
Quick note about the workaround mentioned in this article - the suggestion to download the last known good version of the extension and sideload it is a good one, but it has some problems on Chrome.

Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

One could argue this is for security, but this change was implemented around the same time that Google disabled the ability to self-host extensions that install into Chrome. Really this is a mechanism to shut out independent extension developers from any potential plausible third-party distribution method that doesn’t rely on the Chrome Web Store (which Google controls and aggressively moderates.)

Use Firefox.




> Use Firefox.

Firefox has similar restrictions... you have to sideload through Developer Options. If you’re not a developer, you will be questioning why you’re doing this, and the less technically inclined will simply never do it (like my wife).

And it is not entirely nefarious as you suggest. It limits the damage that sideloaded extensions did in roughly 2010 and earlier. The WebExtension API was another assault on extensions. These days, Chrome and Firefox have essentially closed a huge attack vector, even though extensions are a shadow of their former selves. I was a skeptic for a long time (why should power users pay for the faults of everyone else?) but no more. Kudos.


Kudos?

Availability is part of security, and the most secure system is disconnected from the internet and powered off. Why are we cheering our software becoming less useful in the name of safety? The switch to WebExtensions was a monstrous loss of functionality!


Chrome sideloads extensions through a similarly obscure menu - My main quarrel is the prompt where the default option is to uninstall that appears on every launch. Firefox doesn't have that.

Firefox also permits self-hosting extensions signed through their store, providing more freedom for extension developers.


Yeah, I kind of hate it, but I can't really blame them for doing it, since before they did that, if you installed software from questionable sources like, say, Java from the Oracle website, it would bundle an Ask toolbar with it. And this was so common.


> you have to side load through Developer Options

I'm not sure what screen "Developer Options" is referring to, but you can load add-ons directly from your hard drive with no fuss from the Add-ons page (though you must be running the Nightly or Developer version of Firefox). Click the gear icon right above your list of installed add-ons (this is also the menu that lets you disable auto-updates).


So you have to use an experimental version of Firefox. These nightly versions are less tested and can be a serious downgrade from any stable browser.

That's hardly what "Use Firefox" implied.


I can see why you'd think that but in practice I assure you that your concern is unwarranted. I've been using Nightly Firefox exclusively for almost ten years and I honestly can't remember it ever crashing (excluding the times when I was manually futzing with experimental about:config flags back in the electrolysis days).

As for the developer edition, it's literally the version that they expect web developers to use; it's not half-baked software by any means.


"Stable" doesn't necessarily mean that it is secure, from an end-user perspective.


Do you have any stories or articles that corroborate that nightly is less secure?


You can use unbranded builds which are pretty much identical to the stable releases but let you use unsigned extensions.

https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...


The Developer Edition is not a nightly build, it’s a beta build, so there has been some testing (Before I switched to stable, I only once had an issue). Your point stands though.


Installing extensions from a file is supported in the latest mainline FF (84.0.2), nightly or dev are not required. I currently have one installed. It just shows a confirmation dialog and then installs it.


This is true but misleading: the extension you install from file has to be signed by Mozilla in exactly the same way that extensions on the store are signed.


You can remove the signature requirement on stable by setting `xpinstall.signatures.required` to `false` in your user.js / about:config

(I wrote most of the extensions I installed for my own bespoke use, built locally as zip files and installed via "Install Add-on From File...", and I don't have a problem trusting myself.)


I don't think this is true for the official Mozilla builds (except for Nightly, Beta and unbranded). It's possible that your distro has a custom build that allows the setting. Arch builds Firefox with `--allow-addon-sideload`, which could be the culprit.


Ah indeed. My distro also builds with `--allow-addon-sideload`


No promises that that's actually the right flag. I had a rummage around searchfox and it looks like that just enables extensions that have been placed in special directories (whether they must be signed or not is a different flag). There clearly is a setting somewhere though as the unbranded builds exist...


Signed XPIs are valid for eternity*, and you can just re-sign it for free if you really care about it.

* Unless it was explicitly revoked (updates do not revoke the signature) or Mozilla broke something that affects everything.


> Chrome will issue an ominous warning on every launch.

That's Google's shtick. They do the same if you unlock the bootloader on your Android phone. Black nag screen with scary text on every reboot.


> Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

I've been sideloading vimium and thegreatsuspender for years and I haven't seen this message ever. Not on Mac nor Linux.


You could download it and publish it yourself. I have an extension I wrote myself, and while I occasionally see something about having to pay $5 in the extension management panel, it never forces me to do so. If they closed that hole, perhaps it's worth the $5 developer registration fee to some.


When did you publish your extension? I'm an extension developer that makes a mildly popular extension used by a niche group (1-2k MAU) and the Chrome Web Store has tightened their policies over the years. It's possible that you're grandfathered in (and haven't hit any of the extra reporting requirements if you haven't updated your extension recently.)

Extensions these days go through a rigorous review process, and Google regularly shuts down / imposes arbitrary restrictions against extensions due to changing policies.

I understand the importance of strong moderation to protect users from malicious extensions, but I believe Google is using that as an excuse to further lock down their store, increasing barriers to entry and making it harder for developers to build software to extend the most popular browser in the world without Google's blessing.


I hadn't looked at it for a while, so I just did so.

You're right... it won't let me update it now without a lot of justifications on their privacy tab. However, it is still published. The status is "Status: Published - unlisted", so I can't search for it, but I can go direct to the store URL for it.


Yeah, that matches up with what I've seen. They've at least been decent enough not to kick people off the store, but I don't think it's possible to just have them sign / publish something unlisted these days without a good deal of policy writing and justifications.

Yet the large actors still publish malicious updates to extensions. ¯\_(ツ)_/¯


They have this "private" feature now where you have to list the email addresses of people that are allowed to use the extension. I don't see why that couldn't be coupled with "no review required", so long as the list is relatively short. But, yeah, likely will never happen.

Fortunately for me, I can re-do my extension to use the JS postMessage API, which will hardly require any permissions, and thus, not much to review.
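The postMessage approach the comment above describes trades extension permissions for input validation: any frame can call window.postMessage, so the content script must check where a message came from before acting on it. Below is an added example of that receiving side, not code from the commenter or from any real extension. The message shape (`{type: "ext-request", id, action}`), the allowed origin `https://app.example.test`, and the single `ping` action are constructed for the example; the handler is written as plain functions with a stand-in for `window` so it runs under Node without a browser.

```javascript
// Added example: content-script side of a page <-> extension bridge built on
// window.postMessage, written as plain functions so it runs under Node.
//
// Constructed assumptions: the page script posts
// {type: "ext-request", id, action}; only pages from ALLOWED_ORIGINS may talk
// to the extension; and the only supported action is "ping".

const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // hypothetical origin
const SUPPORTED_ACTIONS = new Set(["ping"]);

// Shape check: reject anything that is not a well-formed request.
function isValidRequest(data) {
  return (
    data !== null &&
    typeof data === "object" &&
    data.type === "ext-request" &&
    Number.isInteger(data.id) &&
    typeof data.action === "string" &&
    SUPPORTED_ACTIONS.has(data.action)
  );
}

// Decide how to treat one MessageEvent-like object. Returns a description of
// the decision so it can be inspected (and asserted on) rather than only logged.
function handleMessage(event, currentWindow) {
  // 1. Origin check: postMessage delivers messages from any frame, so the
  //    origin is the only sender identity worth trusting.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { outcome: "rejected", reason: "origin-not-allowed" };
  }
  // 2. Source check: a content script wants messages from the page it was
  //    injected into, not from another frame that shares the origin.
  if (event.source !== currentWindow) {
    return { outcome: "rejected", reason: "foreign-source" };
  }
  // 3. Schema check: the data is untrusted input even after the checks above.
  if (!isValidRequest(event.data)) {
    return { outcome: "rejected", reason: "malformed-request" };
  }
  // 4. Dispatch, and reply to the sender's origin only (never "*").
  const reply = { type: "ext-response", id: event.data.id, result: "pong" };
  event.source.postMessage(reply, event.origin);
  return { outcome: "handled", reply, targetOrigin: event.origin };
}

// Minimal stand-in for a browser window: records what was posted to it.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(msg, targetOrigin) {
      sent.push({ msg, targetOrigin });
    },
  };
}

// Demonstration over four constructed events: one good, three that must be refused.
function demo() {
  const win = makeFakeWindow();
  const otherFrame = makeFakeWindow();
  const request = { type: "ext-request", id: 1, action: "ping" };
  const events = [
    { origin: "https://app.example.test", source: win, data: request },
    { origin: "https://evil.example.test", source: win, data: request },
    { origin: "https://app.example.test", source: otherFrame, data: request },
    { origin: "https://app.example.test", source: win, data: { ...request, id: "1" } },
  ];
  return events.map((e) => handleMessage(e, win).outcome);
}

console.log(demo()); // [ 'handled', 'rejected', 'rejected', 'rejected' ]
```

The three rejection paths are the ones that matter for review: without the origin check any site the user visits could drive the extension, without the source check a same-origin iframe could, and without the schema check a well-placed message could reach code paths the page script never intended. Replying with `event.origin` as the target rather than `"*"` keeps the response from leaking to a frame that navigated away in the meantime.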


I'm pretty sure if you enable Extension Developer Mode, you won't get that nagging message on launch.


This sounds right. I've got Developer Mode on for my own custom written extensions and don't have mine disabled at all.


There is another problem with sideloading the extension: you don't have cloud sync anymore, thus forcing you to sideload on every computer you have.


I'd switch to Firefox, but it is noticeably slower loading Facebook and Twitter, the sites I go to most often, and I trust it only like 25% more than Chrome. :/

