Hacker News new | past | comments | ask | show | jobs | submit login
All Tridactyl installations might get removed by Firefox on Aug 21 (github.com)
114 points by anoopelias 65 days ago | hide | past | web | favorite | 86 comments



Oof, looks like Tridactyls "fixamo" disabled the URL checking for addon installation in firefox, by writing into the user.js prefs:

    user_pref("extensions.webextensions.restrictedDomains", "");
I can see why they'd get yanked over that. I would definitely not expect installing a random addon that makes my browser have vim controls to change a relatively sensitive setting like that.

The developers are now whining about being asked to revert that change, on the grounds that touching the file is a breach of trust (which, they've already done)


The thing is, users that ran this command know what it did. Maybe not in all its detail (I certainly didn't know exactly what it did, although I could have looked for it). That's because for this command to be of any use to the user, they first have to enable the "native client" to enable reading Tridactyl's RC file, which is explicitly stated to weaken the security model Mozilla tries to enforce on extensions.

This isn't a "random plug-in" playing with your security settings. It's a well designed extension which tries its hardest to allow power users to do what they want : control their browser the way they best see fit, without restrictions. If you want to stay safe, just don't enable those settings : they're not necessary to get a good out-of-the-box experience, but they allow some very powerful fine-tuning to turn your browser into your browser, with your commands.


It's explicitly stated that it will weaken the security model, but it's not explicitly stated that it will modify user.js. Now the author is claiming that reversing the change would be improper because it involves modifying user.js without explicitly saying so, but that's literally exactly what they did already.

They are not claiming that the problem is being forced to strengthen the security model without explicitly asking. They are claiming that the problem is specifically being forced to modify user.js without explicitly asking.


> it involves modifying user.js without explicitly saying so, but that's literally exactly what they did already.

We have never modified firefox settings without a user explicitly opting in.

All the documentation for the `fixamo` function named the two firefox settings (as viewable in about:config) that `fixamo` would change.

`fixamo` was an opt-in feature that users were only going to find by reading our help files or asking us on our support channel.

Disclaimer: I am one of the authors of tridactyl.


I've certainly read somewhere that running `fixamo` would modify my user.js. I was fully aware of this fact prior to running the command.


Did they? I just looked up the documentation for this command, and I have no idea why users would have the expectation that it did this.


This is the documentation we provided:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

And

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a

The only way this hurts you as a user is if all of the following occurs:

1. You manually install Tridactyl

2. You manually install our native messenger

3. You manually fun a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read it because it does things you might not like; and then you don't read or edit it

4. You also manually install a malicious addon

5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org

6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.


I feel like vim browsing is better off with a browser designed for it like luakit, and that's coming from someone who uses vimium and tridactyl.

They both get in the way as often as they help. Mirrors my experience with vim-mode plugins for non-vim IDEs/editors too.


I used to be a Vimperator user, then Pentadactyl user, and after that, Vimium user. In all three cases I eventually gave up on 'em because they kept breaking and like you said, they got in the way as much as they helped.

But on the Vim-emulation for IDEs front I would like to send a shout-out to JetBrains for the IdeaVim plugin. IdeaVim combined with the CLion IDE, also by JetBrains, and language specific plugins, help me so massively much when I work on any project that spans more than a handful of files.

In several cases there are projects that I work on with ease in CLion that I could not imagine trying to do with plain old Vim, and there is no other IDE that I have enjoyed using as much as CLion, not even by a long shot.

I have nothing but good things to say about CLion and of JetBrains. Unless they do something drastically weird to CLion they likely have a customer for life in me.

IdeaVim is not a complete emulation of Vim, but it is a complete emulation of the parts of Vim that I use and expect, so I am very satisfied with it.


Whining developer here.

The documentation was this: https://github.com/tridactyl/tridactyl/blob/32ac11fe9d432190...

A fragment of that documentation would have been displayed in our tab completions as fixamo was typed.

As many other replies have mentioned, it was only ever run if users installed our native executable, and ran `fixamo` themselves.


Thanks for developing Tridactyl.

It's sad how Mozilla killed Vimperator with the transition to WebExtensions. And how many of its features still cannot be replicated in Tridactyl, which I otherwise love, despite all your efforts.

Due to the new addon model, addons don't get the chance to run till the page finishes loading. So e.g. a 404 or a slow page force you to revert to standard keybindings which ruins the immersive Vim user experience.

Mozilla should perhaps create an API for privileged extensions. I know the userbase is small. But it's a very important userbase to keep the platform healthy.


There is some prior for this in that they actually already have a "God mode" permission [1] that they grant to some of their own extensions such as the screenshot tool (which might not be an extension any more). I don't think they'd let us have it, though. It would be really nice to work on PDFs again!

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1456485


I should probably also point you to this comment - https://news.ycombinator.com/item?id=20719678 - some interaction before pages load would be possible if that keyboard-api was brought up-to-date and merged into Firefox.


Thanks. I had heard about keyboard-api somewhere in Tridactyl issues page I think. Probably in the issue linked in that comment.

I'd love to see Mozilla helping a bit by enabling APIs that are necessary to make Tridactyl as immersive as Vimperator was.


And mouse, gestures have to have such garbage responsiveness right now.


And don't work on "privileged" pages.


This was never done automatically.

In fact, I did it manually to enable umatrix and tridactyl on AMO as I hate not being able to use my regular keybindings everywhere.

I'm doubly pissed at Mozilla here. I'm tired of being baby-sitted. Quantum killed half of what I was using before. And trydactyl still cannot do half of what previous extensions could do.


[flagged]


If that's the best argument Tridactyl can marshal, there isn't much controversy here: Tridactyl will lose, and be blocked by Firefox.


The arguments made by tridactyl developers to Mozilla are published in the linked thread. There is no need to speculate.

We don't complain about walled gardens.


In that thread there's stuff like 'Add-ons before WebExtensions could access the AMO fine and the sky did not fall in' and similar sentiments expressed in the issue post itself. It also seems like a thoroughly unwinnable argument, you're basically saying Mozilla's security policies are pointless because things were just fine as they were. They obviously disagree profoundly and aren't going to be convinced by this.


This is a misrepresentation of our argument.

The very next sentences are:

"I am happy to be corrected on this. If you have any specific explanations you would like me to provide to our users, I would be happy to pass them on."

We also supported Mozilla's choice to move away from the XUL API.

I and most of the other core contributors are in favour of of capabilities-based security with explicit permission granting, not just in Firefox, but in general.

We believe that it should also be possible for users to have their software do what they want it to do. Part of that is letting people make their own decisions about what level of risk they are willing to accept.

We are reasonable people. We have been told in non-specific terms that something is unsafe that we think is useful and reasonably safe. So we have asked Mozilla (several times) to explain how it is unsafe so that we can update our beliefs if necessary.

We are asking because we know from experience that Mozilla employees generally have a lower tolerance for risk than us (the developers of tridactyl) or many of our users. Fundamentally, that is OK, but here Mozilla is asking us to do a bunch of work and change our code in ways we don't really want to do so that it more closely matches their risk tolerance than ours.

They can choose to manage their ecosystem how they like, but we in the ecosystem rightly also get a small say.

So we are asking them to say why and trying to negotiate a compromise that will be acceptable to all of us.


This is a misrepresentation of our argument.

It's a quote from your own devs in your own thread, and there are other similar ones. I don't know what your exact argument is but what's there sounds adversarial and reads more or less like telling Mozilla, Morrie Kessler-style, that they're being an unconscionable ballbreaker. There's probably some better, clearer way to present whatever it is you have in mind. Morrie didn't win the argument either.


The devs in the thread are those with [member] in their name. Which might just be me and bovine3dom.

None of the dev team believe that Mozilla are acting unconscionably. We believe roughly what I put in the post above.

E: and sure, it is a quote, but the immediate context matters.


I refer primarily to depriving us of XUL extensions, not of Tridactyl's particular situation.


It looks like you had to run the command explicitly to do that though, and that it wasn't done by default, so it seems pretty kosher to me if they had appropriate warnings (and I think the issue says they did...)


As far as I can tell from a brief check, it just says it "fix tridactyl on addons.mozilla.org".

But it's overriding a fairly useful setting, one that we use internally: By preventing webextensions from running on "sensitive domains", which includes AMO by default (since that could allow an addon to install more addons and bypass or hide the user prompts, I gather), but it would also include any other domains you've marked as sensitive.

I don't use Firefox at work unfortunately (because of https://bugzilla.mozilla.org/show_bug.cgi?id=963354), but we generally want to allow users to install addons on non-sensitive sites.

Internal domains that are much higher risk, and may have regulatory requirements around who can receive data on them (eg, because of GDPR). So we'd use a setting like this (or the equivalent in Chrome) to restrict addons on those very sensitive sites. Having addons like Tridactyl that undermines that is a big red flag.

I admit I don't fully understand all the nuances here, but it seems like Mozilla's stance closely aligns with what I'd expect here.


Disclaimer: I am one of the authors of Tridactyl.

We did actually set another firefox setting that means that webextensions cannot access the privileged JS environment on AMO (to my knowledge).

We have invited Mozilla several times to provide some text for us to share with our users explaining what the issue is and they have demurred.

I think for 99% of users, if a webextension can run on all pages (which many do) it can hurt them a lot more by stealing credentials (which is quite easy) than by installing other addons (which is hard).

Sure, we could have included some more warnings but 1. we did document clearly what we were doing if anyone wanted to check up (we were just automating the advice given in several blogs); 2. I think I talked to some mozillian's about it at the time, and they were unconcerned, but maybe not, could have been a similar other issue; 3. last time I looked there was no good explanation of why this is actually dangerous anywhere.

For reference, the exact messages provided to users were:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

And

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

---

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a


Fundamentally, Firefox is forcing the addon vendor to overwrite the users.js file without the users permission. What's more, these users only got this overwrite by explicitly allowing it.

So on one hand the reviewer is saying modifying the users.js setting without explicitly saying what it does, even though it required a separate process, was a bad thing to do. And their way of rectifying that is to do the same thing, only this time without any user interaction.


IIRC the reason AMO is sensitive is because the browser injects a "control the browser" object into the page. The first pref Tridactyl sets is to remove this privilege escalation, the second (in top comment) is to remove the restriction on addons accessing AMO. Perusing the original bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1415644) the main concern overall seems to be stealing browser history through Firefox Accounts. But as the reviewer says, "I'm not really clear what we're protecting here, feels like a bug in search of a problem."


The fact that third-party addons can even touch sensitive settings in the user.js prefs is a massive security flaw in Mozilla's implementation of the WebExtensions API. Addons should be sandboxed/containerized or require privilege escalation before touching files on the disk.


It uses native messaging with a Python script: https://github.com/tridactyl/tridactyl/blob/master/native/na...

I don't think anyone who uses Tridactyl is worried about its security, it has a permissions list 15+ lines long.


This. The whole point of this security feature is to prevent extensions from interfering with Mozilla pages. What's the point of this when addons can bypass turn it off themselves?


Only extensions that have a native messenger can do this (which requires users to accept a scary sounding permission and install a separate application on their computer)


and it wouldn't. You explicitly have to install the native messenger and run fixamo, which in the rc file for tridactyl explictly mentions what it's about to do


"Users should not ever do this"

Overall authoritarian tone aside, that's the one phrase from the reviewer that really pisses me off; what happened to Firefox being the browser that "puts users in control of their online experience" (or whatever the variants thereof which have appeared numerous times in the Firefox marketing material/slogans)?

Instead, it seems now that Mozilla have built their walled garden, they are reluctant to let it go and have really acted against the principles upon which it was founded and gained much of its user/fanbase, all in the name of "security". The demand reads more like it came from an Apple app store reviewer, not Mozilla.

It is almost exactly 4 years ago when Mozilla started to build the walls of their garden, and some of the comments on the discussion there are well worth reading: https://news.ycombinator.com/item?id=10038999

The saddest thing about all this is that today's browser "choice" is really between the even more restrictive Chrome-clones and Firefox, and the latter is slowly edging in that direction too.


The problem, as usual, is one of user education. Some users fully comprehend every detail of the consequences of their actions, some users blindly do whatever anyone tells them, or even just flip every switch the opposite way around to see what happens, and there are millions of users at every point on the spectrum between those extremes. It's not practical to ship different browsers tuned for different points on the spectrum, and even if it were, you couldn't guarantee that people would download the browser most appropriate for them, they'd download whatever looked nice at the time.

So you have one browser distribution, with one set of defaults, and on one hand you want educated users to be able to configure things to their liking, while on the other hand you want to prevent uneducated users from screwing themselves over by accident, or because somebody told them to open the secret Developer Console and paste a funny-looking string to see a picture of a bunny.

There aren't really any good answers.


It's not practical to ship different browsers tuned for different points on the spectrum

For the longest time, that's how it was. The browser at one end was called Chrome, and the one at the other was called Firefox.

while on the other hand you want to prevent uneducated users from screwing themselves over by accident

As the saying goes, "Freedom is not worth having if it does not include the freedom to make mistakes."

The whole "protect the users" mentality is IMHO misguided and dangerous, because it's basically one individual or a small group making the argument that taking away individual freedom (and thus giving more control to those in power) is "better for everyone". The road to hell is paved with good intentions. Incidentally, that's how a lot of dystopian sci-fi looks like...


> The browser at one end was called Chrome, and the one at the other was called Firefox.

Firefox was originally the simplified, cut-down version of Seamonkey; Firefox has been on this trajectory of simplification since before Chrome or WebKit were invented.

> The whole "protect the users" mentality is IMHO misguided and dangerous

It's definitely dangerous - good intentions, dystopian sci-fi, etc. etc. - but I'm not sure if it's misguided.

I don't mind being forced to follow road rules, even if I find them inconvenient, because I benefit more from other people following them (personal safety, etc.) than I would from being allowed to do what I want.

I don't mind being forced to install security updates, even if I find them annoying, because I benefit more from other people installing security updates (more reliable infrastructure, fewer tech-support calls from family members) than I would from being allowed to do what I want.

I expect browser security is similar - I don't have exact numbers to hand, but it wouldn't surprise me if I'm better off being a bit restricted than I would be if everybody did what they wanted.


> some users blindly do whatever anyone tells them, or even just flip every switch the opposite way around to see what happens

So... let them? It's not like they typically wind up harming anyone other than themselves in the process. I don't understand why it is considered okay now to run the whole adult world like a kindergarten.


Using computers is essential to the jobs and social lives of huge swaths of people, and providing safe tools to accomplish those goals is a very valuable social good. In particular, most people who use a computer don't have the time or the interest to really learn the details of computer security or how the internet/their web browser works, nor do they really have a choice as to whether they use these technologies in the first place. The upshot of this is that any time a browser vendor takes time and good-faith effort to try and keep the metaphorical gun pointed anywhere other than firmly at the user's foot, we (as folks who /do/ understand computer security to some degree) should honestly be celebrating it.

It's not running the world like a kindergarten, it's building good and useful tools using sound engineering practices--something admittedly foreign to most web developers, but the rest of the adult world embraced the idea millennia ago.


By treating all users as hopelessly incompetent we are making great progress towards a society that is less tech literate than 10 or 20 years ago.

Nice work guys, keep it up!

Seriously: it is one thing to add airbags, seatbelts and all kinds of crash protections but at the point where you are geofencing the cars, weld the hood and limit max speed to 60km/h you know it isn't about safety even of each of those can be proposed as a safety feature for smaller or larger parts of the population.

It is about control. Or I'm tempted to say it could also be about software designers who are more nannies than engineers and user advocates.


Please don’t lose sight of the fact that this discussion is occurring in the context of Mozilla reprimanding an extension developer for not putting a big enough warning label on what they view as an extremely dangerous—but ultimately allowed—action.


> Using computers is essential to the jobs and social lives of huge swaths of people, and providing safe tools to accomplish those goals is a very valuable social good. In particular, most people who use a computer don't have the time or the interest to really learn the details of computer security or how the internet/their web browser works, nor do they really have a choice as to whether they use these technologies in the first place.

What business do those people have "[flipping] every switch the opposite way around to see what happens", then? I think expecting users to have some humility when using technology they don't understand, or to be prepared to take responsibility for the consequences if they don't, is rather different from and much more reasonable than expecting them to "learn the details of computer security or how the internet/their web browser works".


Tridactyl is a wonderful piece of software. My problem is the assumption that it’s unacceptable for an extension (which has a native messenger) to have the capability to modify Firefox when explicitly told to by the user. I use tridactyl, and plenty of people do, but realistically, the entire audience of an extension that gives you vim keys is highly technical, and can be expected to read the docs. Making the software edit personal files on disk when not asked to explicitly by the user is a breach of my trust model. It’s not as though fixamo is run on startup, it’s something you have to do explicitly. I’ve never run it, nor do I use the native messenger. This reviewer is totally out of order as far as I’m concerned.


If anyone’s looking for a browser with deeply integrated vim key bindings then check out qutebrowser. I’ve been using it for about a month now and it’s pretty great. Only downsides for me are lacking support for my yubikey, and questionable security. I’m not saying the security is necessarily bad (I think the actual browser is based on chrome), just that I don’t have as much confidence in it as I would in stock chrome or Firefox.

https://qutebrowser.org/


The adblocking/script-blocking capabilities (described in #9 and #10 in their FAQ: https://qutebrowser.org/doc/faq.html) are extremely weak and inconvenient (and their claim about the negative impact of adblocking is outright false).

Those are probably the two most important capabilities for security, so the lack of them definitely means I'd never want to use it for general browsing. I'd much rather deal with weaker keybinds than sacrifice that much on the security and privacy side.


I know it's a pain for new browsers to support, but I can't imagine myself running any browser right now (even experimentally) that can't install UMatrix and UBlock Origin.

If you want me to try out your browser, you have to support the WebExtension API -- you can support other APIs in addition to that, but WebExtensions are a minimum requirement. I guess Chromium doesn't bundle them, so it's harder for smaller browsers to add the same capabilities?

I'm not sure how Vivaldi and Brave handle it.


There's https://gitlab.com/jgkamat/jmatrix https://gitlab.com/jgkamat/jblock and https://gitlab.com/jgkamat/jhide - not the real thing™ but probably coming close.

Supporting WebExtensions isn't possible without QtWebEngine (the library qutebrowser uses) doing so. That might happen some day, but will probably still take a while.


It's easier to claim that a real adblocker is a net negative for performance while implementing in a slow language than admit that they can't realistically do better this decade due to the complexity of the task and the fact that it's basically one guy's part time project.


Looks like U2F works for most sites with Qt 5.12.4 (though I haven't tried myself yet): https://github.com/qutebrowser/qutebrowser/issues/3043#issue...

As for security, see point 8 at https://github.com/qutebrowser/qutebrowser/blob/master/doc/f... for some thoughts on that.


You can argue for or against `fixamo` as a command, but Mozilla's position seems to be that even documenting the ability to turn off restrictedDomains anywhere is not allowed.

Among other things they're asking the author to censor the command from his personal dotfile. That's not justifiable and makes me really disappointed in Mozilla.


The "personal dotfile" that's lives in the same repo as the extension and is recommended as an example in its documentation, and only documents these commends as "Add helper commands that Mozillians think make Firefox irredeemably insecure". If you want to signal to a reviewer you're not taking them seriously, that's the kind of thing to do when they ask you to remove code.


`fixamo` was first removed after an informal request via informal channels from someone on the Firefox security team. The comment wasn't intended as a jab at a reviewer who didn't exist at that time; I was just tickling myself as is my wont.

I'm sorry if it offended anyone. I'm generally really appreciative of the work reviewers do.


Ah, I had missed that aspect. That paints it in a different light.


In our defence

1. that's a perfectly sensible comment to suggest that you should probably look it up on your own if you care about security.

2. The command did document exactly what it did in the same manner (or more detail) as the blogs we got it from.

3. We invited Mozilla to provide text for us to comment it with and they didn't give us any.

Edit: And as bovine3dom says, this was done in response to an informal request by someone reasonably friendly to the project.


I can kind of understand why they want the developers to remove the line from people's user.js file, but why can't they tell the users when they do this? Why do they have to do it "without user interaction?"


I'd interpret as that they can tell users they did it, but they have to do it without the user doing anything.


Genuine question: can Mozilla prevent Firefox from allowing an extension to be installed _at all_, or is this more a matter of de-listing an extension from the Mozilla directory?


It depends on the version most release builds of Firefox require addons to be signed by Mozilla with the exception on Linux and developer versions. You can also change this by compiling yourself.


While I was initially pretty shocked that Mozilla would make a walled-garden move like this, doing it on the mainline release (for a primarily non-technical audience) and not holding the same requirement on dev and nightly builds actually feels like an appropriate balance, if that is indeed accurate.

Probably near 100% of Tridactyl users would be comfortable on at least the dev version of FF; it may be that an appropriate remediation would be to offer the `fixamo` functionality on an unsigned extension release only.


Vengefulduck's description is accurate:

1. Signing is required via a compile-time flag for official builds of Firefox and Firefox Beta.

2. Signing is optional in other builds of Firefox (Unbranded, Developer Edition, and Nightly), and follows the `xpinstall.signatures.required` user preference.

3. On Linux, add-ons installed in `/usr/{lib,share}/mozilla/extensions` are exempt from signing.

4. Add-ons manually loaded via "Load Temporary Add-on" in about:debugging are also exempt from signing.


It's accurate. Mozilla's intention was that Firefox couldn't be exploited by malware installing dodgy extensions, thus they want most people's installs of Firefox to reject unsigned extensions. But people who know what they're doing are free to download unsigned unbranded builds.


FWIW, I tried the dev edition (which is essentially Firefox beta) but I stopped using it as I kept running into bugs. A release that wasn't more buggy but allowed unsigned extensions would be nice.


I have been using exclusively dev and nightly for at least two years, and have only very occasionally run into issues. Of course, my usage is pretty typical web browsing, outside of using the dev tools.

It’s been long enough now that the normal colorful Firefox logo seems weird.


I wrote this to help with that exact same problem: https://github.com/A1kmm/enable-unsigned-firefox-addons


There's a built-in extension blocklist which also gets updated remotely.

https://hg.mozilla.org/mozilla-central/file/tip/browser/app/...


More on the policy for said blocklist: https://wiki.mozilla.org/Blocklisting (2008-11) https://support.mozilla.org/en-US/kb/add-ons-cause-issues-ar... (2012) https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO... (2019)

The expansion from "we block malicious add-on versions" to "we block add-ons with known stability or security issues" to "we err on the side of security" does not bode well for the future of hacking cool add-ons.


What about a fork that only differs in allowing a second more permissive addon store.


Settings change over time and maintaing any fork is hard. Maintaining a fork of a modern browser is a sisyphian task. Even compiling it is no joke.


This is more what I’m concerned about. Does this only affect mainline FF or dev/nightly as well?


Yes. All extensions have to be signed by Mozilla, even if they're distributed outside their directory. The only way would be able to install it is by downloading an unzipped version and sideloading it. However, it will be removed if you restart firefox, and you will have to re-add it.


I am one of the developers of Tridactyl.

This dispute is because Tridactyl used to provide a function that users could choose to run that would change two of Firefox's settings (the kind you find in about:config). Changing these settings allows addons to run on e.g. addons.mozilla.org and accounts.firefox.org where they otherwise cannot. The change we made is the same change that several blogs had already talked about and suggested.

Here is a relevant bugzilla thread that motivated the creation of the blacklist that we turned off, so you can see what Mozilla thinks: https://bugzilla.mozilla.org/show_bug.cgi?id=1415644

A mozilla employee informally asked us to remove this function for security reasons (and we did). Later, an AMO reviewer asked us to change users' Firefox config automatically to remove these settings. We would rather this were made an explicit choice for Tridactyl users and we're trying to negotiate a compromise with the reviewer.

This is the only plausible route to exploitation of this situation that I know of, assuming a user acting before we removed the fixamo command:

1. You manually install Tridactyl

2. You manually install our native messenger

3. You manually run a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read and customise it because it does things you might not like; and then you don't read or edit it

4. You also manually install a malicious addon

5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org

6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.

---

Some people have opined that our documentation for the command was not explicit enough. My opinion is that it's good enough and about on par with other resources that talked about the same settings. It would be better if it was more explicit about the security risks, but we provided fairly complete information about what we were doing and a link to the source code.

This is the documentation we provided:

In the "Webextension caveats" section:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

In the docstring for fixamo, partially displayed if you type fixamo in the commandline and also included in the help pages we encourage users to use with e.g. `:h fixamo`:

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a

We also included a variant of the fixamo command in the exemplar .tridactylrc file (not used unless you have also installed the native messenger and also explicitly found, downloaded and installed the exemplar). This file includes this text at the top:

"Provided only as an example.

Do not install/run without reading through as you may be surprised by some of the settings."

And this text right above the fixamo line:

"Make Tridactyl work on more sites at the expense of some security"


Okay, so I presume that: - development of Tridactyl stops? - there is no way to run it on fresh/updated versions of FF on Win10?

That sucks.


No. Check the latest updates in the github thread.

1. We will release an update that we think is compatible with the AMO reviewers' demands. 2. You can just read the readme for the project on github for a non AMO but easy way to install it.


Well, perhaps the Tridactyl devs should move back to XUL and explicitly support Pale Moon & Basilisk. It would be a strong move since Firefox won't support them or their users.


FWIW, there's at least one (minor) change that was made to Firefox to help out Tridactyl - https://github.com/tridactyl/tridactyl/issues/792.

Mozilla also were happy in principle to allow us to intercept key presses on all parts of the browser last time we spoke to them a couple of years ago; we just need someone to write that extension to the WebExtension API - https://github.com/tridactyl/keyboard-api.

Rewriting Tridactyl in XUL is not something I would wish on anyone.


Have you considered working with either Pentadactyl or Vimperator?


I miss pentadactyl. I actually support everything about the WebExtensions move but it hurt to let go of my favourite extension.


If you're running an XUL browser and want this functionality, you should just use Vimperator: http://vimperator.org/vimperator

Tridactyl only exists to bring that functionality over into Quantum-branch Firefox.


It would be a poorly thought out idea with zero merit and lots of downside.

Edit: To be clear

- Tridactyl for xul already exists its called pentadactyl

- Rewriting Tridactyl in xul is basically creating pentadactyl from scratch. This is a lot of work for no reason.

- There are many legitimate improvements that have come into being between firefox 38 which is what Palemoon basically is and 70 which you would lose.

- It's highly unlikely that a fork of firefox 38 by a few acceptably skilled developers has the chops to keep up with what mozilla can do with millions of dollars.

- Your browser is the most dangerous app in your system running an old version means that anyone with access to the list of patched vulnerabilities for current firefox may well be able to trivially turn these into exploit vectors for old versions.


Responding with boilerplate at first because your comments are predictably wrong.

> - There are many legitimate improvements that have come into being between firefox 38 which is what Palemoon basically is and 70 which you would lose.

> - It's highly unlikely that a fork of firefox 38 by a few acceptably skilled developers has the chops to keep up with what mozilla can do with millions of dollars.

> - Your browser is the most dangerous app in your system running an old version means that anyone with access to the list of patched vulnerabilities for current firefox may well be able to trivially turn these into exploit vectors for old versions.

* https://forum.palemoon.org/viewtopic.php?f=4&t=21626 "Rumor: "Pale Moon is just a rebranded rebuild of an old Firefox version" Rumor: "Pale Moon is an obsolete and insecure version of Firefox" FALSE Pale Moon has been on a divergent path with its own code for a long time already. It was a rebuild in 2009, yes. It was a rebuild with minor changes in the Firefox 4.0 era, yes. But we've come a very, very long way since then with an increasing amount of different code being carried over each time it was re-based on later Firefox code. It's a true fork now, building on a completely independent fork of Mozilla code called the Unified XUL Platform (UXP) and has employed rapid development (as opposed to rapid release) to solidify this independent direction with its own focus and attempt at keeping the browser sane, lean, and offering users choice and stability - not corporate strong-arming or gadgeteering. At the same time, Pale Moon's strong focus on security/privacy and evolving networking standards has added features and kept pace with those developments in other browsers, by e.g. adding TLS 1.3 support the moment it was standardized, by keeping a close eye on encryption and the browser's security by continuing to port or re-implement security fixes that apply to Pale Moon as a browser and the underlying platform. It is neither old nor outdated, it is not a "rebuild" and it does not use obsolete technologies and does not have known security holes or vulnerabilities."

* "Rumor: "Pale Moon is a one-man show and does not have the manpower to keep up with Firefox/the modern web" FALSE Pale Moon is not "just me" and hasn't been for the majority of its life. There are some talented and dedicated people at work in our community to make Pale Moon what it is, and actually has seen support in many ways by many people over the years. Despite e.g. the WikiPedia article for Pale Moon just talking about "Straver this" and "Straver that", the fact that I am the one leading this project and holding the keys and making the overall major decisions about direction doesn't mean that no others are involved. That would be the same as saying that Bill Gates single-handedly wrote the Windows O.S. or that the Mozilla CEO is the only one working on Firefox. To name a few other people currently actively helping with the project's core development: Matt A. Tobin, Travis W. ("trava90"), "JustOff", "Ascrod", "kn-yami". Don't forget our beta testing team, or the people reporting issues while using the unstable channel builds, either. Or the people helping with extensions and extension compatibility or theme porting (thanks FranklinDM and Ryan C.!). Or even the community as a whole providing support to users. Also hats off to all the people doing translations for our language packs. I can go on. One man? I think not. Of course since it's crowdsourced, it's easy to forget the numerous people in the background who play their part, but please don't forget them."

On the other hand, the Pentadactyl discussion is valid.


Can you point out the end results of the rapid developmentby the Palemoon team.

Specifically what if anything it offers over firefox 38?


Well, aside from compatibility with certain web proposals and specs, a complete lack of tolerance for WebDRM/EME, and a couple basic things like that, I couldn't really tell you; because 99% of my web browsing could be in Lynx for all the garbage I don't download (ECMAScript, many images, ads, etc). Most of the development they do is for users with different use-cases than mine who want to do more things in their browser that aren't text and hypertext links.

The biggest upside, to me, is that what it offers customizability in the UI, that the settings actually feel like they mean something (when I turn something off, it stays turned off) and that addons/tools like Eclipsed Moon and Pale Moon Commander are made to actually protect my privacy. Oh, and there's the other big thing, that it's not taking money from Google or making money for Google. So, y'know, offering a Web Minus Alphabet is a good thing.

Oh. And it still runs in a single process on my 32-bit computer, so it doesn't seize up, cause my HDD to grind, and force a reboot every time it launches. Chrome, Electron-based programs, and e10s-Firefox all do that, and I've had some pretty spectacular crashes that required using a system restore when something I installed also tried to sideload Chrome with it. Thankfully I identified the culprit, went to a restore before the install, sent a nasty email to the people who wrote it, and went on with my life.


32 bit only cpus mostly died out in 2006 and even most and later all crappy intel atom cpus were 64 bit by about a decade ago. Unless you are running a computer museum I'm not sure what the point of this. New Firefox is actually faster than old firefox on hardware that people actually use.

If you want to really blow your mind either buy a $50 SSD or stop your antivirus "real time shields" from slowing down all filesystem access.

If you are force rebooting when you start it my best guess is that your intel atom with 2GB of ram is starving and thrashing.

The more them able ui is an artifact of sticking with older tech not specific work by Palemoon devs.

We are left with a front end for select settings in about:config and even less interesting extensions.

Underwhelming.


My dander's up over that indictment of my use-case, so this is probably going to sound like a rant, maybe even a counter attack. It's very nice of you to live in the future and dictate what my budget should be. For those of us living in the real world, in situations where we don't have a successful "upgrade budget" more than every 10 or so years, it's the way of the world. I don't care about keeping up with the bleeding edge, I just care about keeping up with what works for me on this particular hardware/software combo. I bought this machine used in 2011, when I upgraded from a WinXP machine which, although it's still working perfectly well for everything but "modern" internet use, for some stupid reason just isn't good enough anymore to connect to a server, download a couple lines of text, and render it. But it can still play video games, run software (office, graphics, audio recording and processing, etc), and give me something I can type on which doesn't waste ink or paper. It can load software to read PDFs & ePub files so I can read books. It can load VLC so I can play my DVDs. But it has trouble dealing with the Internet.

Come to think of it, I think that's going to be my daily driver again for all those reasons.

Older hardware and "tech", to me, is uniformly better in comparison to the latest and greatest nonsense that "web developers" want to push down the pike. All you want is to take more of my system resources and put them on the Internet. That's not acceptable to me in the slightest. Your "newest technology" is my newest horror and the reason I've most recently questioned the value of computers as a whole. Taking one iota of control away from the user is wrong. Giving the user a structure which can be 100% customized with emergent properties the developers might not have had the forethought to include is what all software with a UI of any kind should be looking to do. Simply put, you are not the NetHack Dev Team. You do not think of everything.

As I said, I don't use most of the features the browser includes. I don't care about them, and I know that I never will. The older I get, the more I see the value in the method Stallman uses of downloading a page, parsing it to clear out all the gunk, and then displaying it locally on a non-connected machine.

There's stuff in there I think is horrendous, like all the stuff for ECMAScript. There's stuff I like, such as the full choice of theme and function, the fact that my settings are mine - not yours, not Mozilla's, not Google's - mine. But I respect that it's got value to some people who want to turn it on. I'm not a person who's going to tell you what bleeding-edge new feature they're missing. I'm a person who can tell you that this program does a reliable and remarkably thorough job of displaying downloaded HTML in the way I desire to see it. It lacks any really good gopher or telnet support, but I cannot ask miracles.

My use-case is not the standard and I recognize that. You asked me a subjective question. I gave you a personal answer. And now you're telling me the only Internet-facing software I see being even marginally decent is 'Underwhelming'? Your seeming lack of understanding when it comes to the nature of real life is underwhelming to me. Try the software for yourself. If, after using it with an honest attempt, you prefer to be led by the nose by Google and its cronies, then by all means i cannot prevent you; nor would I want to. I'll lag back and wait to see the problems before they reach me.


Hey I sympathize with your use case. My only machine right now is a 2014/15 laptop I bought for $275 a year ago. My desktop from 2008ish gave up the ghost and the laptop I had before this one was a 32 bit machine I found in a thrift store for almost nothing. This post is as I type being composed in Emacs.

In order to deal with a constrained environment I ran i3wm instead of a complex environment. I adjusted some scripts/configuration that seemed OK on a faster machine but sucked on the underpowered one. I autostarted almost nothing in the background. I kept it to a minimum of tabs.

The problem with running an old version of Firefox as a strategy to deal with an older machine is that older builds are actually slower and the tabs are in effect javascript applications that in fact do have all the defects you ascribe to them regardless of which Firefox they are running on.

Yes in many way the modern web is moronic. We don't even disagree. I just don't think windows + palemoon is a great strategy to deal with it.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: