Slashdot Mirror


Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com)

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which then allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using a self-contained update system that was bypassing Mozilla's add-on review process.

112 comments

  1. Good on Mozilla by Anonymous Coward · · Score: 2, Interesting

    Please publish the names of the authors, so we know not to ever install anything written by them ever again.

    1. Re:Good on Mozilla by Tharkkun · · Score: 1

      Please publish the names of the authors, so we know not to ever install anything written by them ever again.

      Better yet. Stop trying to police addons we want to use in our browser.

  2. Re:Let THE USER Decide by epyT-R · · Score: 2, Interesting

    Well, on the one hand, it's good to know that there was possible bad behavior, but on the other, the trend of vendors locking down their ecosystems is hurting those who do not wish to accept whatever they're willing to push through the needle.

  3. Re:Let THE USER Decide by Kremmy · · Score: 5, Insightful

    What, are you a malware author or something? Remove this backdoor garbage from official add-on repositories.

  4. Security design-flaw in Firefox by Anonymous Coward · · Score: 5, Insightful

    It should not have been possible that an add-on can change security settings to begin with.

    1. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 1

      Why not?

    2. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      250,000+ reasons.

    3. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      When an add-on can change anything about the browser, how can you prevent it?

      captcha = fallacy

    4. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      Many of the security and privacy related improvements people want|need come from addons changing security related settings and behaviors.

    5. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      It doesn't have to be able to change literally anything about the browser. There's a balance. Changing security settings to silently install add-ons goes beyond that balance.

      I'm not necessarily saying that whatever setting this was shouldn't be available, but you can make an API such that they aren't, so long as your plugin model isn't "execute arbitrary native code in the same process as the host".

    6. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 1

      What if you WANTED that add-on to change the security settings?

      If an addon can't change security settings then people will be complaining that Firefox has things blocked off that can't be changed.

      People are lazy and will use addons to change simple stuff. Look at the ones to disable webrtc. All it takes is typing in "about:config" and double clicking on an entry but all the people who use those addons show people like the convenience of addons to change the settings for them.

      You shouldn't blame Firefox for giving addon makers/users more control when an addon maker abuses that control. Blame the maker of that addon!

    7. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      "@people want|need"

      Isn't that the point? People neither wanted nor needed this change, the plug in did it behind their back. Mozilla have no way to protect their browser from the plugins, so it cannot guarantee that a plugin won't do this behind its back.

      No USER gave that plugin permission to change the USER's chosen browser security settings.

    8. Re:Security design-flaw in Firefox by softnewsit · · Score: 1

      Code signing will not be a "turn off/on" setting in upcoming Firefox versions. It is under testing, so it still allowed users to disable it because it did not get to "test & sign" all existing addons.

      --
      Go away!
    9. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      @"People are lazy and will use addons to change simple stuff. "

      They didn't download a youtube plugin to turn off their security and download malware. Firefox shouldn't allow the security parts of its browser to be altered. Rather it should make any necessary changes easy enough for lazy users to make themselves.

    10. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      So Firefox is going to do a code analysis on every Firefox plugin that gets uploaded on the internet to make sure other plugins aren't breaking the rules they don't actually enforce via code?

      No, Firefox is the only problem here. I'm glad I stopped using it for being so slow and bloated, because apparently they don't know the first thing about security either.

    11. Re:Security design-flaw in Firefox by bloodhawk · · Score: 4, Insightful

      Then the user should be asked and CONSENT to changing the security setting. Allowing any addon to do this without the user's knowledge is most definitely a design flaw.

    12. Re: Security design-flaw in Firefox by Anonymous Coward · · Score: 3, Interesting

      Security relevant settings should of course be changeable. But they should only be changed by the user, and only via native browser UI, or maybe by explicit opt-in permission from the user via native browser UI. I say maybe because it is already dangerous to let users grant that kind of permission. Firefox is for the general population, people who have been trained to give anything they install sweeping permissions without even reading the boilerplate.

    13. Re: Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      Right and you probably tell your family and friends to stop using the internet cause it's lame too. STFU

    14. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      Users may not have wanted|needed the changes discussed here, but in other cases they do. So the route forward would be to improve the user's ability to see and control such changes. Rather than eliminate the possibility that such changes can be made.

    15. Re:Security design-flaw in Firefox by joboss · · Score: 1

      What you're saying is why Firefox basically sucks. They go too far for security and forget about diminishing returns. You can't deal with a stupid user and the longer you over guard them from their stupidity the longer they stay stupid for. You can never say never. There are reasons an addon might need to override "security". Security is not a magic word for something unobtrusive. It means crippling and limiting everything that might be abused, if not simply removing it. You can't say there is no legitimate use for those things. Security comes at a price, it means making sacrifices and sometimes too many. It is a lost cause to try to make add on development super secure. However the API should be written in a way which makes auditing of add ons relatively simple. Focus on making the risk manageable, not impossible. Otherwise you're making nearly everything else impossible as well. I have the same problem using FireFox for non-standard roles and have had to roll out my own modified version with patch security handling because otherwise FireFox is a lemon and we can't do what we need to do. It has some other problems as well such as many of the up and coming APIs, solutions, etc being immature, not widely used, lacking documentation or up to date documentation, unfriendly to developers outside of the FireFox sphere, etc. They don't have enough contributors and have a lot of large but incomplete or unpolished or mangled or poorly abstracted systems.

    16. Re: Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      Security relevant settings should of course be changeable. But they should only be changed by the user, and only via native browser UI, or maybe by explicit opt-in permission from the user via native browser UI. I say maybe because it is already dangerous to let users grant that kind of permission. Firefox is for the general population, people who have been trained to give anything they install sweeping permissions without even reading the boilerplate.

      Make up your mind!
      First you say that security relevant settings should be changeable then you say it's dangerous to let users grant that kind of permission.
      So, who gets to change the settings? The software author, via mandatory updates? Oh, nice privacy settings you got there, let me change them for you because I know you want the internet to know all about you.
      I'd say let the user decide AND take responsibility for his/her actions if they fuck up.

    17. Re: Security design-flaw in Firefox by BronsCon · · Score: 1

      let users grant that kind of permission

      was, I think, referring to

      maybe by explicit opt-in permission from the user

      which would imply the user granting an add-on the ability to change the settings on their behalf. I think AC was pretty clearly agreeing with you that the user should be allowed to change the settings themselves when they said

      Security relevant settings should of course be changeable.

      and

      But they should only be changed by the user, and only via native browser UI

      You must have seen these remarks; you directly quoted each of them.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    18. Re: Security design-flaw in Firefox by sexconker · · Score: 1

      Make up your mind!
      First you say that security relevant setting should be changeable then you say it's dangerous to let users grant that kind of permission.

      And?
      Users should be able to do dangerous things if they so choose.

    19. Re:Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      Your perspective clearly demonstrates that you don't actually know what you're talking about. Firefox documentation is generally quite good, and the under-the-hood code and processes for addons are being improved away from the situation you describe already. I only hear this kind of vague hand-wringing from people who don't want any oversight of the software they want people to install. Mostly corporations who bitch and whine that Firefox doesn't tickle their gonads and make it easy to install a MITM cert, or who want to evade having their shitty code signed even with an NDA in place. Frankly, you're the dinosaurs. Mozilla is doing exactly what they should be doing, and you're calling foul because you want full control over things.

    20. Re: Security design-flaw in Firefox by Anonymous Coward · · Score: 0

      This is why respecting your freedoms and using and writing Free Software is important, especially in this day and time.

    21. Re:Security design-flaw in Firefox by chefmonkey · · Score: 2

      Well, sure. The issue is that add-ons have historically been loaded into the same security context as the rest of the browser code, which means they could literally do anything. The recent move towards having a better-defined API -- one that would prevent the kinds of things you think should be prevented -- is being done in large part to make this a far more tractable problem to deal with.

      Of course, as soon as there's any noise about preventing add-ons from doing literally anything they want to your computer, Mozilla is painted as control-freak fascists out to destroy Firefox forever. So it's kind of a rock-and-hard-place situation.

  5. Tor Browser + youtube-dl is a great work around by Anonymous Coward · · Score: 1

    and youtube-dl makes this simple so you don't use insecure flash or html5. youtube-dl supports a ton of sites with videos and always downloads the best quality version of the video.

    don't download the older versions of youtube-dl in your Linux repository, instead, just download the newest version @ youtube-dl website:

    http://rg3.github.io/youtube-d...

    1. Re:Tor Browser + youtube-dl is a great work around by Anonymous Coward · · Score: 0

      yup and it's easier in Tails...

      once you follow the chmod instructions @ youtube-dl site, just
      use:

      torsocks youtube-dl videoyouwanttodownloadurl

      it works on some news sites, too, where you can just point youtube-dl to the news page and it sucks down the video from the article!

      Here's a list of the Supported Sites:

      https://rg3.github.io/youtube-...

      No "plugin" can compare to youtube-dl when used in Tails properly.

    2. Re:Tor Browser + youtube-dl is a great work around by Anonymous Coward · · Score: 1

      I previously used youtube-unblock before to bypass georestriction. using tor browser will let me access youtube *sitewide* block (block from national isp filter, company filter, etc...) but it will be a test of luck if you are trying to browse/download *georestricted* video (ex: many japanese youtube will restrict their access to japan users--japan ip-- only). As much as youtube-unblock is grayware/malware, I don't think it is not replaced by Tor browser (+ youtube-dl or so).

  6. GJ by ZeRu · · Score: 2

    When I read the first sentence, I thought to myself that reasoning behind this was some corporate/copyright bullshit. But looks like Mozilla did a good job on this!

    --
    If you post as an AC, don't expect me to spend a mod point on you.
  7. Re: Let THE USER Decide by Anonymous Coward · · Score: 5, Informative

    "The add-on remains available through its homepage."
    The user still can decide. Mozilla only removed it from their add-on marketplace, which is IMO the correct action and certainly not any kind of overreach. That's like saying Google is wrong for banning Android apps from the Play Store which root your phone - it's not, they have policies and those apps knowingly violated them; if you still want those apps side loading is available.

  8. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Shame on Mozilla for such shitty design that allows this kind of crap. If this was IE you could bet your last dollareuropound there would be 500+ posts by now.

  9. Re: Let THE USER Decide by Anonymous Coward · · Score: 0

    When I saw the summary say that they "banned" it, I understood that they completely blocked it from being installed in the browser.

  10. I didn't realise this add-on existed... by 91degrees · · Score: 2

    Now I want it. Except without crippling my security.

    Is there an alternative?

    1. Re:I didn't realise this add-on existed... by jrumney · · Score: 2

      Is there an alternative?

      Newsflash: people who write add-ons that do not respect the rights of publishers most likely have no respect for your rights either. If you still want alternatives, tread carefully.

    2. Re:I didn't realise this add-on existed... by cdrudge · · Score: 3, Interesting

      people who write add-ons that do not respect the rights of publishers most likely have no respect for your rights either.

      So authors of the various ad blockers, NoScript, Ghostery, etc aren't respecting your rights when they also don't respect the publisher's rights, blocking all the crap the publishers include? How am I supposed to live with myself and sleep at night violating the publisher's right to violate me?

    3. Re:I didn't realise this add-on existed... by Anonymous Coward · · Score: 0

      "violate" you? come on, you aren't being raped or anything, dial back the froth a little.

    4. Re:I didn't realise this add-on existed... by cdrudge · · Score: 1

      Yeah. Violate me. As in my right to privacy, right to be or not to be tracked, right to not be exposed to potential security issues, etc.

    5. Re:I didn't realise this add-on existed... by Tharkkun · · Score: 1

      "violate" you? come on, you aren't being raped or anything, dial back the froth a little.

      You sound like Bill Cosby.

    6. Re:I didn't realise this add-on existed... by chefmonkey · · Score: 1

      Hrm. If there were only some way to search for that kind of thing...

      https://addons.mozilla.org/en-...

    7. Re:I didn't realise this add-on existed... by KGIII · · Score: 1

      There are many, many ways to use a VPN. This is even do-able in just the browser itself. If one's goal is to bypass geolocation restrictions, and isn't really all that security minded, then one need only look at the many services offered. Many of them are free. Some of the free ones have various restrictions, such as bandwidth restrictions. Needless to say, there are ways around those restrictions - such as multiple accounts. I guess, I'd rather call those "proxies" instead of "VPNs" as they're not really a VPN for the whole system. I think proxy is a more accurate term but nobody asked me.

      I pay for a couple of them, actually. I use them for different things. I even have one at home that I run but that's for an entirely different reason and isn't actually used as often as it probably should be. There's a free one called Hola*** but I recall reading that they were selling their accumulated data, or something along those lines. If you're just using it for bypassing the restrictions then it might be an option for you to consider. There are many, many options. (My recollection of Hola was slightly off - I've included some more details at the bottom.)

      The most applicable one that I pay for is SurfEasy. SurfEasy is run by the folks who own Opera. I use it to see what the web looks like for other people as well as to appear to be from other places. It's a bit of anonymity in some regards and it used to work with my cell phone but doesn't actually work with it anymore because I've changed phones. So, I just use the browser extensions. I get unlimited data and I've yet to have a problem with it. There are probably hundreds of choices. There are probably hundreds of free choices. There are many, many paid choices.

      You can just use regular old proxies if you want. There are proxy lists all over the place. As you're not (I hope) planning on doing secure things through it then that's an option. If you're just browsing content that's restricted because your IP address indicates you're from the wrong area then, by all means, I'd certainly consider that a reasonable risk to take. Obviously, you don't do banking on it. I'd not even log-in with a regular Google account on YouTube for this though I am not sure how they'd go about compromising an encrypted stream and grabbing personal information from it. It's still better safe than sorry and I suppose they might be able to do something with just the associated cookies? I'm not really sure.

      At any rate, there are lots of options out there. As you're just trying to view content, you can probably accept a few more risks concerning data interception. If you're using the free services then I'd make sure to use the more reputable companies if you're planning on doing anything that you want to keep truly private. Seeing as it probably doesn't matter that you wanted to bypass the restrictions for the BBC iPlayer, you're probably good to go with most any VPN out there that has an end-point in the UK.

      I'm a bit low on time or I'd go dig out a few links for you. Just search for "free VPN" or "VPN" or "proxy" at your favorite search engine AND check those same search terms at your browser's extension/add-on site. You'll find a whole bunch of services that offer this at low and no cost. Depending on how much you want to pay and what you want for security, there are a bunch of choices. Tor, for example, is not the appropriate tool for this job but VPN Gate is probably just fine for your needs.

      Here, I'll get you a link to the VPN Gate site. They're run by a university in Japan, free, and have lots of options - including many (most?) that work with Linux or any OS that is supported by OpenVPN. Depending on your OS, you may not even need any additional software at all. Anyhow, the link to this one:
      http://vpngate.net/

      Actually, a friend sent me a few links the other day...
      http://www.vpnbook.com/
      https://www.vpnme.me/

      And SurfEasy:

      --
      "So long and thanks for all the fish."
    8. Re:I didn't realise this add-on existed... by KGIII · · Score: 1

      About that Ghostery...

      https://www.google.com/search?...

      I've long-since moved away and use uMatrix. It's completely open and, unless I'm missing something in the code (I've checked the source - I'm pretty sure), there's nothing amiss there. It's got a bit of a learning curve but it's slight and easily doable. If I can learn it, I'm sure you can. You can then get rid of anything and everything on a site. It's pure whitelist-based.

      I like to describe it as being akin to an old-school software firewall except limited to just your browser. However, as you can import and export both rules and settings, it makes it very portable. It's really nice and means you don't need to use NoScript and all the rest. Basically, unless you intentionally change it then anything not explicitly allowed is blocked. Once configured, it makes a handy tool. I've given my settings and custom rules sets to people before to get them started. I have the backup/import process sort of automated and mirror copies to a couple of private places online.

      It's the same guy that makes uBlock origin, I've emailed 'em a couple of times. They won't even accept donations, put it that way. You can see his GitHub page here:
      https://github.com/gorhill/uMa...

      You can actually do a lot of what you can do with uMatrix by just using uBlock. On top of that, he also makes another extension called HTTP Switchboard. For the most part, all three are very similar but have slightly different goals and slightly different interfaces. At this point, I've been quite happy with his work. Just to be on the safe side, I sometimes remember to grab copies of the source that way, if things go south, I've got a way to fork from before things went south or the option to keep using the older versions.

      All-in-all, there are tools out there that you can place a degree of trust in. It may take some research. I've no idea why you'd take my word for it but, if you want, my word is given that I both trust the uMatrix and uBlock code and author, for the time being, and am happy with the results. The best thing is that you can not rely on my word and just check the source yourself.

      I think it's important to note that I'm actually a bit skeptical. I can, and do, set up Wireshark or push things through a hardware firewall and check the logs for suspicious activity. I can say, with a reasonable degree of certainty, that I've never seen any unexpected or suspicious traffic which can be traced to either of those two applications. I have not examined or made much use of the third program, HTTP Switchboard, so I will not opine on it except to say that, at this point, I've no reason to distrust it because of having used his other applications and finding them performing as advertised and only as advertised.

      Here's a link to the source for all of his projects:
      https://github.com/gorhill

      Again, I only offer much of an opinion on the two and, as always, I encourage others to research and find their own solutions. In the case of Ghostery, specifically, you'd probably be better served seeking an alternative. For that, and to replace NoScript as there's no reason to run both, I recommend uMatrix. It even does HTTP referrers and whatnot. You can utilize blocking via HOSTS file inclusions and import them from multiple sources. I find them both quite handy, reliable, and trustworthy.

      --
      "So long and thanks for all the fish."
    9. Re:I didn't realise this add-on existed... by 91degrees · · Score: 1

      Yes... The first one wants "anonymised click stream data", and I'd rather not give permission without knowing what it is. Others seem to want me to sign up for something that all else being equal I'd rather not do.

      But it's possible that a slashdotter somewhere knows about a good alternative or can offer advice on which one to use.

      It turns out though, that you're right and I'm wrong. They don't. I just get a response from some sarcastic jerk.

    10. Re:I didn't realise this add-on existed... by jrumney · · Score: 1

      As I said, tread carefully. Adblockers to counter malware and obtrusive advertising are one thing, but not all ad blocker authors have your best interests at heart ("Acceptable Ads" anyone?).

  11. Re: I need a nubile girl by Anonymous Coward · · Score: 1, Funny

    127.0.0.1

  12. Re: Let THE USER Decide by LoneBoco · · Score: 1

    That's what will happen once mandatory addon signing is implemented.

  13. COB: Corporate Overreach Blocker has detected.... by TapeCutter · · Score: 2

    As the smartest guy on the internet you probably already have my patented corporate overreach blocker installed. As you probably know it has been banned from freedom hating corporate repositories, meaning my elite followers are forced to download it from my exclusive website. What you may not know is that I just finished uploading the new version. The new version of the banned plugin can now shrink corporate overreach from the most powerful multi-nationals in the world down to the size of Donald Trump's fingers. It's really important that you and all your loved ones download the latest version NOW!!!! - My corporate spy team are telling me that the censors at google are about to delist my website, not sure when that will happen, it could be hours or days, but when it does happen I will be forced to move operations onto the dark web.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  14. Re:Let THE USER Decide by William+Baric · · Score: 4, Insightful

    I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

  15. 250,000 reasons by Anonymous Coward · · Score: 0

    >lamefag: Tell him, Dont uninstall Firefox and Im not going to install malware.
    >devel: Dont uninstall Firefox. I'll get rid of the malware.
    >newsroid: malware in Firefuzz security, help is onthe way.
    Mic Dundee (Anonymous Coward): tell them, why botnet?
    >newsroid: i dunno, why bypass my security settings?
    >devel: i dunno. Why did you install unsigned code?
    >lamefag: i love you!
    >devel: i love you.exe
    >newsroid: ilovdyou.tif.com.bin.dmg.exe.apk
    Mic Dundee (Anonymous Coward): *click

  16. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Who is in the right. This is JUST corporate overreach of the worst kind.

    this is capitalization of the worst kind. you're emphasizing the word just, implying that mozilla is doing good.

  17. Re: Let THE USER Decide by DrXym · · Score: 1

    They could do that too. They have blacklist functionality which I'm sure includes the ability to block apks. And who's to say they won't use it if the add-on is a malware vector.

  18. Re:Let THE USER Decide by paulatz · · Score: 3, Insightful

    The FA says you are still allowed to infect your pc with all the malware you want from the addon homepage. Did you try to RTFA but were stopped by ad popups?

    --
    this post contain no useful information, no need to mod it down
  19. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Currently it might still be possible to install it, but they are planning to remove that feature in firefox 46.
    Even now you have to change settings in about:config to do so.
    From their own wiki:
    > Firefox 46: Release and Beta versions of Firefox for Desktop will not allow unsigned extensions to be installed, with no override. Firefox for Android will enforce add-on signing, and will retain a preference to permit disabling of signing.
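
As an added example (not part of the thread and not Mozilla's code): a defender-side check for the kind of change discussed here, reading a profile's `prefs.js` and flagging watched settings that have been switched away from their safe value. The preference names `xpinstall.signatures.required` and `extensions.blocklist.enabled` do not appear on this page; they are the Firefox preferences for signature enforcement and the add-on blocklist, and the sample file contents are constructed.

```python
import json
import re
import sys

# One line of prefs.js / user.js looks like:  user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)

# Preferences to watch and the value treated as safe.
# Assumption: this watch list is chosen for the example, extend it as needed.
EXPECTED = {
    "xpinstall.signatures.required": True,  # add-on signature enforcement
    "extensions.blocklist.enabled": True,   # add-on blocklist
}


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in the text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.group(1), match.group(2)
        try:
            # true/false, integers and quoted strings are valid JSON literals
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparsed values verbatim
    return prefs


def audit(prefs, expected=EXPECTED):
    """Return (name, found, safe) for each watched pref set to an unsafe value.

    prefs.js only records preferences that differ from the built-in default,
    so a watched pref that is absent is still at its default and not reported.
    """
    findings = []
    for name, safe in sorted(expected.items()):
        if name in prefs and prefs[name] != safe:
            findings.append((name, prefs[name], safe))
    return findings


# Constructed sample of a profile's prefs.js in which signing was switched off.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("extensions.blocklist.enabled", true);
user_pref("xpinstall.signatures.required", false);
user_pref("browser.cache.disk.capacity", 358400);
"""

if __name__ == "__main__":
    # Usage: python audit_prefs.py /path/to/profile/prefs.js
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_PREFS_JS
    for name, found, safe in audit(parse_prefs(text)):
        print(f"{name} is {found!r}, expected {safe!r}")
```

Running it periodically against each profile and comparing the result with the previous run shows when such a setting was changed without the user touching about:config.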

  20. Re: Let THE USER Decide by bickerdyke · · Score: 4, Insightful

    The user CAN NOT decide if the probably unwanted stuff is slipped to him secretly.

    It would be different if the user was warned during plugin installation "Hey, we're going to mess with your browser security setting and will install stuff that would trigger your virus alert, but - just to avoid that confusion - we will disable your antivirus while we're at it. OK?"

    THAT would be "let the user decide".

    --
    bickerdyke
  21. Re:other browsers with Firefox-like add-ons by johanw · · Score: 2

    Try a Firefox clone like Palemoon http://www.palemoon.org/ . The flexibility of Firefox but without the would-be Chrome UI crap.

  22. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    On my android pda, I use noscript, Videodownloadhelper, Save mht, and a few other firefox add-ons for authoring and editing javascript inline webpages etc.

    Are there any other web browsers that can use Firefox add-ons or have same functionality as what I described above? I have tried Opera, Dolphin, Arachne, Dillo, w3c webbrowser, and a few others but none can do what Firefox does. When will someone make a crossover mechanism? NO I WILL NOT TRY CHROME. Opera is nice for offline reading

    Classic opera can't use Firefox addons, but the 12.xx versions come with so much included functionality (including opera dragonfly) that you really need only 2 extra addons : ghostery and adblock. Now chromeified Opera is as shit as Firefox so you've got no option if you want the latest shiniest piece of shit browser.

  23. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    Or you could just install Classic Theme Restorer, since palemoon isn't 100% compatible with firefox addons and made by amateurs.
    Plus there's Firefox ESR which doesn't have the stupid 6 week release cycle.

  24. Re:Let THE USER Decide by Anonymous Coward · · Score: 1

    Haha, ok, well, that's the end of Firefox, then. I've just read the signing process and nope, nope, nope. I used to write and maintain extensions for a local site I was involved with and there is no way in hell I'm submitting shit to them and waiting for them to approve what already works and my users already trust me with.

    Although I might just work out how to get everyone installing a developer certificate or recommend that they install one of the Firefox forks.

  25. Keep it simple for a better browser by Anonymous Coward · · Score: 0

    I totally avoid extensions as much as possible. Much of what helped the demise of Firefox was bad extensions that either were poorly done, or like in this situation were causing more harm than good. If it has to cripple security to work, you don't need it.

  26. Re: Let THE USER Decide by Anonymous Coward · · Score: 0

    By apks u mean xpis?

  27. Re:other browsers with Firefox-like add-ons by fbobraga · · Score: 1

    DownThemAll is a must have add-on to me, and it's not available for Chrome (since long time, now): it was the primary cause that made me stick with Firefox over Chrome :P

  28. Re:other browsers with Firefox-like add-ons by fbobraga · · Score: 1

    Opera is nice for offline reading

    I recommend Opera Mini over "normal Opera": it has a much minor size and memory footprint (by being very light, it works very well on old phones and tablets)

  29. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    You have a very awkward security system. 'Your users trust you' is not a system I would trust. I prefer some extra protocols instead of somewhere on the internet there are people who trust that other person on the internet, so I'm pretty sure I can trust it too. This is what causes all those exploits of which you think how stupid people could be to trust these installers. No system is waterproof, but having an authority like Mozilla banning add-ons from untrustworthy programmers is a slightly better system than what you seem to be doing.

  30. Re:other browsers with Firefox-like add-ons by arth1 · · Score: 5, Informative

    Or you could just install Classic Theme Restorer, since palemoon isn't 100% compatible with firefox addons and made by amateurs.

    From a security point of view, Palemoon failed even at step one, installation. Its Linux installer *requires* that the system is set up for gratuitous sudo. Anything that asks for a system password during installation is something I will not install. And a system password for an account that is set up to have root access for any command when the account password is given? No, just no.

    (And never mind that they can't be bothered to list the prerequisites either.)

  31. Re:other browsers with Firefox-like add-ons by arth1 · · Score: 1

    I think downthemall.com is an unfortunate name. I thought it was for 14 year olds who wanted to hang out down the mall.

  32. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Fork you!

    Sorry, that should have been, "Fork, you!"

    As in, if you don't like it, feel free to take the source code, and fork it, or use one of the many forks that have already been made.

    Enjoy!

  33. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    I read it, at first, as "DamnThemAll" which is more appropriate I think. :-)

  34. Code signing is the final nail in Firefox's coffin by Anonymous Coward · · Score: 0

    It's no secret that Firefox is seriously losing market share. Firefox is likely under 8% of the browser market now, across all desktop and mobile platforms! To put that number into perspective, note that desktop Chrome 48 alone has over 3 times the number of users that Firefox has in total, and Chrome for Android 47 has over 2 times that number. IE 11, iOS Safari 9.2, and UC Browser for Android each have about the same number of users as Firefox does. Firefox nearly has fewer users than even Opera Mini has! And Firefox has essentially no mobile presence at all. Firefox for Android is only at 0.04%!

    Despite being one of the most popular browsers several years ago, I think that Mozilla has gone out of their way to alienate Firefox users as often as they can. They've trashed Firefox's UI, turning it into an awful clone of Chrome. They've injected unwanted shit like Pocket and Hello into Firefox by default. They even put ads into the browser itself, although rumor has it they finally realized how fucking idiotic this was and are removing them. They've removed useful options from the preferences window. And despite making all of these changes that users don't want, they never seem to get around to fixing the longstanding memory and performance issues that have plagued Firefox for years.

    The mandatory extension signing bullshit they've got in the works, along with changing to Chrome's extension model at some point, will utterly destroy Firefox's usability I think. The inconvenience these changes will bring to Firefox's few remaining users and extension developers will likely be enough to push them away completely. Firefox's 8% of the browser market will likely drop to the low single digits far quicker than anyone will have imagined.

    To make matters worse, Mozilla has wasted a huge amount of time and effort on the Rust programming language and the Servo browser engine. In my view, Rust is a totally failed attempt to replace C++ with a "safer" language. I think that all they've managed to create is a language with an ugly syntax (even by C++'s standards!), an impractical ownership system, a single slow implementation (which itself is quite buggy despite being written in Rust, a language that's supposed to avoid this!), a rather awful standard library, and a questionable community that's highly focused on codes of conduct and censorship in the name of "tolerance" and "diversity".

    Servo, which is written in Rust, is abysmal in my experience. I tried it last week, and I think I'd get better results using IE 3 today. Hell, Servo wouldn't even render any page for me for more than a minute before it crashed! Despite all of the hype around it, it fails to deliver even a 1990s browser experience.

    In my opinion, things are looking extraordinarily bleak for Mozilla. They've ruined Firefox for so many users already. The replacement is going absolutely nowhere. And now it appears that they're going to make the Firefox experience even worse for the few users who remain! It's unbelievably sad what's happening to Firefox and Mozilla.

  35. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Spoken like a true malware writer. Local site being a porn site? Hurrah?

  36. Re:other browsers with Firefox-like add-ons by ArchieBunker · · Score: 1

    Why not Chrome? I know everyone claims it spies but nobody has provided any kind of Wireshark logs or further information to prove it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  37. "the allowed it", "an self-contained" by Anonymous Coward · · Score: 0

    Stupid Americans...

    1. Re:"the allowed it", "an self-contained" by Anonymous Coward · · Score: 0

      I know, google translate sucks.

  38. Re:other browsers with Firefox-like add-ons by fbobraga · · Score: 1

    I think this naming problem is a consequence of a major problem, that relates to all open-source community: poor "marketing" decisions (it's not natural?)

  39. Re:Let THE USER Decide by Anonymous Coward · · Score: 1

    A reputation built through a web of trust is the best possible system.

    A single centralised decider of who counts as trustworthy - particularly one so incompetent and obviously lacking in decent direction as Mozilla - is the worst possible system.

    So, you're the polar opposite of correct.

  40. Re:other browsers with Firefox-like add-ons by jez9999 · · Score: 0

    Its Linux installer *requires* that the system is set up for gratuitous sudo.

    Heh, I guess you're not a Windows user or you'd be pretty used to elevating to Administrator during installs!

  41. Re:other browsers with Firefox-like add-ons by thegarbz · · Score: 1

    Heh, I guess you're not a Windows user or you'd be pretty used to elevating to Administrator during installs!

    That is predominantly to allow writing to the registry and a few locked folders during installation. These days the number of applications which actually require to be *run* as administrator are near enough to zero that it's not an issue.

    However Linux never had this peculiarity in the first place. If you download a program that is standalone and doesn't have some deep hooks into the OS there's no reason you need elevated privileges on Linux, which makes me even MORE cautious when a Linux program asks for it.

  42. Re:other browsers with Firefox-like add-ons by Alumoi · · Score: 1

    Hmm, could it be because it logs you in automatically on all google sites (search, youtube, ad network and so on)?
    With Firefox/Opera I can choose when I want to be logged in and when not.

  43. Re:other browsers with Firefox-like add-ons by hairyfeet · · Score: 1

    They offer the source so you should DIY...isn't that the Linux way? The Palemoon team has ZERO to do with the Linux branch, it's made by a volunteer using the source. If you don't like the way he does it? You are free to take the source and come up with your own installer.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  44. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    on my android I cannot seem to find any of the add-ons you describe, care to identify them better?

  45. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    Oh that's cute, you still think you have anonymity online. Unless you're using a text only browser you've got invisible trackers tracking you, and if you are using a text only browser, trust me we know it's you. We also know your screen size, the last time you visited, how many devices you have used on the site, and more likely how many you have overall, plus your phone carrier...the internet knows everything about you. Stop pretending to be naive and thinking they don't. Your browser doesn't matter and you know it. You also don't need to be logging into Chrome. It's a choice, same as Firefox.

  46. Re:COB: Corporate Overreach Blocker has detected.. by BronsCon · · Score: 1

    the censors at google are about to delist my website

    Your corporate overreach blocker can't block that? Garbage.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  47. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.

  48. Re:other browsers with Firefox-like add-ons by malditaenvidia · · Score: 1

    You're also free to use seamonkey, waterfox, iceweasel or any of the other forks that aren't 10 versions out of date.

  49. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    Ignorant and condescending. That's a great combination!

  50. Re:other browsers with Firefox-like add-ons by arth1 · · Score: 1

    Waterfox is available for Linux now? That's news.

  51. Re:other browsers with Firefox-like add-ons by sexconker · · Score: 4, Insightful

    It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.

    It does.

    Programs that aren't written by morons should ask you if you want to install it for the current user only (no UAC required) or for the whole system (UAC required).

    For the user, HKEY_CURRENT_USER\Software in the registry is like the opt directory.
    But so is %USERPROFILE%\AppData\. And in AppData you have Local, LocalLow, and Roaming.

    The %APPDATA% variable points to Roaming by default, while the Local directory is for shit specific to the PC (shouldn't roam), or is too big to roam. LocalLow is a "low integrity" directory. Allegedly things like plugins and add-ons should store their shit there and not be able to write to the Local directory.

    For the system, you have HKEY_LOCAL_MACHINE and %ProgramData%.

    The problems are:

    1 - Morons write programs and demand full access to the whole system regardless of whether or not they need it.

    2 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the registry, in both HKLM and HKCU. Even when it's documented, it's fucking wrong (I'm looking at you, Adobe).

    3 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the various %USERPROFILE%\AppData\ folders and the %ProgramData% folder.

    4 - Morons write programs and store even more configs in the program's installation folder or other random places (like the Documents library).

    Any one of these things alone is annoying, but programs often do all 4. This makes figuring out configs even harder - does the registry override settings.ini in the program folder? Or perhaps the profile in %AppData% wins out. What about the settings in %ProgramData%? Which registry settings are in HKLM vs HKCU? Why isn't anything in %AppData% or %ProgramData% or even the fucking registry cleared out when I uninstall?

    It's a mess because developers are morons and Windows lets morons make a mess of things in several ways.

  52. Re:other browsers with Firefox-like add-ons by sexconker · · Score: 1

    The mere fact that the address bar and search bar are the same qualifies.
    You can't type in an address without it being sent off to Google to deliver suggestions when they're the same bar.

  53. Re: Let THE USER Decide by Anonymous Coward · · Score: 0

    No, it won't. Users will always be able to install a Firefox without the requirement. Most of us just don't care to, because we're not idiots who think that having a malware magnet is the same thing as having the freedom to install any software we'd like.

  54. Re:Code signing is the final nail in Firefox's cof by Anonymous Coward · · Score: 0

    Ignoring how inaccurate browser market share surveys are, 8% = hundreds of millions of users. People are free to flock to whatever crap they want, be it Chrome or Justin Bieber. It's funny you think people abandoned Firefox because of the UI changes--yeah, people left for Chrome because they didn't like Firefox's new Chrome-like UI. Or because of ads in the home screen they went running to an ad agency's browser out of protest.

    By and large people are unsophisticated and just use default software and default settings. With Google's aggressive pushing of Chrome from many of its services (search engine, GMail) and bundling it in many software installers to automatically install unless you unchecked the box (just like sneaky malware or annoyances like Ask Toolbar used to do), it's not very surprising Chrome has a lot of users. It turns out all browsers are pretty usable these days and most people will use whatever is in front of them. So what if only a few hundred million use Firefox? Who cares if in a few years it's only a million people that give a shit about their privacy or the open web and use Firefox? Sure it would be a shame because it's a good browser and others are missing out and Firefox's market share used to be huge, but continuing to serve millions is still an important job.

    I don't want to seem an apologist for Mozilla--I have my criticisms. I just find your whining and doom-and-gloom annoying. Are you aging and can't deal with change? Australis was a shock at first but comparing it to Seamonkey's, the new UI is way the hell better. Pale Moon's is good too, it's frozen in time between the two. I also have Firefox Developer (46.0a2) installed and the UI is great with and without Tree Style Tabs. Their efforts to make the UI more responsive are paying off. If you want a traditional file menu for the rare time you need it, tap the 'alt' key.

    The ads in the home screen were annoying, but easily toggled off. It's also annoying they have Yahoo as the default search provider when providers like DuckDuckGo exist which return vastly superior results and share similar missions as Mozilla. Pocket also seems unnecessarily bundled and a privacy concern. Hello (Telefonica) I have no real issue with other than the dumb name--a lot of people want videochatting and Hello bundled makes it very easy. I prefer it over Skype. The crux of all these issues is money--how to pay developers to continue improving the browser. I don't have a good solution. So I understand that they want to try out different things, I just think they need to listen to user feedback and be transparent about it (e.g. if Pocket paid them, just admit it). If Pocket didn't pay, and even if they did, it should probably be an installed-by-default add-on so it can be easily disabled, rather than integrated like it is.

    It's strange you're so critical of Rust and Servo. Do you understand what research is? I think it's awesome that a company is willing to support essentially basic computer science research for many years without need for an immediate product. Part of it is they have a small team on each project so it's slow but steady work. I think the ideas behind Rust are very important and worth investigating. Look at it like research (which it is). It really doesn't matter if that lab specifically cures cancer or makes your dick longer or whatever, the goals are worth looking into and others are going to learn from the experiment and build off it. And Mozilla's end product might just be great. Swift has already borrowed some concepts from Rust and it's really easy to embed Rust into other languages. Concurrency sucks hard in most languages--I don't have a final verdict on Rust yet but it's worth checking out. There are also research groups trying to prove (or disprove) Rust's claims to safeness. This is cool shit, or do you think how the world was when you were growing up was the perfect world? We had perfect browsers and our understanding of math and computation then is all that's needed so let's not think about anything new or try to

  55. Danke, GEMA by Knuckles · · Score: 1

    n/t

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  56. Re:other browsers with Firefox-like add-ons by HiThere · · Score: 1

    Even MSWind95 did that. When I installed Squeak and Python on MSWind95 there were no files installed outside the application directory, which I located in a custom place segregated from all system files.

    The problem isn't that MSWind doesn't allow that, the problem is that it doesn't (didn't?) require that.

    FWIW, I generally prefer /usr/local to /opt, but in either case the files should be those that you trust, and the locations should require root permission to allow installation. Files with any doubt as to their provenance should be installed in a place like /home/apps/ with write permission only to the apps user (not a real user) and execute permission as desired. If you can't control where it installs itself, don't trust it.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  57. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    They don't allow it, really. They blocklist addons regularly, but it's rare for such a high-profile example to come around that proves that Mozilla's on the right track with their addons overhaul. People can no longer hide behind "muh freedom!" type of arguing when it comes to deriding Mozilla for wanting to improve their addon system, so making a stink about its current failings is important.

  58. Re:other browsers with Firefox-like add-ons by Anonymous Coward · · Score: 0

    I like your rant and don't want to interrupt your bashing of Windows and developers, but honest question. Where are you saying the executable should be installed? For user-not-system installed software *everything* should go in %APPDATA% (or wherever, pick a place, one place, the exact location is of no concern to my question), executable and all? I'm trying to think if I've ever seen this done.

    The benefit of executables going into C:\Program Files is that modifying those files does get the user hit with a UAC pop-up. So yes, on installs and updates the user sees a UAC but that way other programs aren't sneakily modifying the executables or dlls. There wouldn't be a UAC prompt when just running the program, though.

  59. Re:other browsers with Firefox-like add-ons by HiThere · · Score: 1

    The last time I tried to use Seamonkey it wouldn't run. I didn't devote a whole lot of effort into trying to figure out why, but it did compile without errors (that I remember). I was trying to install it to use its html editor, but I found another one that looked like a fork and worked without problem. (Can't remember its name.)

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  60. Re:Let THE USER Decide by Anonymous Coward · · Score: 0

    That would actually be a good point if you were right about Mozilla not having good direction. I truly think people have jerked their knees about Mozilla's direction for so long now that they're unwilling to accept the good ideas and directions they're heading in. Overhauling the addons system so they're less fragile, better-sandboxed, and can be reviewed by real humans more efficiently is a fantastic idea. In addition, letting the people who have been doing this for a long time, volunteers and otherwise, has proven far more effective than Google's Chrome extension vetting system. I honestly fail to see what you're complaining about here. They're relying largely on volunteers, so it's not just Mozilla's interests being reflected here. They have an open process, where people can complain and harm Mozilla's reputation for abusing the system. They're not even forcing anyone to use this system, users or addon makers, but rather only if they want to be on AMO and not need users to opt into unreviewed and potentially bad addons.

  61. Re:Let THE USER Decide by Tharkkun · · Score: 1

    I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

    I agree. They fuck with Java non-stop which I require for internal applications. Who cares if my Java is out of date when I use one specific browser on one application. Stop disabling my shit Mozilla.

  62. Re:other browsers with Firefox-like add-ons by lgw · · Score: 1

    I've been frustrated with the fact I can't use anti-container (a wonderful extension to downthemall) on Pale Moon. It's the only reason I keep a copy of FF around. Chrome is right out.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  63. Re:Let THE USER Decide by chefmonkey · · Score: 1

    You need to read more carefully. For the kind of add-ons you mention -- that is, ones not hosted on Mozilla's servers -- the signing process is automatic. You can even use a commandline tool to automate submission of the file for signing, and generally get a signed version back within a few seconds.

  64. Re:COB: Corporate Overreach Blocker has detected.. by lgw · · Score: 1

    But can your corporate overreach blocker do everything that hosts files can?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  65. Re:other browsers with Firefox-like add-ons by allo · · Score: 1

    And it will die in a few firefox releases. Mozilla deprecates (and removes) XUL and XPCom and addons as powerful as DTA will not be possible, the DTA author wrote he will probably need to discontinue it.

  66. Re: other browsers with Firefox-like add-ons by fbobraga · · Score: 1

    Sad news to me :/

  67. Re:other browsers with Firefox-like add-ons by beastofburdon · · Score: 1

    If you are installing into the standard directories then you must use root privileges. That is the way Linux is designed. If you want to install it in your home directory I guarantee that it will not require it.

  68. Re:other browsers with Firefox-like add-ons by arth1 · · Score: 1

    If you are installing into the standard directories then you must use root privileges.

    Using root privileges to do something specific is not the same as granting a program gratuitous privilege escalation to root, or giving an installer a password.

    That is the way Linux is designed.

    No, it isn't. If the documentation states what it needs write permissions to, or the installation script reports problems and then rolls back, you can temporarily give the required access.
    Either through group permissions or ACLs.

    If it installs under, say, /opt/palemoon, it is FAR better to create that directory as root, and give the installing user temporary write access, and change the ownership/access of the directory afterwards. Similar for other directories it may want access to.

    sudo isn't needed for this. Or for much else that sudo is abused for.
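
The staged install described in the comment above (create the directory as root, let an unprivileged user write to it for the install, then take ownership back), as an added shell example that is not part of the thread. The function names and the installer invocation in the comments are assumptions, and temporary ownership of the empty directory stands in for the group permission or ACL the post mentions.

```shell
#!/bin/sh
# Added example, not from the thread: install into a root-owned prefix
# without ever running the installer itself as root.
#
# Typical sequence (the functions run as root, the installer does not):
#   open_for_install /opt/palemoon alice
#   su alice -c './installer --prefix=/opt/palemoon'   # hypothetical installer
#   audit_tree /opt/palemoon root    # review what the installer left behind
#   lock_down  /opt/palemoon root    # only after the installer has exited

# Create the target directory and hand it to the installing user for now.
# Only this one empty directory becomes writable; nothing else on the system.
open_for_install() {
    dir=$1 user=$2
    mkdir -p "$dir" &&
    chown "$user" "$dir" &&
    chmod 0755 "$dir"
}

# Print every entry that should not survive in a system directory:
# group- or world-writable, setuid/setgid, or not owned by the final owner.
# Symlinks are skipped because their own mode bits carry no meaning.
audit_tree() {
    dir=$1 owner=${2:-root}
    find "$dir" ! -type l \( \
        -perm -0002 -o -perm -0020 -o \
        -perm -4000 -o -perm -2000 -o \
        ! -user "$owner" \) -print
}

# Take the tree back. Order matters: setuid/setgid bits are stripped BEFORE
# ownership changes, so a file the installer marked setuid can never end up
# as a setuid file owned by root. chown -h acts on symlinks themselves
# rather than on whatever they point to outside the tree.
lock_down() {
    dir=$1 owner=${2:-root}
    find "$dir" ! -type l \( -perm -4000 -o -perm -2000 \) \
        -exec chmod ug-s {} + &&
    chown -hR "$owner" "$dir" &&
    chmod -R go-w "$dir"
}
```

Running `audit_tree` before `lock_down` shows what the installer tried to leave behind; running it again afterwards should print nothing.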

  69. Re:other browsers with Firefox-like add-ons by beastofburdon · · Score: 1

    Let me get this straight. Are you saying that the install script is somehow giving the program root permissions that it can use after it has been installed? Otherwise in order to write to the /bin, /usr/bin, or any other directory that is not in your home directory you must have root permissions. You can temporarily give a user write permissions for a folder, but that also involves using root to give that permission.