Slashdot Mirror


Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com)

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which then allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using a self-contained update system that was bypassing Mozilla's add-on review process.

7 of 112 comments

  1. Re:Let THE USER Decide by Kremmy · · Score: 5, Insightful

    What, are you a malware author or something? Remove this backdoor garbage from official add-on repositories.

  2. Security design-flaw in Firefox by Anonymous Coward · · Score: 5, Insightful

    It should not have been possible that an add-on can change security settings to begin with.

    1. Re:Security design-flaw in Firefox by bloodhawk · · Score: 4, Insightful

      Then the user should be asked and CONSENT to changing the security setting. Allowing any addon to do this without the user's knowledge is most definitely a design flaw.

  3. Re:Let THE USER Decide by William+Baric · · Score: 4, Insightful

    I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

  4. Re:Let THE USER Decide by paulatz · · Score: 3, Insightful

    The FA says you are still allowed to infect your pc with all the malware you want from the addon homepage. Did you try to RTFA but were stopped by ad popups?

    --
    this post contains no useful information, no need to mod it down

  5. Re: Let THE USER Decide by bickerdyke · · Score: 4, Insightful

    The user CAN NOT decide if the probably unwanted stuff is slipped to him secretly.

    It would be different if the user was warned during plugin installation "Hey, we're going to mess with your browser security setting and will install stuff that would trigger your virus alert, but - just to avoid that confusion - we will disable your antivirus while we're at it. OK?"

    THAT would be "let the user decide".

    --
    bickerdyke

  6. Re:other browsers with Firefox-like add-ons by sexconker · · Score: 4, Insightful

    It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.

    It does.

    Programs that aren't written by morons should ask you if you want to install it for the current user only (no UAC required) or for the whole system (UAC required).

    For the user, HKEY_CURRENT_USER\Software in the registry is like the opt directory.
    But so is %USERPROFILE%\AppData\. And in AppData you have Local, LocalLow, and Roaming.

    The %APPDATA% variable points to Roaming by default, while the Local directory is for shit specific to the PC (shouldn't roam), or is too big to roam. LocalLow is a "low integrity" directory. Allegedly things like plugins and add-ons should store their shit there and not be able to write to the Local directory.

    For the system, you have HKEY_LOCAL_MACHINE and %ProgramData%.

    The problems are:

    1 - Morons write programs and demand full access to the whole system regardless of whether or not they need it.

    2 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the registry, in both HKLM and HKCU. Even when it's documented, it's fucking wrong (I'm looking at you, Adobe).

    3 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the various %USERPROFILE%\AppData\ folders and the %ProgramData% folder.

    4 - Morons write programs and store even more configs in the program's installation folder or other random places (like the Documents library).

    Any one of these things alone is annoying, but programs often do all 4. This makes figuring out configs even harder - does the registry override settings.ini in the program folder? Or perhaps the profile in %AppData% wins out. What about the settings in %ProgramData%? Which registry settings are in HKLM vs HKCU? Why isn't anything in %AppData% or %ProgramData% or even the fucking registry cleared out when I uninstall?

    It's a mess because developers are morons and Windows lets morons make a mess of things in several ways.