Slashdot Mirror
Mozilla To Drop Support For All NPAPI Plugins In Firefox 52 Except Flash (bleepingcomputer.com)
The Netscape Plugins API is "an ancient plugins infrastructure inherited from the old Netscape browser on which Mozilla built Firefox," according to Bleeping Computer.
But now an anonymous reader writes: Starting March 7, when Mozilla is scheduled to release Firefox 52, all plugins built on the old NPAPI technology will stop working in Firefox, except for Flash, which Mozilla plans to support for a few more versions. This means technologies such as Java, Silverlight, and various audio and video codecs won't work on Firefox.
These plugins once helped the web move forward, but as time advanced, the Internet's standards groups developed standalone Web APIs and alternative technologies to support most of these features without the need of special plugins. The old NPAPI plugins will continue to work in the Firefox ESR (Extended Support Release) 52, but will eventually be deprecated in ESR 53. A series of hacks are available that will allow Firefox users to continue using old NPAPI plugins past Firefox 52, by switching the update channel from Firefox Stable to Firefox ESR.
These plugins once helped the web move forward, but as time advanced, the Internet's standards groups developed standalone Web APIs and alternative technologies to support most of these features without the need of special plugins. The old NPAPI plugins will continue to work in the Firefox ESR (Extended Support Release) 52, but will eventually be deprecated in ESR 53. A series of hacks are available that will allow Firefox users to continue using old NPAPI plugins past Firefox 52, by switching the update channel from Firefox Stable to Firefox ESR.
Thanks Trump
ESR releases are only all 7 releases. So the one after firefox 52 will be 59.
I must be an idiot. I read TFA and I have no idea if AdBlock Plus, Ghostery, NoScript, etc. will continue to work.
What will break? What will continue to function normally?
"We have announced today that we will be dropping support for all plugins, except the one that's really the problem judging by the security advisories. You can expect your specialty software to stop working immediately, while the security-hazard that is Flash will continue to work for several, pointless version number bumps."
If it weren't for mistakes the Mozilla Foundation wouldn't be good at making any fucking thing.
Blocking NPAPI, *execpt* the worst of them all, security ala mozilla, like we know it for years. Running out of ways to piss off every single admin on the planet, are we...?
Which is the absolute champion in vulnerabilities exploited by hackers, tracking, malware and every possible kind of crap, including banners, which is the only reason it is still exist and pushed by the browser vendors.
How do I tell which plugins are NPAPI? It really doesn't say under the plugins tab.
5 years ago, part of my job was keeping an NPAPI plugin running on the Mac. Apple had transitioned their support to a new graphics and event model and it was a lot of work refactoring our plugin. And of course, that ended up being wasted time we should have spent transitioning to writing a Javascript version of our app.
When Google Chrome pulled support for plugins on the PC, I had to use Mozilla Firefox for a Java app that my business bank uses for check deposits at home. Looks like that is going away. It'll be interesting to see if the business bank will move away from Java or keep it. I'll have to download the app on my iPhone.
just pick a low performance html browser to obscure it's name as MyCompProgr, and just keep writing your main shit in C as an application server to dish out to clients.
websites were supposed to be a compeying standard similar to Portable Document Format so whatis all this shit graduating to Java and AppleScript anf Flash?
1.1 Drop feature
1.2 Drop feature
...
1.(n-1) Drop feature
1.n Drop product altogether
2. ???
3. Profit!
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Flash Player is the one to ditch first. Everyone is doing it, but not the ever slow (and not so free) Firefox.
JavaScript can at-least becustom-handled by NoScript, but Flash is the Secure JavaScript mode so needs an outside engine to run the shit without interference.
and remember: never forget that tge crap we call media presentation in Flash or Javascript was all derived of a branch known as APPLEscript.
All this nonunix shit problems werent from Macrosh1t Wangblows N1ggert Exploder but actual Apple Computing inspirations. Netscape and it's neighboring Mosaic engine browsers just need to cut out Javascript from descending as a 3rd testicle.
There really is no benefit in replacing native plugins with a strictly inferior technology - Javascript instead of the language of your choice and then removing the former. This is just another closing down of an ecosystem for the sake of nonexistent "security" under the obviously dubious presumptions that the developers of the base technology are more competent about security than plugin developers and that users need to be constantly patronized. Instead, they should open a native plugin technology to as many languages as possible and let people decide what language to use and which developer to trust.
But you can see this trend everywhere. Less power to users and third-party developers and more control to the people who run the "platform".
Flash only has so many security vulnerabilities discovered and fixed because its so popular. The other add ons are similarly insecure, they just don't get used by the malware authors because there is too few users to target.
And the idea with flash is to move it to use PPAPI (project mortar) and then continue to work towards its deprecation.
To much IT hardware needs java for management. LIke switch admin, IPMI's, others.
As a general principle, anything that tends to disable large amounts of good working software is a bad idea. Even if a particular mechanism must be retired, surely it isn't beyond Mozilla's ingenuity to find some way of letting existing plugins go on working somehow. A shim layer of some kind?
I am sure that there are many other solipsists out there.
I certainly don't disagree that Flash should be taken out and shot on security grounds; but it is pretty much the last NPAPI plugin that you are likely to piss users off by dropping support for. iOS got away with it; but Safari continues to support it(though grudgingly); Chrome killed NPAPI; but the 'Pepper' plugin interface appears to exist primarily to support Flash; Edge also whitelists Flash; and Flash on Android died mostly because Adobe couldn't make it work very well; not because Google shoved them off the platform.
Given Mozilla's less-than-commanding presence in the browser market; I suspect that they can't afford to take a hard line on flash right now.
USE THIS: ghostery-5.4.10-sm+an+fx.xpi Link: Version 5.4.10
USE THIS: snap_links_plus-2.4.3-sm+fx.xpi Link: Version 2.4.3
Guess we'll be keeping old versions of firefox et al around so we can continue to access management interfaces to enterprise devices/processes.
Yeah...you obviously don't understand malware authors. At all.
Malware authors will use any and every attack vector available to them in order to get their payload installed on your system, period. The fact that they're "not as popular" doesn't enter into the equation.
But hey, I'm willing to prove you wrong using the garbage you spouted out of your own mouth. The other addons are "similarly insecure," are they? Please cite your sources. Go ahead, mention one plugin with as many vulnerabilities as Flash and post links to those vulnerabilities. I'll do what you won't, here's a fairly comprehensive list:
https://packetstormsecurity.co...
Over 400 results, on one website that tracks vulnerabilities, for Adobe Flash. Over 400 security advisories for Flash itself, distributions and software that make use of it.
Your turn. Or are you just talking out of your ass like the rest of the low ID lusers that the moderation system is bumping to the top these days?
The Mozilla _Corporation_ does all the software stuff. It is owned by the Foundation, but the latter is a smaller group of people doing educational programs and such. It has nothing to do with the software. Almost every time you hear talk of "Mozilla," it's the corporation.
No, this is good news. Flash isn't the only bad plug-in out there, and by only supporting just that one they can more heavily sandbox it like Chrome does. Flash vulnerabilities typically are mitigated in Chrome anyway, only being of much danger to Firefox and IE users.
Adobe Reader, Java and numerous anti-virus plug-ins are all just security nightmare crap that are long overdue for deprecation. Unfortunately a lot of people still like Flash but at least once (now?) most sites have moved to HTML5 for video it can be made click-to-play, mitigating drive-by attacks and annoying ads. Since putting out a browser that doesn't support Flash would be considered "broken" by a lot of users (well, at least 3 of the 5 remaining ones) this is the best possible option at the moment.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I said discovered and fixed, not existing. I didn't dispute that Silverlight had less security vulnerabilities discovered and fixed.
I've been using Firefox since the early versions and it is only in the last couple of years that it has given me any problems. The most frustrating is strange crashes on mainstream websites, on multiple platforms. By far the worst Firefox version is on Android which really pisses me off. I like checking in on several websites on my Android tablet of a morning and Firefox crashes more than once a day and I am really sick of that stupid sorry message...
I also use Firefox on Linux and Windows - both have problems - and the only reason I keep using it is the support for plugins and extensions that I want and that Chrome does not support on Android. If Mozilla screws with those, there is no reason to just move to Chrome and forget about Firefox. While I do not think that Mozilla will care about the loss on one user, I suspect there are more people in a similar position which is why Firefox has been losing market share for a while. Maybe someone will fork Firefox and Mozilla will just fade away.
Chrome is the only browser I use on my work PC and is used at home for Netflix on Linux. It isn't terrible, just lacking some of the extension I have on Firefox that make it inconvenient to use.
How do you enforce such an exception? By filename? By some kind of digital key?
And why pick Flash? I don't use it (there is no FreeBSD-variant), but I do use the Java-plugin to control an old (but still nicely functional) network switch. Did Adobe pay the Mozilla Foundation to retain the exception — while Oracle refused to pay for Java?
Anyway, hopefully, it will remain possible to disable the "feature" at compile-time...
In Soviet Washington the swamp drains you.
Left flash enabled? Gah, that's like the worse plugin of all. Should disable it and leave everything else alone.
Safarion macOS supports Flash with a lot of questions like, "Are you really sure you want to install this?" The last time I needed Flash, I had to give admin privs to install the plugin, then turn on plugins generally in Safari (all NPAPI plugins were off by default), then allow Flash specifically to work on whitelisted sites (or allow for all sites). Apple made it a pain to open your box up to attack via Flash. Mozilla should have emulated macOS: ship with NPAPI off by default, allow plugins to be turned on, and whitelist sites with access to plugins.
Adobe Reader, Java and numerous anti-virus plug-ins are all just security nightmare crap that are long overdue for deprecation.
Java could be configured to only run signed code with whitelisted signatures and addresses and didn't even run applets by default in recent versions. It was safe for internal applications and a passable solution when you needed full access to the local system from a "website" .
Adobe Reader still beat the built-in of Firefox on low powered devices last time I checked, of course any native PDF readed was infinitely more responsive than whatever code monster mozilla devs created.
Will ilo/idrac for gen7/8 servers be possible to remote control with any browser now? I don't think so, chrome already dropped support and Dell/HP doesn't update their ilo/idrac firmware anymore. It's essentially impossible to reinstall such servers now, because won't use IE6 and my HP machines cannot boot on "big" usb sticks that are required for any modern OS (win2012r2).
ghkdyjryjrsyjsrj
It's decisions like this that make me believe in God with an absolutely pure, inviolable faith. Divine intervention is the only explanation for this decision - it had to come straight from God, since no one on earth could have thought of it.
Actually, I haven't been able to fathom the decisions coming out of Mozilla for some time now. The current version number almost says it all. How can you get excited about a new Firefox release with any feature, when it's just another rapid release. It could have true hard AI and no one would notice any more. It would get lost in the staggeringly mediocre array of non-features nobody wants, forced UI changes, broken addons, ripped out plugins, and developers that decide they know more about what people want than the users do.
Firefox adopted Google's rapid release cycle on a project that it was neither technically nor culturally suited for. One has to actually admire their dogged persistence to holding this course in the face of what is an almost a completely unified chorus of "WHAT THE FUCK PEOPLE?!?!?".
I recommend Palemoon. A fork of an earlier Firefox LTR, it has refused to add features unless they make sense, it is compatible with most addons, and has a growing body of its own native addon developers that are quite loyal to the project for the simple reason that the project remains loyal to them. That's not to say that it's a static browser. Just one that took the best of what Firefox was and decided to continue in the direction of sensible goals and not alienating its user base.
"Flash only has so many security vulnerabilities discovered and fixed because its so popular."
It has seemed to me that Flash has so many security vulnerabilities because Adobe Systems is selling vulnerabilities to secret U.S. government agencies.
You can use any programming language you want, so long as you have access to a compiler to compile it into JavaScript. Treat JavaScript as an object code format, not the source code. That's what asm.js was supposed to be about: a subset of JavaScript that the JIT engine can convert trivially for which things like Emscripten can generate code.
Recent Java versions prompted users to enable an applet before it was run, flash still doesn't.
Yes it does, at least for the past several years. There used to be a Firefox extension called Flashblock that prompted users to activate each SWF object on a site that the user hasn't added to the extension's whitelist. Nowadays, Firefox itself includes click-to-play for Flash Player. But no matter how activated, SWF click to play behavior used to be an effective plausibly deniable ad blocker until the iPad took off and ad networks got the "mobile first" hint.
Pale Moon is a long-established fork of Firefox that, among other things, is maintaining NPAPI support.
not quite, Adobe and Flash are in a class of their own, the sheer extent and severity of vulnerabilities far outstrips any other piece of software including those with much larger user bases.
I like Firefox since it isn't a mystery box like Chrome. I use a bunch of plugins like adblock, too. I've never really looked into alternative browsers since Firefox just kind of showed up along with an operating system installation some years back and hey, this works well so good enough for me.
Since I run Centos I don't imagine there's any rush to change to anything else in the near future, but what's the best non-intrusive web browser to use that isn't going to try to take over my life or computer?
elinks works for some things but it's not very pretty and doesn't work with numerous modern websites.
If you're a zombie and you know it, bite your friend!
I still have to interact with Java applets for my bank and my employer, so this move will basically kill Firefox for me.
in the head, twice, just to make sure.
Also, as browsers start to emulate the extra functionality that used to be provided by plugins, it is logical to assume based on past performance that they will probably start to suffer from related security issues as well.
But let's not let facts get in the way of bashing web technologies more than a year or two old and promoting replacement technologies that aren't necessarily as capable as the old ones, because that would totally spoil all the fun.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I notice you failed to address my challenge to you in any way. I assume that is because I was right and you were wrong. Why? I asked you for evidence to back up your claim and instead, you posted a two-sentence argument over semantics. I, on the other hand, actually presented evidence to support my claim.
So it's obvious at this point that yes, you are talking out of your ass. Typical. I won't waste any more time on you, you're participating in a discussion that you aren't intellectually qualified for.
If you'll excuse me, there are intelligent people in this thread to discuss with. You aren't one of them. Go back to reddit.
Flash only has so many security vulnerabilities discovered and fixed because its so popular.
Now that is an amazingly backwards attribution of causality. Yes, there is a higher incentive to exploit software that is more popular - but incentives do not predict results.
Thanks for the suggestion. I'll try it.
Anyone know if SeaMonkey will be maintaining plugin API compatibility?
Over how low the user population will have to go before Mozilla realizes it is on the wrong path?
Pale Moon no longer supports Ghostery.
I forgot to mention: Tab Mix Plus
No only the Mozilla Foundation, but many technology organizations are poorly managed. Any theories about why that is so?
I still have some older management interfaces (networking stuff for example) that rely on a java interface.
Either do it for everything or nothing.
I notice you failed to address my challenge to you in any way.
because you "challenged" him to something he wasn't arguing.
If you add the plugin.load_flash_only preference to about:config (and then turn it off) you will temporarily re-enable NPAPI plugins in Firefox 52. This is useful because you can turn it on in normal (pre-version 53) Firefox, and then update to 52 ESR once that is released, to keep people on a supported version until 2018 while you migrate away from plugins.
Thanks for saying that. Apparently you mean Firefox is moving to extensions and away from add-ons. I don't know the difference. I only know that there have been add-ons, exensions, and plugins, 3 names for what seems the same to users.
It's amazing how bad Mozilla Foundation is at communicating.
The Classic Theme Restorer author is saying we will be forced to use the new Firefox theme.
"A series of hacks"
Nope, these aren't hacks, they are simple settings.
And there is a much easier way. Download the f*cking ESR-Release, unzip it and use it instead of the normal release. This even works coming from a newer version (nobody will guarantee you a smooth downgrade, but normally it works without major problems).
And on the other hand, the ESR will only delay the change. ESR is similiar to stopping upgrading firefox, but guarantees you security patches until the next ESR superseedes the current one.
This move from Mozilla foundation is consistent with what we have seen happening with Chrome, Edge. It has been initiated long by Apple which decided to drop flash support on their mobile device.
The motivation of these move are well known: less battery usage, more security. For general public it is justified.
However there are a whole range of corporate application that relied and still rely on plug-ins. Not just flash. So deep down, by not providing at least a supported version of browser with plugin, the industry is building a monolithic platform ...again. Single language, single platform. Its about control not user choice.
The argument that HTML5 is now mature enough does not fly very far. Mature enough for common web app sure. But it you start using advanced feature such as WebRTC, you'll start seeing glitches and incompatibilities that pushes some service to advertize "please use Chrome" ...
The fact is that now people in general (users, developers and software editors) are techno racists. They want security and despite technology that is not 'like them'. So the prefer to slam the door and drop the plugins and by decree ban any foreign technology from our beloved HTML / JS free platform.
This is unfortunately consistent with the behavior of the political world of today ...
Disconnect looks good. It works with Pale Moon. Ghostery doesn't.
... This Squarespace ad on this page taking up 1/3rd of the vertical screen space, with persistence as I scroll down, is way the fuck too annoying. I won't even read the other comments on this story. And no, I won't click on the side square that seems to be a collapse button. Too many experiences with doing that acting like a click elsewhere.'
Please require your ads to be a little less intrusive, Slashdot!