Hacker News new | past | comments | ask | show | jobs | submit login
Mozilla pulls Bypass Paywalls from Firefox add-ons store (github.com)
338 points by AndrewDucker 3 months ago | hide | past | web | favorite | 276 comments



Lots of heat in this thread...

So, Addons are mostly reviewed by volunteers. Sometimes people make mistakes. The best course of action is to try to reach out for the AMO team on IRC or their mailing list.

- Addons forum is at https://discourse.mozilla.org/c/add-ons

- All contact info for AMO dev stuff is at: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons#Con...

- Developer Hub for addons is at: https://addons.mozilla.org/en-US/developers/

There is no need for FUD or conspiracy theories. We can just talk to people and find out what happened and maybe revert it if possible.


My experience with firefox add-on reviewers has been hit or miss - One of the most frustrating things is that reviews often happen long after your add-on has been published. I'd rather have a longer waiting time, but once an add-on is published then it means it's been approved. From the developer point of view it means that it's very hard to communicate on releases, because you never know when your addon is going to be reviewed. From the end user, it means that if someone maliciouly changes one of your addons, you may already have updated to that version before the review. I also feel that the guidelines around reviews aren't well explained, and the reviewers comments are often terse, bordering on the incomprehensible : at least with Apple, you get pointed to which part of the rules they think you didn't respect - with firefox, we often get broad comments that require a bit of back and forth to figure out what it is they're actually thinking is wrong.


This was the old model and it put a lot of pressure on the volunteer add-on reviewers and their were times where the delays stretched out to several months.


It's not like Mozilla has no funds. Why not hire a couple of people for the reviews?


Or at least hire review coordinators who can manage the program effectively. Our volunteers review 15,000+ loans a month. Happy to share insights with Mozilla on how to run an effective volunteer community and keep the pipeline flowing.


Having funds is not the same as having unallocated funds.


Surely there should be a clear appeal process, and escalation if there is to be an app store like review for addons that can remove something. Particularly if they are assessed by volunteers who may vary significantly.

There seems something off when spyware infested stylish remains an acceptable addon and this gets arbitrarily blocked.

A vague "try and reach out" doesn't, to me, seem to come close to an appeal process.


There is a escalation process. I think the authors already did it and are now waiting. What I mentioned is not the escalation problem, it is a way to reach out for people when things fail.

Usually from your add-on admin dashboard you can reach out to the team and send messages to the reviewers, right from the same tool you use to admin everything.


Is it just me or there’s a lot of these ‘hot’ threads on GitHub lately? I don’t mean the issue at hand—validity is beside the point—but the fact is that these issues unravel on GitHub on a very predictable cadence, and Github Issues is fairly ill equipped to deal with making sense of this. So everyone just shouts at thin ether at the top of their lungs, hoping to attract some attention and answers, then it becomes an arms race.

That’s a design problem - if the voting system made things become more visible, then likely fewer people would feel the need to shout. That has its own drawbacks, though.

It’s a hard problem building anything remotely social. I don’t think they realised what they were putting themselves into when they were building Issues.


What happened is Mozilla got a complaint and pulled multiple pay-wall bypassers.

Source:

https://github.com/nextgens/anti-paywall/issues/109

"It appears that your Add-on violates the Firefox Add-on Distribution Agreement and the Conditions of Use. Both prohibit Add-ons that violate the law. Your Add-on appears to be designed and promoted to allow users to circumvent paywalls, which is illegal.

...

We are responding to a specific complaint that named multiple paywall bypassing add-ons. It did not target only your add-on."


> Release and Beta versions of Firefox do not allow unsigned extensions to be installed

I'm really disappointed at Mozilla regarding this. I recently wanted to do some Firefox customization for my own private use (not even an extension, I just wanted to have some visual indication of which Firefox windows belong to which profile). I was surprised to find out that even just a header .png in a theme can't be loaded locally but must be on-line and vetted by Mozilla. Utter craziness.


I'm currently developing a browser extension, and was a bit shocked that I couldn't just load it on Firefox like on Chromium. It seems like such a basic thing, maybe that's because I'm a dev and expect that they will cater to development, but it was one of the first usability things where I preferred Chrome. I ditched iPhone for Android for similar reasons, and it seems that one thing Google does really well is make the developer workflow easy.


You can load it like on Chromium. Go to about:debugging#addons, click the "Load temporary Addons" button and select your manifest.json file.


Aaah, thank you! That will help tremendously. The third-party resources I was looking at neglected that point.


Any version of Firefox can load unpackaged addons for the current session. IIRC, with the CLI tool you can even auto-reload it as you make changes to source.


You can use web-ext[1] to simplify development process

[1] https://github.com/mozilla/web-ext


IIRC you can install unsigned extensions in the dev and nightly as well as unbranded versions of firefox (usually the last option means compiling it yourself).

Mozilla is, to some extend understandably, concerned with the image of Firefox and patrolling what Addons are available in the store is part of that. Apple does the very same thing.


> Mozilla is, to some extend understandably, concerned with the image of Firefox and patrolling what Addons are available in the store is part of that.

This is a non-sequitur. Reviewing things on their addon store has nothing to do with requiring a mozilla signature for sideloading.


Not quite. The signature is to ensure users install from the addon store. You can disable this if you wish to run non-store addons. Otherwise any website or external program (remember your A/V installing their safety toolbar?) could start adding fishy code to your browser.


That is a totally different issue. One thing is reviewing what's on your store. The other is restricting people to only installing what's on their store.

One is happening on their property. The other is happening on the user's property. They also want to exert control over the latter, which is causing these problems.


It's the difference between on the one hand some spyware or adware shoving an addon in the right location in the Firefox profile directory and either accepting any dialogs to confirm you want to side-load or social engineering the user into accepting them, and on the other the same spyware having to actually patch the firefox binary or exploit it to get the same behavior, since the binary has verification baked in.

It's a big annoyance for me too, because I use private extensions extensively for some business stuff (used by the users here), but had to switch to a different mechanism (because I don't want to deal with verification). It sucks for me, but I totally understand why they are doing it.


I am aware of mozilla's given rationale (and I disagree with the implementation), I was just pointing out that patrolling an addon store is orthogonal.

And the decision to not even let users add additional signing root keys is yet another axis on the decision space that was totally neglected.


The problem is that it's essentially just another dialog or control to be scripted or socially engineered around. You can make it more onerous because it's basically a one-time action that's not something most users will do, but to what degree is adding a signing key before install different that a dialog asking you if you really want to install this third party extension?

Until you have different access levels and can both restrict users/programs from running at the base level required to do this, and condition users to recognize when increased access is being requested, I don't see this problem going away. Windows UAC is basically what we're talking about, and it still took years to users to understand it and not just always allow it (if that's even true!), and that's a system shared over all of windows.

I think the only sane way to accomplish this that worked for users and didn't cause enterprise admins to totally shun Firefox would be to piggy back on Windows' certificate store and register certificate for Firefox use only (I assume this is possible, I'm pretty sure you can do this for app-to-app communication such as MSSQL encrypted connections), but then you have to make sure you also handle the mechanisms to do the same in Linux and OS X, and now we're seeing it's a much more complex undertaking.

Protecting users from their own stupidity is a tough and mostly unsolved problem. Punting and eating their own resources to provide the safest solution they can, even if it's annoying for a more technically literate subset of users, is a solution I can understand and respect, even if it's problematic for me, because it's putting safety and security the majority of users over a simple solution that would be worse overall.


UAC is already in place. Piggyback on that. Root on linux. And whatever osx does to protect application packages.

And I really dislike the "can be socially engineered around" buldgeon. If taken to its final conclusion you would have to lock-down systems and give users no freedoms at all because they could be convinced to do something bad with enough effort.


If taken to its final conclusion

And yet you don't take the "freedom" argument to its final conclusion, which is that you must grant Freedom -1. That's the freedom for anyone, anywhere, to run any software on your hardware, at any time and for any purpose.

And this is only half-joking: all access restrictions, even ones as basic as filesystem permissions, impinge on freedom in some fashion. You can work around them, of course, but you can work around Firefox's extension signing (and Apple's app signing, and lots and lots of other systems that people insist are objectively reducing "freedom"). Which means that to be consistent, you either have to be against even those basic access-control mechanisms, or you have to compromise on absolute "freedom" and begin arguing about how difficult or complex a workaround can be before you personally would rule out allowing a system to require it.


That would go a long way to solving the problem once and for all. It would be nice if Mozilla would provide the ability to install private signing keys to the browser.


I would disagree this is a different issue, one leads to the other. Mozilla wants to make sure that any addon the user can possibly installed is something they can trust. Including addons that other applications install (ie AV toolbars).

If you don't like that, you can use the unbranded version of firefox or the dev edition.


As in the sibling, thread, no, you can't disable the signature check, not in the regular, mainline FF download. Even if you enable it in about::config!

This was a change introduced in ~August 2016, to ignore your preferences on that setting.

(As you note in the sibling thread, you can get it in a special development version, but that still contradicts your claim that you can toggle something to allow it.)


You can toggle a compile option to allow unsigned addons. I've mentioned this repeatedly and I'm unsure how you didn't notice that.


And I've explained that you can't expect the average newbie coder to navigate the recompilation process; I'm unsure why you blithely dismiss people who aren't as capable as you.


1. So you have the set of people who would be much better off in a “walled garden”, in my experience that is almost everyone.

2. You have the set of people who can compile the code from source and who want to get outside of the wall.

3. You have the set of people who want to get out of the wall but don’t have the technical expertise to know the dangers of doing so.

4. You have people who have the technical expertise to know the dangers but not the technical expertise to compile code.

I think people in group 4 should learn how to be in group 2, because we have almost four decades worth of evidence to know how badly people in group 3 can do.

Edit: changed group 2 to group 3 in the last sentence.


Perhaps, they forced them to do that in the middle of their workday in order to get their UX back. Imagine if your computer crashed and when it restarted it came with the mouse drivers disabled and you had to use the arrows to move the mouse around, and you were reassured you could sign up for WDN to restore use of the mouse.

And I don’t think expecting the user to personally recompile for every update is reasonable, especially if you claim to let users gain control of their machines again.


Compiling a browser isn't exactly a walk in the park for the average 5 year+ old PC, either.

Googlers working on Chromium dev get maxed-out machines for this reason.


The same users who have complete “control of thier computer” who don’t know what they are doing is what causes all of the crapware, malware, ransomware on many Windows based PCs.

I’m all for platforms being in a wall gardener by default where you have to jump through a few hoops to unlock an “advanced mode”.

And signing up for WDN (Windows Developer Network?) hopefully you would get signed drivers.

You can’t imagine the number of times my mom has done the perfectly reasonable thing of searching for Windows printer drivers on Google and ended up installing crapware from a third party site instead of getting the official driver. Signing requirements from MS would hopefully alleviate that and let advanced users try to figure out how to load unsigned drivers.

(Also tangentially, why are printer drivers still a thing on Windows anyway? Anyone who connects a Mac, iPad, or iPhone to my home network - if I give them access to the non-guest network - automatically can print.)


I don't because I also mention the developer edition and nightly, which allows unsigned addons and has regular updates.

I'm not dismissing people who aren't as capable as me either, I've mentioned alternative approaches and I'm getting tired of having to repeat "there is the dev and nightly edition" to the same 5 people over and over again.

Mozilla is making tradeoffs in protecting the average user and giving the power users a little bit less freedom unless they use an edition of firefox intended for power users and developers. Simple as that.


Then you don't get security updates. That's forcing users to make uncomfortable tradeoffs.


The developer edition allows you to use unsigned addons, that has security updates.

You can't live in the modern world and expect all choices to be handed down without consequences and tradeoffs.


Right, we can't. Unless we're promising to give users control over their machines and there are trivial ways to accommodate this means of giving them control.


Users will abuse the ability to control their own machines. Given full administrative privilege on their machine, it takes, by my experience, about a month until the machine either has various pieces of malware installed or their malware has malware installed.

The average user cannot be trusted with full control of their machine and it's fairly reasonable to say that power users need to take the extra steps to, for example, install a power user edition of firefox.


I'm not asking for full administrative privilege.

I'm asking for: "If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

>I'm not dismissing people who aren't as capable as me either, I've mentioned alternative approaches and I'm getting tired of having to repeat "there is the dev and nightly edition" to the same 5 people over and over again.

And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.


>"If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

Any such process would have to be difficult for external programs. As it stands, the best way to get verification of such a setting is through the built in binary verification that firefox does, which require that any application needs to reverse engineer and patch the binary to install it's own addons.

Your process requires editing the about:config values, which is possible for an external application and installing an addon, which copies it into a specific folder and is also possible for an external application. We know this is possible because this is what other applications did to install their shitty toolbars.

>And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.

It seems to me that further discussion is unnecessary considering you continue to ignore significant portions of my comments.


>Any such process would have to be difficult for external programs.

Why? If the user already has a malicious 'external application' running on their system with sufficient privileges to do any of this, then they're already screwed, and they have bigger problems to worry about than malicious WebExtensions.

More generally, I don't think we should hold applications responsible for the security or behaviour of parts of the software/hardware stack at equal or higher privilege level to them, including other applications. Mostly because, well, they can't do anything truly effective in that regard.

I see you're worried about average users unknowingly installing random malicious crap, and I've seen a lot of that myself. I think the way forward is pretty much what is being done on mobile platforms currently: universally applied application sandboxing, usage of existing fine-grained access control models (and also the development of ones that are saner to use), and better communication to the user about what their applications are doing and what the permissions they are requesting actually mean. Yes, it's still a clusterfuck, but it's an improvement.

A security model involving applications in an arms-war with one another, using increasingly byzantine restictions in an attempt to prevent external manipulation, feels less like something I would want any part of, and more like something out of a dystopian sci-fi novel.

: Although I think Google went too far on the "lock things down completely" side of things when they made it outright impossible to, say, use rsync to backup or sync the entire contents of a phone's sd card to/from the network


They could add a way to add signing keys to the stables. This gives you security updates and user freedom without significant downsides because the user would still be in charge of signing.


That would allow any third party software running on your computer to add malicious plugins to the browser (which has happened in the past and is in part why it requires Moz' signature now).

Most users, ie, the average user plus a significant amount, don't really care that they can't install random addons from outside the addon store.


Put the certs in the program directory. If malware makes it to that point then you will have lost the battle in any reasonable threat model.


What would prevent malicious software running on the computer from installing a malicious version of Mozilla? What's their attack model?


The attack model is largely that fairly normal software wants to install adware on the computer. The software isn't direct malware but will attempt to install and activate addons, redirect the users homepage and search engine as well as setting various other options on the user behalf that are ultimatively harmful to the user experience in Firefox.

Mozilla wants their branded Firefox to be something the user can trust and that means controlling what code with elevated privileges (ie, Addons) can run in the browser.

edit: It should be mentioned that in response to the first question; Firefox performs some binary verification and won't run or attempt to repair if it detects tampering.


This threat model appears to optimized for the argument giving control to mozilla. It assumes that your system is essentially compromised but the attacker has just exactly so many self-imposed restraints that they can be thwarted just as long as things are under mozilla's control. But if you give the user control then suddenly the balance tips and their already-compromised system will be used for bad things.

It's a really long-winded way of saying "we know better, you cannot be trusted, freedom is slavery".

The correct solution is to remove malware, not to play games with it that require freedom-reducing gambits.


There is plenty of software that adheres to these constraints. Most adware doesn't want to actively damage the system and doesn't worm too far in. In the past, adware would simply drop it's toolbar payload into the Mozilla and Chrome addon directories, which would after confirming it with the user, activate. Same thing with homepage and search engine settings (which still get modified).

I think it's a bit unfair to quote Orwell when the overall goal is to prevent the user from hurting themselves, not brainwashing them into thinking they don't need unsigned addons. If they need those there is the developer edition, which is officially supported by mozilla and allows installing any addon you like.

The default installs that most users will see simply have a different default setting. If you don't like that you can choose another edition or compile Firefox yourself.


And that’s as it should be. The average user gets signed addons and the “advanced” user can jump through some hoops for advanced functionality.


Requiring people to use a buggy beta (this is what betas are!) is not acceptable. I warned about this constantly before they jumped the shark in version 37 and was always downvoted here and ignored at Moz. Well, here's what you get. Another Apple product beholden to corporate power instead of for the user.


> Apple does the very same thing.

As my dear old mom used to say, 'if everyone else were jumping off a bridge, would you?' The fact that Apple constrain their users doesn't justify Mozilla doing the same.

My browser belongs to me, not to Mozilla and not to anyone else: I should be able to load any extension into it that I wish to, just as I should be able to load any program onto my phone or install any root cert in my operating system.


Also, Apple doesn't ground their existence in "we want software to be Free (as in Freedom) and we want you to be able to control your own device to do what you want". If anything, they want something that's mostly opposite.[1]

Mozilla does claim to live up to that standard.

[1] This isn't to say they're wrong; there are legit reasons to want a device with good defaults that are hard to bypass.


"if everyone goes off and gets vaccinated, would you?"

Apple constraints their users for certain reasons which they believe are good for the user (with some negative side effects that Apple also likes). Mozilla likely has a similar motive; doing good for their users.

It doesn't mean every user will be happy with that, the average user will however be better off. The non-average user can then install the developer or nightly edition of firefox or even compile it themselves too get unsigned addongs if they so choose. Choosing the branded release branch of firefox means that Mozilla wants to keep you safe to some extend. This means not allowing third parties to install arbitrary addons into your browser, for example. Users rarely know what they want or if they do, they go about it in destructive ways.

Install the developer edition and you get your "I want to be able to load any extension".


> Apple does the very same thing.

I understand that Apple does everything in its power to make the life of developers miserable (such as requiring a Mac to be used for iOS development), but Mozilla were supposed to be the good guys on the web.


I think you misunderstood there.

Apple's primary aim by limiting the access to the store isn't to make devs miserable, it's to have users trust the app store.

Mozilla's aim is (likely) the same. If a user finds an addon in Mozilla's addon store, then Mozilla wants the user to fully trust that this addon will not violate their privacy in unexpected ways or install malware on their computer or otherwise interfere with them.

Similarly, Apple spends a lot of money on making sure the PR image of the app store is clean. People should be able to fully trust Apple's app store, in Apple's opinion.

That doesn't mean there won't be addons you don't like, it just means that malicious behavior is not allowed. If the user doesn't like it they can remove it without consequence.


But what about the whole "give users control of their machines again"? What if I have an extension originating elsewhere -- say, because I'm a sympathetic person Mozilla claims they encourage learning to code -- and I want to bypass the usual protections.

They still won't let me install it.


You can install it if you use the developer edition or unbranded version, this is fairly well documented.


Sure, if you're willing to forgo the updates and have to manually install each time, or have the updates convert you to the branded version:

https://blog.mozilla.org/addons/2016/07/29/extension-signing...

(Good luck compiling it yourself.)


I compile a unbranded version of Firefox for each released version on my private repository for AUR packages, automated and without the need of intervention at all.

I'm currently running the branded release but I could pick unbranded, beta, dev or nightly editions of Firefox if I wanted. It's not hard to automate and especially with the unbranded version you have permission to distribute the binary that results, a permission you don't have with the branded edition.

You can also use the Nightly or Developer Edition of Firefox as well.


Yes, you could. What about the person Mozilla claims to want to get into coding? They have to choose between getting the regular updates vs being able to tweak their addons.

And do you plan to set that all up in the middle of your workday when a forced update disables your extensions?


Again, you can also use the developer edition, which also allows unsigned addons and has automatic updates but also doesn't disable your extension. It's specifically meant for people getting into coding.

Plus, there is more ways than developing FF addons to get into coding that Mozilla wants to stimulate, developing the browser itself or websites is also an alternate goal you can join in addition to trying out making your own addons.


It is not reasonable for a user-freedom-oriented browser like Firefox to require you to install a separate version to install unsigned extensions. Hiding it in about:config behind a "this is dangerous, are you sure" warning would be the right thing to do here.


I think it's fairly reasonable for a user-freedom-oriented browser that also markets itself as a safe and fast alternative to Google Chrome. This exists to some extend to protect users who will click on any button as long as it makes them able to do what they want no matter how dangerous (which is, for example, why HSTS doesn't have a "Add Exception" button).

Mozilla focuses on maximizing the user's freedom to browser the web without being hindered by harmful addons.

And at the end of the day, Firefox is a Mozilla brand, using the Firefox browser associated with their Brand means to some extend that Mozilla will want to ensure that the average user has a certain experience with that brand. The average user is perfectly fine not installing unsigned addons, which is arguably something the more advanced and above average user might want, who has the full freedom to use a edition of the browser that is explicitly marketed to them, no?


> Mozilla's aim is (likely) the same.

Nothing prevents me from compiling my own binaries and running them on my Mac.

But the issue here (AFAICT) is that Mozilla won't even let you sideload your own stuff on your browser. This is horribly broken.


>But the issue here (AFAICT) is that Mozilla won't even let you sideload your own stuff on your browser.

There's no way to allow that that doesn't also allow crapware / malware installers from injecting stuff into Firefox.


You can install unsigned or foreign-signed addons, you simply need either the developer editino or you use a unbranded version of Firefox (ie, any Firefox binary that isn't branded for Mozilla). It's a compile option.


>That doesn't mean there won't be addons you don't like

But it certainly guarantees there won't be any apps Apple doesn't like and haven't paid the appropriate fee.

It's incredibly naive to think the primary reason for Apple is trust and security. At least as far as their mobile ecosystem is concerned, their control over what the user can run is a major revenue source.


You are aware there is a difference between "primary" and "only", yes?

I'm not saying Apple's intent is pure but there is a primary driving factor behind it, that to my knowledge, seems fairly pro-consumer. Doesn't mean it has other, anti-consumer motivations.


Let's see if I got the hang of this: The average iPhone user can only install software approved by Apple, and their primary motivation for that setup is an anti consumer one.


> Apple's primary aim by limiting the access to the store isn't to make devs miserable, it's to have users trust the app store.

It really isn't. It's to prop up their own services through anti-competitive blocking, to maintain a level of terrifying censorship, and to rent seek on what remains.


That is a good side effect for apple but it's not the primary aim/goal of controlling the app store. They already control the ecosystem by virtue of not allowing sideloading easily so controlling the app store serves little additional effect other than cleaning it up and increasing trust.

It's still bad overall though.


Not sure where you are getting your information, as Apple has publicly stated to its investors that the first and last of those 3 were their actual purposes behind the restrictions on the app store.


[flagged]


That's an entirely separate decision from deciding to control what goes into the shop and by that not really part of the discussion, isn't it? And Apple asking for a fee to allow uploading apps is also a separate issue, after all, Mozilla is doing it without a fee by using volunteers to screen apps.

Both points are true and a problem but it's distracting from what this is about, no?


These arent separate, situations do not exist in a bubble.

These are Apple taking aggressive measures toward developers. Squeezing them and potentially blocking them from perfectly legitimate apps.


They don't exist in a bubble, correct, they are however separate, but again, this is not what this is about.

It still means you can separate the good ideas that apple has from the bad ideas. Not everything Apple does is inherently bad or evil because they do some evil or bad things, no?

And this is simply extracting the good part of apple's store policy; patrolling and checking apps so that users can trust what is in the store.


I develop for iOS on a secondhand Mac mini and commodity keyboard, mouse and monitor. Total cost well under £600, let alone “multi-thousands of dollars”.


That sounds like a potential solution to me.

Still costs more than any other development. Where'd you get your's second hand?


Just eBay.


You can use qemu to run macOS. It's probably agaist ToS, but it works. But it's best to just ignore Apple if you can. It's their problem anyway, if they want to discourage cross-platform developers that don't own or have interest in their HW.


> I understand that Apple does everything in its power to make the life of developers miserable

All XCode projects are automatically code signed on every build. If you have a developer membership with Apple, it uses a certificate issued by Apple. If not, it's just a locally-generated certificate.

If you use make or call Clang directly, obviously there is no signing process, but there is a command-line tool that you can use and integrate into your non-Xcode build process just fine.


How do I run XCode on Linux? Or do I have to spend $2k on a machine that will only be used to run a single build? Speaking of, how do I integrate that mess with my automated build systems? Also, how can I get it to sign stuff without forking over $100 every year?


[flagged]


Please stop breaking the guidelines:

> Please don't impute astroturfing or shillage. That degrades discussion and is usually mistaken. If you're worried about it, email us and we'll look at the data.

https://news.ycombinator.com/newsguidelines.html


>usually the last option means compiling it yourself

The last time I did this it took so long I was able to write my own HTML parser while I was waiting (and I had never written a parser for a context free language before.)


It gets faster after the first run when most components are already compiled or only need minimal recompiling. ccache also helps.


You can use `<profile folder>\chrome\userChrome.css` for that, perhaps. https://www.userchrome.org/


Have you thought about just using Firefox containers? You can maintain containers that have completely separate login sessions with their own icons and colors. I use it to develop and test out 5 different user roles (or whatever) for different web applications, it's very useful.

If interested check this plugin out:

https://addons.mozilla.org/en-GB/firefox/addon/multi-account...


Why must it be online? Can't you package it with the theme? (I have no experience creating themes, but I can package images with an extension. I only have to upload it for Mozilla to sign them, but after that I can download the signed package and load that locally.)


You can use the Developer Edition, Nightly or Unbranded Builds: https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...


Waterfox should be able to do it: https://www.waterfoxproject.org/en-US/


Cursory reminder that using Waterfox is very risky[1] because it takes a huge amount of labor (more than Waterfox has) to secure a browser and because forks tend to be behind the latest patches.

1. https://www.howtogeek.com/335712/update-why-you-shouldnt-use...


You could potentially grab the source and comment out said bullshit and build it yourself, right ;-) That's the promise of free software no?


Yes, I was livid when they did this because there was an extension (Pentadactyl) where I had to maintain compatibility myself by recompiling it.

I wrote this Hitler parody about it: https://www.youtube.com/watch?v=taGARf8K5J8

Text version: officers tell Hitler that he has to upgrade FF because of bugs but warn it breaks his extension again. He dismisses the importance until they break the news he can't install the recompiled extension even if he says it's okay in about::config. Hitler goes ballistic about how that defeats FF's mission to give control back to users.

Climax: "If every tweak must be personally approved by Mozilla employees, why not just shrink-wrap the browser and make me buy it from Microsoft at Best Buy?"

Epilogue (real-life): Mozilla has now broken extensions so badly that you can't recover some of Pentadactyl's functionality, like customizing key commands. (At least, they won't take effect while on a tab until that tab's JS has loaded. Seriously?)

But hey, at least I get Looking Glass forced on me with a cryptic message that makes me think I've been hacked. That's worth the tradeoff, right?


While this is extremely dubious behavior from Mozilla, and reminds me why I stopped donating to them (the moment Firefox started requiring _their_ signature in order to load addons), Mozilla still has the "automated signing API" in place. Supposedly, this API allows to get an XPI signed as long as it passes a series of automated checks. So it's worth a try.

This was the excuse they used anyway when trying to justify their signature requirements were "not a walled garden". I didn't believe it of course.

You can also just mark the addon as "not listed in AMO" when submitting it to addons.mozilla.org and it will not be listed on the store, but it will be signed. More details in https://developer.mozilla.org/docs/Mozilla/Add-ons/Distribut...


I've recently been experimenting with creating an extension, and the automated signing was literally one of the first things I did when I followed the Hello World tutorial. It's very easy to obtain an .xpi that you can distribute to your users yourself.


How do you do this without leaking your code to mozilla?


Out of curiosity, under what circumstances would you consider distributing an extension bundle to be leaking its code? Unless I'm misunderstanding, isn't this the same file you'll be distributing to your users? At first bluff it seems similar to worrying about leaking your website's frontend (I've got news for you...).


It could be a private extension developed by a company internally, and only distributed to internal users.


If it's for an entire company, then it's easy enough to compile your own copy of firefox that accepts extensions signed with the company signature rather than mozilla.


It's really not. Small businesses exist.


If you have the resources to develop an internal company addon, you have the resources to build a firefox that accepts a different signature.


Respectfully disagree - having to rebuild each time patches come out, on multiple OSes and versions, which have a patch to allow unsigned extensions is a massively more time expensive than developing a browser extension, and requires extra knowledge on the behalf of the persons responsible


Luckily it's not necessary: you can still enable a flag in ESR releases that allow installation of unsigned add-ons, so that solves it for company-internal tools.


off-topic: the phrase is, "at first blush"


I don't think you can have Mozilla sign it without letting them see the code.


Aren't extension written in Javascript? Then the source is always visible to users.


They are referring to an internal company tool


"Leaking your code to mozilla"? What do you think they are going to do with it?


Doesn't matter. When developing an internal company tool, it can become a blocker due to policy or legal reasons.


Luckily,when it's internal you can use the ESR release and set a policy that allows it to be installed anyway.


> dubious behavior

When you criticize someone this strongly, it pays to at least acknowledge the reasons they've given for making the decisions they made, even if you don't like those reasons. Here they are: https://blog.mozilla.org/addons/2015/04/15/the-case-for-exte...


The worst bit here is that they aren't explaining exactly which part of the ToS is being violated, and what needs to be done to fix it...


A large part of corporate platform power is due to the ambiguity in decision making arising from the absence of clear and transparent processes or accountability regarding how the rules are applied.

That's just a giant gateway for despotism.


It's unlikely that there's a corporate decision behind this. I wouldn't even call this a corporate platform. Let me copy-paste a comment from further below that deserves more attention:

https://news.ycombinator.com/item?id=18568302

> Here is what the creator actually said

> >One of the community reviewers removed it from the store claiming it violated the ToS, which is BS. The ToS never mentions the word paywall once. Please support me in appealing! https://wiki.mozilla.org/Add-ons#Getting_in_touch

> Which sounds more like a zealous community member than Mozilla taking a position.


I didn't want to imply a corporate decision behind this specific case.

Corporate power arises through the capability alone, not necessarily its frequent execution.

I think that Mozilla is actually a great company to demonstrate how responsible platforms could operate. Past examples might be Pockets non cloud based recommendation engine or their encrypted user account setup.


Aren't they? The only real info I'm finding here is the terse comment from the dev in this thread claiming it was removed for vague "violated the ToS" reasons, but they have not shared the actual wording from the reviewer. It also looks like they have not even initiated voicing this objection to the ruling on the add-on developer forum. Directing your Github issue readers to spam the add-on support channels without providing them any real context seems pretty over the top, to me.


According to an issue for a different/similar addon[0] that got removed:

> "It appears that your Add-on violates the Firefox Add-on Distribution Agreement and the Conditions of Use. Both prohibit Add-ons that violate the law. Your Add-on appears to be designed and promoted to allow users to circumvent paywalls, which is illegal. ... > We are responding to a specific complaint that named multiple paywall bypassing add-ons. It did not target only your add-on.

[0]: https://github.com/nextgens/anti-paywall/issues/109#issuecom...


This would not be an issue at all if Firefox had not jumped the shark in version 37 by implementing anti-user features like requiring Mozilla approval (signed) to run add-ons.


The idea is to protect users, not hurt them in any way. Anyone can sign and run their own add-ons, or offer those add-ons for others to use. The only thing being restricted now is who can distribute their addons via addons.mozilla.org, which seems more than fair.


The idea might be good. The execution is harmful to users, and they refuse to roll it back. That's all that matters. Mozilla has shown this pattern consistently - they have an idea they think will be good for people, and when it ends up being hurtful and damaging not only the core product but the userbase - driving more people to alternate browsers - they steadfastly refuse to see what's going on around them.

Frankly, those of us who went to Pale Moon may as well have been the last rats off a sinking ship.


Firefox is still a terrific browser. Compared to forks like PaleMoon I would even say that it is now much better given the continuous improvements we've seen with quantum and others.

I definitely do not agree with Mozilla on everything, but stating that they are harming their userbase based on your single point of view is moot, to say the least.

And Firefox, a sinking ship with not even rats on board anymore? Come on now.


> The idea might be good. The execution is harmful to users, and they refuse to roll it back.

Howso? I've been using FF forever and I didn't notice this change…


The fact that this benign comment is so downvoted says a lot about the sort of people who are brigading this thread.


I'm glad that all of the addons you use are the ones they've approved of and which haven't been made incompatible by any of the major breaking changes they've introduced in the last few years.


Those seem like two entirely unrelated issues


I don't know the whole story, but I'm inferring that the signing change affected the ability for people to sideload plugins.


That had nothing to do with the move to WebExtensions and the associated compatibility issues though...


I feel that Mozilla's misdirection is one very large issue encompassing many problems.


> The execution is harmful to users

Do you have a source for that? Moz has a ton of data about how harmful to users it was to have an ecosystem full of trashy spam extensions. The leap from "this solution has some downsides" to "this solution's downsides outweigh its upsides" is skipping the most important part of the question.


> Moz has a ton of data about how harmful to users it was to have an ecosystem full of trashy spam extensions.

I wish that this data were available somewhere—not this specific data, but in general. Mozilla's response to community push-back is always "trust us, the data show that this is what's best". If you trust them already, then that might be good enough; but, when this is always their first, and often their only, response to push-back, it's hard to distinguish it from the empty response of someone with no data who wants to avoid questions.


That's fair, but I want to highlight the world of difference between "dubious behavior" and "it would be nice if we had your data to check your conclusions." I'm not with Mozilla, but when I've been in a similar position, it's deeply frustrating to read stuff like this on the internet. (So the healthy thing is really to just stop reading it, which is a shame.)


I consider the fact that they're hiding the data and using it as a smoke-screen to do whatever the corporate side would like to do at the time or an excuse to play with whatever side project the head dev en vogue was playing with, regardless of what the userbase wants and needs to be 'dubious' from the start. So the world of difference is a non-starter in my book.

Frankly, there needs to be more community input, more opportunity to speak & act against wrongheadedness. It's part of why I prefer Pale Moon. If something is asinine, I can talk to the head dev and the team. They'll either show the community their sources for making a change or put it to a vote of the active users.


I can download an arbitrary exe file and run it with a few clicks. It can do anything, install rootkit in my BIOS and of course completely replace Firefox.exe or anything else. What's the reasoning to forbid me to download and run addon? I can already shot myself, very easily. Additional protection does not do any good, only harms users.


People don't seem to understand how dangerous browser add-ons are. Protecting people from eg. malicious add-ons emptying their bank accounts is probably one of the reasons for restricting add-ons.

However, restricting add-on installations to a community-moderated app store model is not a secure enough way to do it. It's hard to prove that it helps at all, but it sure is annoying.


What prevents malware from injecting itself into Firefox process, hook few functions and empty bank accounts? Browser addons are dangerous, sure. But everything is dangerous. I'd say that malware is more dangerous than browser addons. Yet I'm living in a world where it's ridiculously easy to run an arbitrary exe file. Why Firefox wants to make it different for addons? I could understand those measures for iOS Firefox version. May be Firefox could mimic macOS behaviour (need right click to run unsigned app). But making walled garden in the world where everyone can just jump over that fence does not make any sense for me.


If it was just distribution through the add-on app store, that would be one thing. As of Firefox 48 however, in stable builds of Firefox, unsigned addons (which haven't gone through Mozilla's review process) cannot be installed. Period. The about:config setting meant to override signature checks (and allow third-party extensions), `xpinstall.signatures.required`, is plainly ignored in stable versions from this point forward, so it's AMO or bust.

The only way to install an unsigned extension is to install the Beta or Developer builds of Firefox, which still honor the above setting. Or, I suppose, to use one of the many forks of the Firefox codebase that restore user choice.


Let's dial back on the unwarranted outrage. Mozilla expects that people who develop their own extensions will be using the Developer edition. It also expects that people who aren't especially computer-savvy will be using the stable edition. The people crying foul about requiring signing for add-ons on the stable edition are living in a bubble where they don't realize that most people will completely fail to understand the importance of vetting browser extensions, while also failing to appreciate the potentially disastrous ramifications of installing a malicious extension.

Browser extension malware is a big, big problem in a way that some otherwise tech-savvy people in here apparently don't understand. Why are people so quick to ascribe malice when nobody can come up with even a single potential malicious motive for Mozilla requiring signing of add-ons? There's no profit motive or perverse incentive here. Mozilla doesn't make money from this process. Frankly, they'd make a lot more money if they didn't run AMO at all and didn't bother hiring any stuff to run it and vet extensions.


You skipped over a part:

> Anyone can sign and run their own add-ons, or offer those add-ons for others to use.

And this is consistent with what Mozilla says here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Dis...


The specific pain point we ran into was a security consideration: my company needed to sign and distribute a private internal extension whose code betrayed the layout of an internal API. The signing process for stable Firefox requires uploading the extension to AMO, which our management was not crazy about. Sure, anyone can technically do it, but the dependence on a third party service is still there. Ultimately we decided to do it anyway, figuring that the cost of having our support floor run a non-stable browser outweighed the risk of a code leak at Mozilla. But the whole process left a bad taste.

I get where they're coming from, really I do. Malware is a huge problem and the average user has zero clue how to vet extension code. I dunno, I have mixed feelings about the solution. I'm not sure if there's a middle ground to be had.


> figuring that the cost of having our support floor run a non-stable browser

Firefox Developer Edition is stable but supports unsigned addons.

But I can certainly see your point.


Probably better so. Toolbar shit can't install their crapware anymore this way.


I don't want to subscribe, I also don't want to see ads or be tracked. I wish there was a universal micropayments way of paying for what I read.


If you mean automatic micropayments when reading articles then you'll still be tracked, because the payment provider has to track what you read to make the payments and even has to be able to provide a log of it in case there is a payment dispute, so they will store what urls you visit and when.

Without a proper log payment disputes can't be resolved legally.


if there was something like anonymous payments (cryptocoin-based maybe?) then it would be possible without any tracking. In the few cases where you ask your penny cash back because something happened, most companies would just give it back without questions asked assuming they dont get tons of cashback requests from your IP.


That's why they need a log, because there will be cashback requests which people could abuse. And this will not necessarily be only pennies. A penny for a single page, for example, but if you visit many pages of the same site then the amount will be much higher and a user could claim then he has never visited that site and wants his money back.


something similar is happening with ads nowadays. There is tons of fraud in ads and all earnings / payouts are approximate. yet the system works, even approximately. My guess is fraud will be a small percent, certainly tolerable


Seems like there has to be some method to solve this? Maybe the transaction is part of the page load? You don't get the page until you pay via anonymous cryptocurrency. No need for any post-transaction verification and reconciliation? The problem there will be if the page fails to load, how can I safely get a second attempt without creating some kind of "double-spending" problem.


There is.

You can do tracking in such a way only the person browsing has a log. In the case of a dispute, the log file can be revealed to the website so they can determine how to resolve the dispute.

In the undisputed case, the website wouldn't see the log.


> if there was something like anonymous payments (cryptocoin-based maybe?) then it would be possible without any tracking

Taxes mess that up. A large number of jurisdictions charge a sales tax or VAT on sales to people in their jurisdiction and require the seller to collect. Some tracking is necessary in order to figure out what the tax is and where to send it.

That tracking doesn't necessarily have to be at the content provider. The service handling the micro-payments could also incorporate tax handling. The buyer would have to give up personal information to the payment service, but they probably already did when funding their micro-payment account.

It could also be handled by having content providers sell through aggregator sites, with the aggregator sites being the seller to the end user as far as taxes are concerned. Then the buyer only has to give up personal information to the aggregator site, instead of every content provider site that they buy an article from.

Aggregator sites would also help with the costs of dealing with taxes. An aggregator would have enough sales in each jurisdiction for the costs of filing to not be excessive. That's not necessarily true when individual content providers sell on their own sites. Some jurisdictions, for example, require tax collection and payment if you have more than 200 transactions in the past year in that jurisdiction, regardless of how low the total dollar amount is. Sell 200 articles for $0.05 and you've earned $10...and will be paying way more than that in quarterly filing fees.

My prediction is that if we move away from the ad model for funding content providers, we will see a big move toward aggregators for all but the major newspapers and magazines. The websites of smaller newspapers and magazines will just be summaries, and when you click to get the full text it will take you to some third-party publisher that the paper has licensed the full article to, and it is from that publisher that you will buy full access.

I think the aggregator market will end up concentrated in a very small number of aggregators that together have pretty much all of the "professional" content on the web, except for a few major newspapers and magazines that are big enough to justify consumers maintaining separate subscriptions just for them.


GNU Taler solves some of these problems - https://taler.net

> Private

> When you pay with Taler, your identity does not have to be revealed. Just like payments in cash, nobody else can track how you spent your electronic money. However, you obtain a legally valid proof of payment.


Also I'm pretty sure the credit card companies sell your transaction data.


I believe this is the idea behind the Brave browser and their Basic Attention Token https://basicattentiontoken.org


What Brave is doing is highly unethical.

If you don't want to see ads then fine it's your computer.

But Brave is hijacking ads by force then strong-arming websites to sign up to their own shitty crypto currency if they want to be paid. It's basically an extortion scheme, or a mafia stye "protection scheme"


I wonder who's more unethical: The guy who comes in, smashes your stuff and leaves or the guy who comes in, smashes your stuff and leaves a check for you at his place.

I bet that's a common battle ground between consequentialists and idealists.

Fun aside, I don't think the comparison holds up very well. I don't think that anyone has a right to execute code on my devices just because I'm browsing a website. In this concept, "hijacking" ads is completely void of any ethical meaning.

Braves platform attempt is still not very good. A good solution for paying content creators would need to be open, decentralized and accepted by the stakeholders involved.


If you consider the page code, you requested it and it’s bundled in there. Same with CSS and JS used for features.

In that case, you requested the page and allowed them to.


Requesting the code doesn't mean I'm obliged to run all of it. If you serve data to my computer I am free to do whatever the hell I want with it, if you don't like that, don't serve me the data.


I requested _this_ page, then requested the CSS/JS. I then blocked future requests.


When a user views a website using an ad blocker, that website doesn't get paid.

When a user views a website using Brave, that website doesn't get paid.

There may be extra ethical concerns due to Brave's model, but there's no way you can claim that Brave is "strong-arming" websites.


I've read a few threads on this and while I don't want to be absolutist and say you are wrong, I believe it's a lot more nuanced than what you described. My understanding is that the Brave injected ads are strictly opt-in at this point for the user, not the default, which makes it a lot less of a racket imho, but I dislike Brave simply because I don't need it, which seems like a good enough reason to grumble about it.


The economics and game theory of this suggests that newspapers should be forced to cooperate with each other.

Cartelize on-line journalism. Make the 4th estate official. Create a pseudo-governmental entity like the US post office, Fannie Mae, or the Fed. If you have an Internet connection, you have the option, through your ISP, to pay $X towards journalism on the web. Your ISP will then cryptographically vouch for any request that goes from a paying subscriber to a cartel member site, such that the member doesn't know exactly who the subscriber is. If you're on a foreign network provider that doesn't participate, you'd have to get crypto keys and a standalone program (or browser add-on) directly from the cartel (that could make you identifiable), or go through a VPN that participates.

If a request comes in with valid crypto, the response is the requested article, with no tracking, and a cartel-fixed standard for ad content. If it does not, it is up to the publisher as to what to do with the response. Deny. Inject intrusive ads. Infect with tracking malware. If you didn't pay, you get what you get. Cartel members are paid from the common fund via analysis of the server logs, targeting X% of the total amount paid out as potentially lost to fraud (so as to not overspend on analysis and fraud detection). Baseline income is determined by quantity of eyeballs. The cartel can then dole out bonuses for quality--if one of your writers wins the Pulitzer, your paper gets extra money. And it's no big deal if bots are visiting sites, because each bot has to pay in order for its requests to count towards the circulation-based distributions.

I'm sure there are a lot of people out there willing to pay $10 a month or more for online journalism, but they don't want that whole budget to get sucked up by one newspaper, only to get locked out by all the others. And there are plenty of sites out there that can't seem to manage online subscriptions or micro-transactions very well.


It so happens I designed a scheme a lot like this: clients send an opaque payload which the service provider wraps and forwards to an authenticator. The authenticator simply replies with a yes/no statement of whether the user is a legitimate participant in the scheme. The payloads are compared offline to validate that the versions of events given by the user and service provider are the same. There's a lot more needed to make it trustworthy, though.

It took me most of 5 years to obtain a patent on it: https://patents.google.com/patent/US9853964B2

To me the primary advantage would be to open up an untapped segment. There are readers who will never pay, they see ads. There are readers who love a source so much they will pull out their credit card and deal with the hassle of having yet another subscription. In the middle is a large, untapped group who would pay if the transaction costs (pulling out the card, hassle of multiple subscriptions, worrying about how much they're spending etc) were approximately nil.


That sounds like you could just paraphrase it as "Spotify for newspapers".


If you insist on reducing a perfectly readable story to just a three-word sentence, journalism is already doomed.


Journalism is already doomed.


Or "Pravda"


I'd take static image ads without the tracking.


Perhaps a popup prompting for you CC# each time you access an article? Because that seems convenient.

Seriously though, perhaps a "read in" app (perhaps instapaper) which reconciles payment is what you want.


Flattr set out do that, many years ago. They still exist. Brave is trying to address that. There's patreon, and many others. Have you tried them ?


We need something integrated directly into the browser with microtransactions for each page load (or X amount of pages) paid for anonymously via cryptocurrency.


i dont agree with the tracking that goes along with all of them. i shouldnt be recording my action to a bunch of unrelated companies just so i can give a few cents to a website.


Brave records that data locally, none of it is actually sent to any servers. The only thing they know is an amount of money must go to the websites that your browser viewed. They don't record IP addresses or any personal data.


correct, brave is excluded


AFAIK, all tracking (in both Brave and Flattr) happens locally on your device.

Some level of tracking _is_ strictly necessary for a system like this, because otherwise there's no way for the system to know which sites to give your money to.


Your idea is going to be pretty much impossible to legally do in the US, where you need to have some idea of who your money is coming from to operate.


Well... If you can think of a solution, make it because there are lots of other people who also want this.

But without a 3rd party payment system, it seems like you're screwed.


some cryptocurrencies come to mind. unfortunately none has caught up


Google has the ability to get us halfway there, if not more.

The previous version of google contributor was almost a solution.

But it used a bad payment allocation algorithm, it never guaranteed adsense ads would be blocked, and the new version is just a way to subscribe to a handful of sites.

But they also run youtube red, which has the model they need. They just need to copy their own idea.


One way to make this happen is to vote with your eyeballs and attention. If you and other internet users that feel the same way don’t consume from sites without micropayments, they will be encouraged / forced to offer a new way of monetization.


Sometimes I wonder if people actually believe this, because it sounds more like nobody should read anything on the web that is monetized with a subscriber or ad-based business model.

Not even sure how newspapers would be able to figure out that all those readers they are not seeing is because they don’t take micropayments.


> Not even sure how newspapers would be able to figure out that all those readers they are not seeing is because they don’t take micropayments.

By interacting with their users. I’ve written to newspapers in the past asking about their subscription. I remember one ocassion I did it with 2 newspapers. One replied they’d look and I never heard back. The other didn’t reply.

If I write asking if there’s a way to use micro donations and there isn’t or they haven’t heard about that, it might be a good idea to research it.

Another is following news about competitors. ‘We’ve increased readership by x% since we added micro donations’. Or following industry conferences where it might be discussed.


How does that square with not even spending your time or eyeballs or money on a particular site till they support micropayments? That was half of my point.

Do the contents of your letters read “I like your website but I cannot in good conscience support you till you support this specific business model in which I might give you a penny, or perhaps as much as a nickel every time I read an article to support your operations and salaries?”

This particular idea has been kicking around for at least a decade that I know of, and since I don’t tend to hear about most ideas when they’re new, most likely much much longer than that. At this point I’ve been forced to conclude the industry as a whole has probably looked into it and come to the conclusion it just isn’t worthwhile. Understandably, they would need some critical mass of readers and enough papers that matter supporting it and a particularly friendly credit card processing agreement in which the processor would need to be happy with a micropayment of a micropayment. Services like Spotify have somewhat paved the way as well and are demonstrating what the long tail of micropayments actually looks like.


I have found that lowering my threshold for bullshit* has also increased the signal ratio of the content I read by a huge margin. I believe there is correlation.

* includes crippled without JS, ads, paywalls, poor accessibility, etc.


publishers don’t like micropayments because (a) they don’t work, and (b) what people read doesn’t correlate with what’s important.

It becomes a lot harder for journalists to justify spending months on a subject when the business side has hard data showing it brings in barely more than reprinting the soccer scores.

What’s potentially workable is a Spotify-style subscription model.


> (b) what people read doesn’t correlate with what’s important > It becomes a lot harder for journalists to justify spending months on a subject when the business side has hard data showing it brings in barely more than reprinting the soccer scores.

This is already true with the current advertising model.


It doesn't work, since people faced with paywall moe to competition that only has ads. If adblocking is common enough will try harder to make micropayments just work.


> what people read doesn’t correlate with what’s important

What people read does correlate with what's important for them, by definition.


And that's why we have clickbait. Letting people cherry pick exactly what they want is seriously going to hurt quality content. Subscriptions to a wide range of stuff like Netflix and Spotify are perfect. There's something in there for everyone's taste.


It depends on how you define 'the quality'. Letting people cherry pick exactly what they want is the only moral way to provide the news actually.


You don't understand the problem of clickbait. What people say and what they do are two different things, and you need to choose which to listen to.

This is one of the reasons clickbait was so prevalent on facebook a few years ago - people clicked on these so much that they were ranked very highly. But in user surveys, the same users claimed they hated clickbait and wished it wasn't there. So what do you do?


I think it depends on your particular morality.

Is it moral to allow people to only consume the things they believe they need, even if the things they believe they need are only that because they are addictive and potentially harmful?

If allowing cherry picking exactly what they want is the only moral way to provide the news, does that mean all prior forms of broadcast news publication were immoral (e.g. television & radio news broadcasts)?


You are reading this comment. The are billions of lines of text on the internet you will never read. Is this comment strictly more important to you than every single other text on the internet? A comment that includes a nonsense paragraph of just “banana”, repeated over and over?

Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana.


I would love to know more about this definition.

If doing my taxes were as exciting as my reading list I would get much more out of my paycheck.


If the endorphins you get reading the content from your list is more important for you, so be it. You decide what's important for you, and that's the definition.


So your definition would be "Everything someone does is good for them"?

That reminds me of Austrian praxeology.

Behavioral patterns that lead individuals away from their goals do exist. Such irrationality is what most of behavioral economics policy advice is all about.

It's easiest to explain with the difference in long term goals and short term decision making. There it gets obvious very fast that peoples immediate preferences do rarely reflect their stated and consistent long term preferences.


And if the list just makes me upset because the headline lied?

If a site evades my ability to disapprove and stay away from it, it should not be rewarded.


Have you tried the Brave Browser? You basically just requested the 3 primary features it advertises:

https://brave.com/features/


This is a cool add-on, but it does have the side-effect of making cookie-consent and GDPR popups/boxes appear for every page loaded.

Can anyone recommend an add-on for automatically hiding/dismissing such popups?


The following two solutions hide cookie messages.

Fanboy's Anti-Cookie Filters (for uBlock Origin, etc.):

https://www.fanboy.co.nz/

I don't care about cookies (extension):

https://www.i-dont-care-about-cookies.eu/

https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

Here's an interesting discussion about the second solution:

https://github.com/gorhill/uBlock/issues/909


Here is what the creator actually said

>One of the community reviewers removed it from the store claiming it violated the ToS, which is BS. The ToS never mentions the word paywall once. Please support me in appealing! https://wiki.mozilla.org/Add-ons#Getting_in_touch

Which sounds more like a zealous community member than Mozilla taking a position.


yes!!! people don't realize that volunteers review the addons and that sometimes they make mistakes. They start acting as if Mozilla sent an internal memo to kill something when it is usually not the case.


> that volunteers review the addons

I don't think that makes it better. In fact, it's worse.

Why is Mozilla Corporation, a company with gross revenue of $562 million, delegating an important security role to unpaid and apparently unaccountable volunteers?


Thats not how it works. To become an addon reviewer there is a process and it is not like all the reviewers are the same. Again please, don't treat volunteers who are donating their time and effort as unaccountable or as if they don't know security, they are accountable and there is also a staff team working on there. There are a ton of volunteers who are very good with security. Whatever happened between this addon author and the review this is kinda private to them.

I really dislike when people assume that because you're a volunteer that you're unaccountable or less capable technically or security wise than an employee. That is simply not true.

There are volunteers in all places at Mozilla and personally, I think this is great. Also treating Mozilla as a company is not really the ideal mindset. Mozilla is at best a NGO, a foundation, who owns a company for legal reasons, who is also a community, who builds a ton of stuff. It is quite a complex entity to be summarized as "a company should handle this different".


I don't understand what point you are trying to make. First you agree with the OP that the reviews being done by volunteers who can makes mistakes somehow makes Mozilla less culpable, then you jump in to say that these volunteers are just as accountable, technically capable and security wise as an employee would be.

You only seem interested in letting Mozilla off the hook rather than acknowledging the systemic issues that gave rise to this situation.

> Also treating Mozilla as a company is not really the ideal mindset. Mozilla is at best a NGO, a foundation, who owns a company for legal reasons, who is also a community, who builds a ton of stuff.

Except the Mozilla Corporation is the entity that develops Firefox and is a company. That company may be wholey owned by a non-profit, but it is still a company.


Why is Google, a company with gross revenue of much more than that, not doing it at all?

Obviously, the Mozilla Corporation's only stake holder is the non-profit Mozilla Foundation, so they can't pay out much of their revenue to anyone other than their employees (and to those in wages that are comparable with the rest of the industry; they have to publish their finances for that), so they certainly can afford to spend more money on things like that, but they're still trying to avoid spending huge amounts of money on something that can be done just as well in 99% of cases at a fifth of the cost.

As far as I know, they have a system where at least two independent volunteers have to approve an extension and some employees will occasionally check up on things, too, and can revoke volunteers that make mistakes too often or are plain malicious.

So, most of the time, this system will fail on the side of things being disapproved that should have been approved. It will much less often be the case that for example malware will get approved (especially since they also have automated malware scans, which is something that Google has, too).


If you read correctly, it was removed 15 days ago, and we have no idea what's the status since then.


The project creator doesn't appear to have been active for twelve days, and it took fifteen days for a press outlet to notice and report on it. Many things could be causing a delay, it's a busy season and I doubt this is anyone's priority.


Did you try reaching out for the team in IRC or the mailing list?


As a process, that is a flat out awful one.


Thats not the process, that is just a way to reach out for a team as apparently they've been unable to communicate with them. If you think about it it is great that you can actually use some channel to talk to people involved in a product you use. That is not that common.

There is a process, it is through the AMO developer hub page for their addon. What I've been saying here is about ways to contact the team if they want to talk to them directly. From the Addon admin page, from the "review history" page, they have a form to message their review team. Usually, if something happen and by any reason your addon is rejects, you can use that form to escalate and find out why it happened. There is also an email address for escalating this stuff which I am assuming they've emailed already.


If anyone is interested in installing this extension, I uploaded the .xpi file and instructions to install it in an issue on the git repo a few days ago [https://github.com/iamadamdev/bypass-paywalls-firefox/issues...]

Hopefully the maintainer puts the .xpi file somewhere it can be accessed.

edit: someone has replied in the bottom of the git issue thread with a direct install link. use that instead


After reading all these comments, perhaps its time to branch Firefox to something else?

This situation feels like the old Mozilla vs Firefox issue that happened a decade and a half ago. Perhaps the fact that the Mozilla Foundation is treating their browser like an Apple device is the final impetus to move elsewhere?


Unfortunately, with the size and scope of a browser and the sheer numbers of features constantly being added, this is a difficult task. What would be ideal is a company (preferably with financial incentive to do so) maintaining an embeddable, highly configurable form of FF (ala CEF[0]) and then the rest of us can build UI around it.

[0] - https://bitbucket.org/chromiumembedded/cef


you can sign and distribute xpi addons without putting them on the addon marketplace


Meanwhile in useless podcast ads they try to paint Firefox as the parangon of virtue for users privacy.


We need easy to use, non subscription micro payments. I was hopeful Bitcoin would do this but sadly it was never adopted as a mainstream payment platform.


Bitcoin does not scale to micropayments. Lightning could probably help, but the next problem is that Bitcoin's value is way too volatile for broader acceptance (which, I realize, is to a certain extent a chicken-and-egg problem).


Unfortunately, the very design of Bitcoin doesn't lend itself towards micropayments, due to the limited block size requirements. Variations (BCH) and addons (Lightning) attempt to address this, but BTC itself suffers from design flaws that restrict this.


Stellar seems like a good platform for this. I'm investigating myself about implementing this, and it would be awesome.


Hi All, You can reach out to addon reviewers in #addon-reviewers in Mozilla IRC server or shoot an email at amo-admins AT mozilla DOT org.


What I want is something that blackholes links to paywalled sites from search results, hackernews, and social media.


Waiting for the day when news sites start blocking your IP when you circumvent the paywall--to bad there isn't an add-on for that right?


Thank you Mozilla I didn't knew about this very helpful extension.


Is it a matter of liability on part of Mozilla's?

Could they be have been sued?


Boy, ungoogled chrome and brave are looking mighty appeasing at the moment. Im not sure how long I can continue to support mozilla.. Why do they keep doing these things? They can't just be satisfied with what they were?

Profit over all, always and forever.


In your mind, how is this decision one that was made to increase profit?


Now I want it.


HN mods: title is incorrect and misleading, should at least read "Bypass Paywalls add-on removed from Firefox add-ons store". The use of "Mozilla" in the title has caused a lot of confusion in this thread from people who haven't clicked through the link.


Distinction without a difference, IMO. Mozilla has chosen to require this level of curation on Firefox against all complaints in the name of "safety", so they can also take the heat when their process results in an outcome like this. Their browser, their addon site, their decision, their fault.


The idea that AMO shouldn't be curated is baffling. Browser extensions are the biggest malware vector since email attachments named `importantstuff.txt.exe`. The title saying that Mozilla "pulled" this extension is not merely incorrect, it is blatant misinformation.


>The idea that AMO shouldn't be curated is baffling. Browser extensions are the biggest malware vector since email attachments named `importantstuff.txt.exe`.

This is a strawman, the GP did not say AMO shouldn't be curated. [Edit: added missing "n't"]

> The title saying that Mozilla "pulled" this extension is not merely incorrect, it is blatant misinformation.

Mozilla selected, manages and empowers the reviewer who made this decisions. Since organizations are not people, delegating authority like this is the only way that organizations can ever do anything. Therefor to claim that Mozilla did not do this is spurious at best.

Now, Mozilla can disown the decision by saying the reviewer did not follow the appropriate process in making the decision. If that claim is shown to be true, only then would the title possibly be incorrect or misleading. Until then, Mozilla is as culpable for the authorized actions of its agents.


The hard truth is someone has to pay for content in the end. It's either ads or some kind of paywall or micropayment.

It's okay to say no to ads, but then we shouldn't circumvent paywalls. Free content is free only as long as someone somehow still pays for it.


Publishers should take some basic control of the ads on their site, just like it used to be with newspapers and broadcast. Serve them from their own domain, restrict their format (no moving parts or sound, no Javascript at all), vet them for basic decency before publishing. My uBlock Origin setup wouldn't block that.


Good idea, but they are not tech companies, so they likely lack the ability to do so.

I guess they could upscale in tech, but how would they pay for it when they can barely earn enough money to fulfill their primary function?

I don’t think publishers have a problem. I think users do. I hate online news as much as everyone, but I still want deep, intelligent and critical journalism, so I subscribed to a paper which sells it.

It’s one of the most successful news papers of my country, financially, and up until April this year they didn’t have a website. They do now, but it’s basically just a digital version (also available in audio from apps) that you can still only access if you subscribe.

I couldn’t be happier, and they earn money. So maybe the whole free content thing isn’t really a good way to go for either the user or the publisher?


Good idea, but they are not tech companies, so they likely lack the ability to do so.

They'd best gain the ability, then, or fade into irrelevance and die.

And honestly, we're talking about serving a few images from their own webserver. It's not rocket science.


Technically, serving few images is not a problem.

The question arises, what images to serve. Someone has to sell advertisement, find clients, persuade them to advertise with the given site, etc. That's something they are getting with ad networks for free.


Yes, but you can implement all the parent's suggestions without giving that up. Route all the ad requests through trusted intermediate provider on the same .xyz.com domain, where you have all the what-to-serve logic and analytics. Advertisers can then be sure that the numbers of views are legit.


> That's something they are getting with ad networks for free.

Its also not a new problem. Newspapers have always had to have their own add sales department or outsource add sales.


You could easily outsource ad sales while still serving the images unobtrusively from your own server.


Who owns a server today? Even publishing platforms are outsourced or behind nicely packaged SaaS today, not to mention infrastructure services. There is no more "FTP your site to XYZ".


The problem is there are many smaller publishers on the net where a handful or only one or two people maintain a site. They don't have the capacity to look for advertisers or vet individual ads. That's why they use an ad provider which does this for them.

What you say may work for big news portals and stuff, but if this becomes the norm then it will kill the small publishers resulting in further concentration of net content in the hands of the big guys.

So this direction would hurt the little guys and help the big guys, because they have the resources to adapt.


It is indeed unfortunate, although in general the internet will still have lowered the barrier to publish.


actually, google should do that. Review all their ads and give them a rating, then allow publishers to pick only high quality ones. But i guess they don't have the money to do that (/s)


Google will continue to try to track me across unrelated websites, so I'll keep blocking them. I crucially specified "serve the ads from the website's own domain".


I don't disagree, but that's a normative argument about what addons we should choose to use.

My concern, however, is Mozilla putting themselves in the position of making that judgement for their users. Even if we agree that this isn't a good addon, does that mean it's fine for it to be censored by Mozilla?


The guidelines outright state that "Any add-ons, or add-on content, hosted on Mozilla site(s) must conform to the laws of the United States." The issue is that this addon falls in the murky category of neither being clearly legal nor clearly illegal. I suspect that the addon reviewer (who most likely does not work for Mozilla and is only a community volunteer!) felt that an addon advertising its purpose to get around copyright controls would have pushed it over the edge to illegal, even if it's only taking actions that are themselves legal.


What if I accept ads but reject paywalls?

znhy 3 months ago [flagged]

Mozilla shooting themselves in the foot again? Really, these people can't take a break.

What's worse is that both Google and Mozilla are equally vile, so what browser am I supposed to use? In the end I guess I'll go with Brave.


You're kind overreacting here. Addons are reviewed by volunteers. Someone thought this violates the policies and acted. There are many ways to verify what is happening, including talking to the AMO team on IRC or other communication channel. It is not like you can't ask for clarification, it might all just be a honest mistake.


Addon security is vital to the security of the browser. The fact that addons are reviewed by volunteers, instead of employees, is even more ludicrous.


The idea that Google and Mozilla are equally vile is so ludicrous that I wouldn't even know where to begin refuting it.


A lot of my friends have moved to qutebrowser.


Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: