozen confirmed security issues, each supported by reproducible test cases. Learn more in our blog: Hardening Firefox with Anthropic's Red Team. Leveraging our Firefox Security expertise, we ended up finding dozens of additional vulnerabilities that were fixed in the following Firefox updates.

YouTube coverage of Firefox at Pwn2Own 2025: To demonstrate Firefox's focus on user security and Mozilla's commitment to openness, we invited LiveOverflow to follow us during the prestigious hacking competition Pwn2Own last year. LiveOverflow's four-part documentary provides behind-the-scenes coverage of our quick response to fixing two Firefox 0-day security bugs. The videos cover the 2-day event, from preparation (part 1) to exploit analysis (part 2) and disclosure (part 3), all the way to the rapid release of a Firefox update (part 4).

Trustworthy JavaScript for the Open Web: Alongside partners from Meta, Proton AG, Cloudflare, and the Freedom of the Press Foundation, we presented our plans to improve the trustworthiness of JavaScript on the Web at Real World Crypto.

SafeBrowsing: Firefox 147 shipped with SafeBrowsing v5 support, which protects users against malicious URLs. Starting with v149, Firefox also blocks and revokes website permissions for sites on the SafeBrowsing lists (Bug 1986300), leveling up the built-in protection from online threats.

Stronger XSS Protection through the Sanitizer API: Starting with v148, Firefox was the first browser to add support for the Sanitizer API, helping prevent XSS attacks on the web. Learn more in our blog post, Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148, or tune in to the ShopTalk Show podcast, where Freddy Braun discusses the details of the Sanitizer API.

2048-bit Minimum for RSA Certificates: Firefox now enforces a minimum 2048-bit RSA key size for certificates issued by Mozilla's built-in root CAs. As publicly trusted CAs already meet this requirement, no significant impact to the broader web is expected.

Community Engagement

Bug Bounty Program Updates: As the threat landscape evolves, we're evolving our security program alongside it, including to address the increasing volume of AI-assisted security bug reports. With continued advances in browser security architecture, our bug bounty program is refining its incentives to prioritize the highest-impact research and the most critical classes of vulnerabilities while focusing on novelty. Learn more in our blog post: Bug Bounty Program Updates 2026. We have also just updated our Bug Bounty hall of fame to list all people who helped us find and fix security vulnerabilities in Q1 of 2026.

Web Security & Standards

Storage-Access Headers: Firefox 147 is shipping an extension of the Storage Access API to improve both web compatibility and parity with Chrome. These Storage Access headers allow web pages to opt out of storage isolation upfront and without the need to first load a document.

Going Forward

As a Firefox user, you automatically benefit from the security and privacy improvements described above through Firefox's regular automatic updates. If you're not using Firefox yet, you can download it to enjoy a fast, secure browsing experience while supporting Mozilla's mission of a healthy, safe, and accessible web for everyone.

We'd like to thank everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q2 2026 report.

- The Firefox Security and Privacy Teams

14 Apr 2026 11:00pm GMT