> Unknown Mozilla developers can distribute addons to users without their permission
"In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
In all seriousness, I understand this is an important issue, and needs to be addressed, but we've obviously gotten to the point as a society recently where no news can't be played up for hype by pundits and commentators for their own benefit (and probably without realizing they are doing it in a lot of cases).
The whole way this is being presented (by many here, not to pick on the parent) as a new chunk of the sky falling is what I find really troublesome. No, chicken littles, the sky isn't falling, but there is some interesting shit going on up there that deserves a look.
I fail to see how getting half the people frothing at the mouth and the other half downplaying it just to try to keep some sanity in the discussion helps for a good outcome.
> "In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
No they can't, despite mozilla removing the option to prevent this, I have an extension preventing website to run code in my browser without my permission. it happens to be one of the most popular firefox extension: noscript. (also umatrix and request policy).
No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
> No they can't, despite mozilla removing the option to prevent this, I have an extension preventing website to run code in my browser without my permission. it happens to be one of the most popular firefox extension: noscript. (also umatrix and request policy).
You've conflated third party javascript with javascript in general. You can turn off javascript entirely, but unless you do so, that website is generally able to ship javascript to you as included scripts from the same domain or in a script section or inline with attribute handlers.
> No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
Yes, they very often do. Currently, they generally ask if you want to restart using the new version and give you that choice, but they are often downloading newer versions of themselves ahead of time to speed up this process.
Whether they have permissions depends entirely how you installed the application. If it wasn't installed globally, user permissions are all that is needed.
> I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
Good! I hope you've also never ever piped wget output to a shell for some application's quick installer. I also hope you've never installed any programming language module through that language's package manager and not your distro's package system, because those are notoriously bad at making sure there's not holes through which bad stuff can happen either.
Regardless, it's possible that the package you downloaded, no matter the source, can do something other than stated.
> It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
Actually, I don't think I guessed wrong because I wasn't guessing anything, and I never said it works the same for everybody. I believe, since I was careful to qualify my statements, that each is easily proven correct, and I've done so.
Just coming up to speed, apologies for the potentially obvious questions.
1. Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
2. Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
3. What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
Mozilla (and other browser vendors) have the ability to push updates to their browsers outside of the normal release cadence. In many cases, these updates are distributed as add-ons, as they're cleanly separated from the rest of the browser internals, but that's just an implementation detail. If you visit about:support in Firefox, you should see a table of "Firefox Features," which are exactly that. Their source lives at: https://hg.mozilla.org/mozilla-unified/file/tip/browser/exte...
For example, we used a system add-on to control the gradual roll-out of multiprocess Firefox, and the New Tab page is also implemented as an add-on called "activity-stream."
I'll try to answer in the parent's place, since I've been watching this issue.
> Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
Unknown in the sense that this extension wasn't documented at all, there was no Bugzilla issue for it and it's not clear whether it was properly vetted by QA. Whether you argue that this kind of silent push updates is good or bad, I think they aren't tested as well as in-browser functionality. This is a necessary consequence of "let's try it and revert if something breaks or people complain".
More so, a rolled back Shield study will be invisible to the users, so any problems will be impossible to debug. This is made worse by the fact that most, if not all Shield studies are opt-out, so the user won't be notified.
> Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
> What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
People have reported that extensions.ui.experiment.hidden reverts after viewing the add-ons list. I haven't tried it myself, but you can find details in that Reddit thread.
Others have noticed that the Shield studies checkbox sometimes (possibly on version bumps) reverts to enabled. I can't overstate how bad this is; it's basically cheating the users' trust. Lately, Mozilla has been doing some pretty nasty things for an organization that takes pride in caring about the privacy of its users.
Are you aware of the complaints regarding Windows telemetry? Edge, for example, sends full browsing history to Microsoft by default. Should Mozilla follow suit? Because that's exactly what Pioneer does and, while it's not opt-out yet, Firefox advertises enabling it.
As for the rest of the system add-ons, they're either poorly documented (if they are at all), poorly named ("Presentation"), or seem concerning from a privacy point of view (e.g. Activity Stream, Follow-on Search Telemetry, Photon onboarding, Presentation, Web Compat Reporter).
For anyone curious, Presentation seems to be an implementation of a proposed Web API that allows browsers to find and talk to devices in their neighbourhood. Does that include location/proximity beacons like this old proposal https://hacks.mozilla.org/2013/06/the-proximity-api/ ? Do users really want Firefox to tell advertisers where they're shopping? That's the same kind of "experience improvement" that the spyware of yore used to bring.
Why should Pocket be an add-on with superpowers? There was quite a bit of backlash over it a while ago, but Mozilla didn't budge, and some employees actually spread misinformation (not to say "lied"). And actually none of my system add-ons seems to be providing any important functionality (if you disregard the new tab page, for which I haven't seen yet a privacy policy). Looking at Shield studies ( https://www.jeffersonscher.com/sumo/shield.php ), it's even worse: most are surveys, advertisements, asking the user to enable Pioneer (i.e. send full browsing history to Mozilla).
The comment about the visibility of the add-on (Bugzilla, QA process, documentation, etc.) is well taken, as are those regarding the naming of system add-ons, Pioneer, etc.
I've got an intercontinental flight coming up soon, and I'll do some grepping around to try to understand the prefs mentioned. If someone else beats me to it and posts a specific set of steps to reproduce a pref flip on those, I'd appreciate it.
I can confirm that extensions.ui.experiment.hidden gets reset to true on Nightly after opening about:addons. It seems to have no effect, though it might have if one uses lockPref.
> Mozilla developers can distribute addons to users without their knowledge
I think for most people this is the stickiest point. Other commenters have said things along the lines of, "well if you trust their browser you should be able to trust their add-ons" and I do, mostly, trust their add-on here... but I really don't like how it slipped into my Add-Ons without telling me. For every other Add-On I have to click an explicit blue button, so I know what's in and what's out.
In today's landscape, Add-Ons have massive potential as security threats. For instance, would a savvy user who is security-aware (most users on HN, I assume) install an Add-On like Gmail Checker Plus[0]? Without digging in, it's hard to be 100% certain what this Add-On is and isn't doing with my Gmail content (I have no reason to assume anything nefarious, it's just an example). My browser Add-Ons should be off-limits to any sort of tampering without my permission, as well should be my bookmarks and auto-fill info. If I broke into your house and changed your bedsheets, you'd rightly be creeped out... nothing was stolen, new bedsheets don't affect you in any significant way, but it's still wrong and weird and hurts trust.
I think this was a very bad move, because Mozilla installed adware in all of its browsers. The fact that it was installed through an add on, though, seems irrelevant. Mozilla developers can distribute arbitrary code to all users because they write the browser. The add on just makes this particular bit of code user visible.
* https://news.ycombinator.com/item?id=15921134
This is a link to the GitHub issue:
* https://github.com/gregglind/addon-wr/issues/36
There are several scary things about this:
- Unknown Mozilla developers can distribute addons to users without their permission
- Mozilla developers can distribute addons to users without their knowledge
- Mozilla developers themselves don't realise the consequences of doing this
- Experiments are not explicitly enabled by users
- Opening the addons window reverts configuration changes which disable experiments
- The only way to properly disable this requires fairly arcane knowledge Firefox preferences (lockpref(), which I'd never heard of until today)