
All Tridactyl installations might get removed by Firefox on Aug 21 - anoopelias
https://github.com/tridactyl/tridactyl/issues/1800
======
mcpherrinm
Oof, looks like Tridactyls "fixamo" disabled the URL checking for addon
installation in firefox, by writing into the user.js prefs:

    
    
        user_pref("extensions.webextensions.restrictedDomains", "");
    

I can see why they'd get yanked over that. I would definitely not expect
installing a random addon that makes my browser have vim controls to change a
relatively sensitive setting like that.

The developers are now whining about being asked to revert that change, on the
grounds that touching the file is a breach of trust (which, they've already
done)

~~~
Ambroisie
The thing is, users that ran this command _know_ what it did. Maybe not in all
its detail (I certainly didn't know exactly what it did, although I could have
looked for it). That's because for this command to be of any use to the user,
they first have to enable the "native client" to enable reading Tridactyl's RC
file, which is explicitly stated to weaken the security model Mozilla tries to
enforce on extensions.

This isn't a "random plug-in" playing with your security settings. It's a well
designed extension which tries its hardest to allow power users to do what
they want : control their browser the way they best see fit, without
restrictions. If you want to stay safe, just don't enable those settings :
they're not necessary to get a good out-of-the-box experience, but they allow
some very powerful fine-tuning to turn your browser into _your_ browser, with
_your_ commands.

~~~
shawnz
It's explicitly stated that it will weaken the security model, but it's not
explicitly stated that it will modify user.js. Now the author is claiming that
reversing the change would be improper because it involves modifying user.js
without explicitly saying so, but that's literally exactly what they did
already.

They are not claiming that the problem is being forced to strengthen the
security model without explicitly asking. They are claiming that the problem
is specifically being forced to _modify user.js_ without explicitly asking.

~~~
cmcaine
> it involves modifying user.js without explicitly saying so, but that's
> literally exactly what they did already.

We have never modified firefox settings without a user explicitly opting in.

All the documentation for the `fixamo` function named the two firefox settings
(as viewable in about:config) that `fixamo` would change.

`fixamo` was an opt-in feature that users were only going to find by reading
our help files or asking us on our support channel.

Disclaimer: I am one of the authors of tridactyl.

------
userbinator
"Users should not ever do this"

Overall authoritarian tone aside, that's the one phrase from the reviewer that
really pisses me off; what happened to Firefox being the browser that "puts
users in control of their online experience" (or whatever the variants thereof
which have appeared numerous times in the Firefox marketing material/slogans)?

Instead, it seems now that Mozilla have built their walled garden, they are
reluctant to let it go and have really acted against the principles upon which
it was founded and gained much of its user/fanbase, all in the name of
"security". The demand reads more like it came from an Apple app store
reviewer, not Mozilla.

It is almost exactly 4 years ago when Mozilla started to build the walls of
their garden, and some of the comments on the discussion there are well worth
reading:
[https://news.ycombinator.com/item?id=10038999](https://news.ycombinator.com/item?id=10038999)

The saddest thing about all this is that today's browser "choice" is really
between the even more restrictive Chrome-clones and Firefox, and the latter is
slowly edging in that direction too.

~~~
thristian
The problem, as usual, is one of user education. Some users fully comprehend
every detail of the consequences of their actions, some users blindly do
whatever anyone tells them, or even just flip every switch the opposite way
around to see what happens, and there are millions of users at every point on
the spectrum between those extremes. It's not practical to ship different
browsers tuned for different points on the spectrum, and even if it were, you
couldn't guarantee that people would download the browser most appropriate for
them, they'd download whatever looked nice at the time.

So you have one browser distribution, with one set of defaults, and on one
hand you want educated users to be able to configure things to their liking,
while on the other hand you want to prevent uneducated users from screwing
themselves over by accident, or because somebody told them to open the secret
Developer Console and paste a funny-looking string to see a picture of a
bunny.

There aren't really any good answers.

~~~
userbinator
_It 's not practical to ship different browsers tuned for different points on
the spectrum_

For the longest time, that's how it was. The browser at one end was called
Chrome, and the one at the other was called Firefox.

 _while on the other hand you want to prevent uneducated users from screwing
themselves over by accident_

As the saying goes, "Freedom is not worth having if it does not include the
freedom to make mistakes."

The whole "protect the users" mentality is IMHO misguided and dangerous,
because it's basically one individual or a small group making the argument
that taking away individual freedom (and thus giving more control to those in
power) is "better for everyone". The road to hell is paved with good
intentions. Incidentally, that's how a lot of dystopian sci-fi looks like...

~~~
thristian
> _The browser at one end was called Chrome, and the one at the other was
> called Firefox._

Firefox was originally the simplified, cut-down version of Seamonkey; Firefox
has been on this trajectory of simplification since before Chrome or WebKit
were invented.

> _The whole "protect the users" mentality is IMHO misguided and dangerous_

It's definitely dangerous - good intentions, dystopian sci-fi, etc. etc. - but
I'm not sure if it's misguided.

I don't mind being forced to follow road rules, even if I find them
inconvenient, because I benefit more from other people following them
(personal safety, etc.) than I would from being allowed to do what I want.

I don't mind being forced to install security updates, even if I find them
annoying, because I benefit more from other people installing security updates
(more reliable infrastructure, fewer tech-support calls from family members)
than I would from being allowed to do what I want.

I expect browser security is similar - I don't have exact numbers to hand, but
it wouldn't surprise me if I'm better off being a bit restricted than I would
be if everybody did what they wanted.

------
noodlesUK
Tridactyl is a wonderful piece of software. My problem is the assumption that
it’s unacceptable for an extension (which has a native messenger) to have the
capability to modify Firefox when _explicitly told to by the user_. I use
tridactyl, and plenty of people do, but realistically, the entire audience of
an extension that gives you vim keys is highly technical, and can be expected
to read the docs. Making the software edit personal files on disk when _not
asked to explicitly by the user_ is a breach of my trust model. It’s not as
though fixamo is run on startup, it’s something you have to do explicitly.
I’ve never run it, nor do I use the native messenger. This reviewer is totally
out of order as far as I’m concerned.

------
gabcoh
If anyone’s looking for a browser with deeply integrated vim key bindings then
check out qutebrowser. I’ve been using it for about a month now and it’s
pretty great. Only downsides for me are lacking support for my yubikey, and
questionable security. I’m not saying the security is necessarily bad (I think
the actual browser is based on chrome), just that I don’t have as much
confidence in it as I would in stock chrome or Firefox.

[https://qutebrowser.org/](https://qutebrowser.org/)

~~~
Deimorz
The adblocking/script-blocking capabilities (described in #9 and #10 in their
FAQ:
[https://qutebrowser.org/doc/faq.html](https://qutebrowser.org/doc/faq.html))
are extremely weak and inconvenient (and their claim about the negative impact
of adblocking is outright false).

Those are probably the two most important capabilities for security, so the
lack of them definitely means I'd never want to use it for general browsing.
I'd much rather deal with weaker keybinds than sacrifice that much on the
security and privacy side.

~~~
danShumway
I know it's a pain for new browsers to support, but I can't imagine myself
running any browser right now (even experimentally) that can't install UMatrix
and UBlock Origin.

If you want me to try out your browser, you have to support the WebExtension
API -- you can support other APIs in addition to that, but WebExtensions are a
minimum requirement. I guess Chromium doesn't bundle them, so it's harder for
smaller browsers to add the same capabilities?

I'm not sure how Vivaldi and Brave handle it.

~~~
The-Compiler
There's
[https://gitlab.com/jgkamat/jmatrix](https://gitlab.com/jgkamat/jmatrix)
[https://gitlab.com/jgkamat/jblock](https://gitlab.com/jgkamat/jblock) and
[https://gitlab.com/jgkamat/jhide](https://gitlab.com/jgkamat/jhide) \- not
the real thing™ but probably coming close.

Supporting WebExtensions isn't possible without QtWebEngine (the library
qutebrowser uses) doing so. That might happen some day, but will probably
still take a while.

------
tylermenezes
You can argue for or against `fixamo` as a command, but Mozilla's position
seems to be that even documenting the ability to turn off restrictedDomains
anywhere is not allowed.

Among other things they're asking the author to censor the command from his
personal dotfile. That's not justifiable and makes me really disappointed in
Mozilla.

~~~
detaro
The "personal dotfile" that's lives in the same repo as the extension and is
recommended as an example in its documentation, and only documents these
commends as "Add helper commands that Mozillians think make Firefox
irredeemably insecure". If you want to signal to a reviewer you're not taking
them seriously, that's the kind of thing to do when they ask you to remove
code.

~~~
bovine3dom
`fixamo` was first removed after an informal request via informal channels
from someone on the Firefox security team. The comment wasn't intended as a
jab at a reviewer who didn't exist at that time; I was just tickling myself as
is my wont.

I'm sorry if it offended anyone. I'm generally really appreciative of the work
reviewers do.

~~~
detaro
Ah, I had missed that aspect. That paints it in a different light.

------
ihuman
I can kind of understand why they want the developers to remove the line from
people's user.js file, but why can't they tell the users when they do this?
Why do they have to do it "without user interaction?"

~~~
detaro
I'd interpret as that they can tell users they did it, but they have to do it
without the user doing anything.

------
Arubis
Genuine question: can Mozilla prevent Firefox from allowing an extension to be
installed _at all_, or is this more a matter of de-listing an extension from
the Mozilla directory?

~~~
rebelwebmaster
There's a built-in extension blocklist which also gets updated remotely.

[https://hg.mozilla.org/mozilla-
central/file/tip/browser/app/...](https://hg.mozilla.org/mozilla-
central/file/tip/browser/app/blocklist.xml)

~~~
Mathnerd314
More on the policy for said blocklist:
[https://wiki.mozilla.org/Blocklisting](https://wiki.mozilla.org/Blocklisting)
(2008-11) [https://support.mozilla.org/en-US/kb/add-ons-cause-issues-
ar...](https://support.mozilla.org/en-US/kb/add-ons-cause-issues-are-on-
blocklist) (2012) [https://developer.mozilla.org/en-US/docs/Mozilla/Add-
ons/AMO...](https://developer.mozilla.org/en-US/docs/Mozilla/Add-
ons/AMO/Blocking_Process) (2019)

The expansion from "we block malicious add-on versions" to "we block add-ons
with known stability or security issues" to "we err on the side of security"
does not bode well for the future of hacking cool add-ons.

~~~
michaelmrose
What about a fork that only differs in allowing a second more permissive addon
store.

~~~
SanchoPanda
Settings change over time and maintaing any fork is hard. Maintaining a fork
of a modern browser is a sisyphian task. Even compiling it is no joke.

------
cmcaine
I am one of the developers of Tridactyl.

This dispute is because Tridactyl used to provide a function that users could
choose to run that would change two of Firefox's settings (the kind you find
in about:config). Changing these settings allows addons to run on e.g.
addons.mozilla.org and accounts.firefox.org where they otherwise cannot. The
change we made is the same change that several blogs had already talked about
and suggested.

Here is a relevant bugzilla thread that motivated the creation of the
blacklist that we turned off, so you can see what Mozilla thinks:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1415644](https://bugzilla.mozilla.org/show_bug.cgi?id=1415644)

A mozilla employee informally asked us to remove this function for security
reasons (and we did). Later, an AMO reviewer asked us to change users' Firefox
config automatically to remove these settings. We would rather this were made
an explicit choice for Tridactyl users and we're trying to negotiate a
compromise with the reviewer.

This is the only plausible route to exploitation of this situation that I know
of, assuming a user acting before we removed the fixamo command:

1\. You manually install Tridactyl

2\. You manually install our native messenger

3\. You manually run a command called `fixamo` or you manually find and
install our exemplar RC file that explicitly says at the top that you should
read and customise it because it does things you might not like; and then you
don't read or edit it

4\. You also manually install a malicious addon

5\. That malicious addon doesn't have permissions for <all_urls> (otherwise it
can steal your banking credentials without tridactyl's help) but does have
permission for accounts.firefox.org

6\. That addon can then steal your firefox account credentials and use them to
e.g. mess with your synced settings and e.g. download your passwords database
(if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon
with <all_urls> anyway (and many addons request that permission), so this
slight extra capability you get if you successfully phish someone in this pool
of <1000 people isn't a big deal.

\---

Some people have opined that our documentation for the command was not
explicit enough. My opinion is that it's good enough and about on par with
other resources that talked about the same settings. It would be better if it
was more explicit about the security risks, but we provided fairly complete
information about what we were doing and a link to the source code.

This is the documentation we provided:

In the "Webextension caveats" section:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains,
you need to open about:config, run fixamo or add a new boolean
privacy.resistFingerprinting.block_mozAddonManager with the value true, and
remove the above domains from extensions.webextensions.restrictedDomains."

In the docstring for fixamo, partially displayed if you type fixamo in the
commandline and also included in the help pages we encourage users to use with
e.g. `:h fixamo`:

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true
"extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be
used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit
92e1b005c47995e3d24f61a7d4c3935df8437f1a

We also included a variant of the fixamo command in the exemplar .tridactylrc
file (not used unless you have also installed the native messenger and also
explicitly found, downloaded and installed the exemplar). This file includes
this text at the top:

"Provided only as an example.

Do not install/run without reading through as you may be surprised by some of
the settings."

And this text right above the fixamo line:

"Make Tridactyl work on more sites at the expense of some security"

------
azpekt
Okay, so I presume that: \- development of Tridactyl stops? \- there is no way
to run it on fresh/updated versions of FF on Win10?

That sucks.

~~~
cmcaine
No. Check the latest updates in the github thread.

1\. We will release an update that we think is compatible with the AMO
reviewers' demands. 2\. You can just read the readme for the project on github
for a non AMO but easy way to install it.

------
Endy
Well, perhaps the Tridactyl devs should move back to XUL and explicitly
support Pale Moon & Basilisk. It would be a strong move since Firefox won't
support them or their users.

~~~
bovine3dom
FWIW, there's at least one (minor) change that was made to Firefox to help out
Tridactyl -
[https://github.com/tridactyl/tridactyl/issues/792](https://github.com/tridactyl/tridactyl/issues/792).

Mozilla also were happy in principle to allow us to intercept key presses on
all parts of the browser last time we spoke to them a couple of years ago; we
just need someone to write that extension to the WebExtension API -
[https://github.com/tridactyl/keyboard-
api](https://github.com/tridactyl/keyboard-api).

Rewriting Tridactyl in XUL is not something I would wish on anyone.

~~~
Endy
Have you considered working with either Pentadactyl or Vimperator?

~~~
ShinTakuya
I miss pentadactyl. I actually support everything about the WebExtensions move
but it hurt to let go of my favourite extension.

