Most active commenters
  • bwat49(3)
  • bigbugbag(3)

←back to thread

Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)
757 points shak77 | 26 comments | 15 Dec 17 13:47 UTC | HN request time: 1.606s | source | bottom
Show context
shak77 ◴[15 Dec 17 13:47 UTC] No.15931738[source]
This is what it looks like: https://imgur.com/a/mriUw

It scared the hell out of me! Are these guys losing their minds?

It was reported as a bug and the response thus far is indeed underwhelming for such a severe issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1424977

replies(2): >>15931793 #>>15931902 #
1. bwat49 ◴[15 Dec 17 14:15 UTC] No.15931902[source]
It wasn't supposed to be visible on the addons page
replies(2): >>15931947 #>>15932098 #
2. mark-r ◴[15 Dec 17 14:21 UTC] No.15931947[source]
I don't think that makes it better. Knowing that there's a way to get an addon installed invisibly is going to be more justification for paranoia.
replies(2): >>15931973 #>>15932176 #
3. bwat49 ◴[15 Dec 17 14:24 UTC] No.15931973[source]
You can disable these studies under Options | Privacy and Security
replies(3): >>15932013 #>>15932116 #>>15933206 #
4. _red ◴[15 Dec 17 14:29 UTC] No.15932013{3}[source]
I hate the fact that Firefox increasingly makes me jump through all sorts of hoops to find all the hidden options to turn off their various spyware attempts. Its the Win10 of browsers...
replies(2): >>15932079 #>>15936522 #
5. teddyfrozevelt ◴[15 Dec 17 14:36 UTC] No.15932079{4}[source]
Going through your browser settings really is quite the hoop.
replies(3): >>15932141 #>>15932148 #>>15933044 #
6. zzzeek ◴[15 Dec 17 14:40 UTC] No.15932098[source]
that would be worse
replies(1): >>15938424 #
7. falava ◴[15 Dec 17 14:42 UTC] No.15932116{3}[source]
You should opt in, not opt out
8. _red ◴[15 Dec 17 14:46 UTC] No.15932141{5}[source]
Yeah, its so intuitive for the average person to type: about:config in address bar and scroll through hundreds of oddly named parameters to turn off spyware.

Comments like yours are illustrative of a certain mindset. When you encounter the complexity of domains you are not intimately familiar with (court system, law, finance, etc), and those complexities are designed specifically to make it hard for you to protect yourself, I'm sure you are just as understanding as you are now.

replies(2): >>15932193 #>>15932306 #
9. linkmotif ◴[15 Dec 17 14:47 UTC] No.15932148{5}[source]
It is.
10. dahart ◴[15 Dec 17 14:50 UTC] No.15932176[source]
There almost certainly is not a way to invisibly install add-ons, unless you are part of Mozilla, and, you know, making Firefox. If paranoia is your thing, it might be worth considering that Mozilla can do anything it wants inside Firefox core, all of it is "invisible" to you.
replies(2): >>15932415 #>>15932871 #
11. ◴[15 Dec 17 14:52 UTC] No.15932193{6}[source]
12. bwat49 ◴[15 Dec 17 15:08 UTC] No.15932306{6}[source]
You're being hyperbolic, you don't need to go into about:config.

It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be

replies(2): >>15935448 #>>15936535 #
13. bo1024 ◴[15 Dec 17 15:24 UTC] No.15932415{3}[source]
Yes and a big part of this entire issue is users deciding whether we can trust Mozilla with that power or not.
replies(1): >>15938406 #
14. kuschku ◴[15 Dec 17 16:22 UTC] No.15932871{3}[source]
And this is the point where even the most Mozilla-supporting users move away. For me, this is it, I’m going to Chromium.

Fuck this shit, in the past months we had CliqZ https://news.ycombinator.com/item?id=15421708, we had Mozilla adding new telemetry, we had Mozilla force-enable toolkit.telemetry.enabled, we had Mozilla say that, if you download Nightly, that is considered opt-in to tracking, we had Mozilla put Google Analytics into the Addons menu (because it’s loaded from addons.mozilla.org: https://github.com/mozilla/addons-frontend/issues/2785 ), and we had Mozilla say that, if we don’t trust Google, we shouldn’t use Firefox.

Fuck this.

replies(3): >>15933274 #>>15933605 #>>15936508 #
15. mynewtb ◴[15 Dec 17 16:43 UTC] No.15933044{5}[source]
How are you supposed to do turn the defaults to a reasonable level of privacy without launching Firefox once though?
replies(1): >>15934513 #
16. arprocter ◴[15 Dec 17 17:06 UTC] No.15933206{3}[source]
Preferences/Options -> Privacy and Security -> Allow Firefox to install and run studies
17. Danihan ◴[15 Dec 17 17:15 UTC] No.15933274{4}[source]
Great points, thanks for compiling these..

I was using firefox because I don't trust google. ;(

18. programd ◴[15 Dec 17 17:54 UTC] No.15933605{4}[source]
Regarding telemetry, take a look at the settings in about:config. There are several toolkit.telemetry.Ping settings which are set to true by default. In the spirit of charity I'm going to assume that those phone home pings - on startup, shutdown, update - are not enabled unless telemetry is enabled. But I have not checked...
19. takeda ◴[15 Dec 17 19:54 UTC] No.15934513{6}[source]
I remember it was asking if I want participate in studies when I installed FF for the first time.
20. JadeNB ◴[15 Dec 17 21:43 UTC] No.15935448{7}[source]
> It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be

If you asked me "where would you go to change settings to prevent the browser from violating your privacy and infringing on your security?", then, yes, I would go to "Privacy and Security". If, however, you asked me "what would you expect to find under 'Privacy and Security'?", my answer would be that that's where I would go to protect myself from malicious websites, not from malicious browsers.

(I know that 'malicious' is quite, and almost certainly too, strong here, but the point is that I think, and am explicitly encouraged to think, of Mozilla as being on my side against the sites I visit, and I don't think it's natural to expect that I will start thinking of how I need to protect myself from Mozilla to use their products in the way that I, rather than they, intend.)

21. bigbugbag ◴[16 Dec 17 00:26 UTC] No.15936508{4}[source]
Alternatively you can give waterfox[1] a try.

Features

    Disabled Encrypted Media Extensions (EME)
    Disabled Web Runtime (deprecated as of 2015)
    Removed Pocket
    Removed Telemetry
    Removed data collection
    Removed startup profiling
    Allow running of all 64-Bit NPAPI plugins
    Allow running of unsigned extensions
    Removal of Sponsored Tiles on New Tab Page
    Addition of Duplicate Tab option
    Locale selector in about:preferences > General
[1]: https://www.waterfoxproject.org/
22. bigbugbag ◴[16 Dec 17 00:28 UTC] No.15936522{4}[source]
There's an extension for that called privacy settings[1] it exposes all the settings in one easy place.

I also recommend waterfox instead of firefox.

[1]: https://addons.mozilla.org/en-US/firefox/addon/privacy-setti... [2]: https://www.waterfoxproject.org/

23. bigbugbag ◴[16 Dec 17 00:31 UTC] No.15936535{7}[source]
If what you say is true, please point me to where I can find the following privacy settings in the main preferences:

  network.websocket.enabled
  network.IDN_show_punycode
  dom.event.clipboardevents.enabled
  dom.storage.enabled
  dom.indexedDB.enabled
  dom.battery.enabled
  dom.enable_user_timing
  dom.enable_resource_timing
  dom.netinfo.enabled
  layout.css.visited_links_enabled
  browser.safebrowsing.phishing.enabled
  browser.safebrowsing.downloads.remote.enabled
  browser.safebrowsing.malware.enabled
  browser.send_pings
  beacon.enabled
  privacy.donottrackheader.enabled
  privacy.trackingprotection.enabled
  dom.enable_performance
  datareporting.healthreport.service.enabled
  datareporting.healthreport.uploadEnabled
  toolkit.telemetry.enabled
  toolkit.telemetry.unified
  media.peerconnection.enabled
  media.peerconnection.ice.default_address_only
  media.peerconnection.ice.no_host
  media.eme.enabled
  media.gmp-eme-adobe.enabled
  webgl.disabled
  geo.enabled
  camera.control.face_detection.enabled
  device.sensors.enabled
  security.tls.unrestricted_rc4_fallback
  security.tls.insecure_fallback_hosts.use_static_list
  security.ssl.require_safe_negotiation
  security.ssl.treat_unsafe_negotiation_as_broken
replies(1): >>15938362 #
24. justinclift ◴[16 Dec 17 07:38 UTC] No.15938362{8}[source]
Errr... is "dom.enable_performance" really a privacy setting?

Doing someone online searching now, not seeing an explanation for it. There is one other HN post though, also mentioning it in a privacy context, but not further info either. :/

25. Sylos ◴[16 Dec 17 07:52 UTC] No.15938406{4}[source]
And he's saying that this occurence should have no effect on this decision, not in any rational mind.
26. Sylos ◴[16 Dec 17 08:00 UTC] No.15938424[source]
How exactly? Whether they push out code to you by just changing the binary or by installing an extension makes no difference. In fact, pushing it out as an extension, means they actually have less control over your browser, because are bound to the restrictions that extensions have.

Every browser vendor has this control over you when you use their browser. Some have even more, because they don't even need to tell you about it when they're closed-source.