←back to thread

Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)
757 points shak77 | 2 comments | 15 Dec 17 13:47 UTC | HN request time: 0.526s | source
Show context
blauditore ◴[15 Dec 17 16:23 UTC] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
xg15 ◴[15 Dec 17 17:23 UTC] No.15933342[source]
> If someone distrusts their add-ons, why trust their browser at all?

"Well, I'm your bank. You already gave me authority to reinvest all your savings. Why are you mad now that I invested everything into bitcoin futures?"

What exactly does "trust" mean? We might have given mozilla such a widespread access exactly because we trust them not to abuse it. Stuff like this undermine that trust.

replies(4): >>15933437 #>>15933473 #>>15933491 #>>15933526 #
jasonkostempski ◴[15 Dec 17 17:44 UTC] No.15933526[source]
Before, we didn't need to trust them, because we didn't have to. We had all the code, we could verify the code we can read is the code in the binary we use via checksums. Now the code contains the ability to go fetch arbitrary code behind our backs and run it against our will. Firefox is now malware and it's a real damn shame.
replies(1): >>15933894 #
roywiggins ◴[15 Dec 17 18:28 UTC] No.15933894[source]
> Now the code contains the ability to go fetch arbitrary code behind our backs and run it against our will.

How is that not what automatic updates are?

replies(1): >>15933916 #
1. geofft ◴[15 Dec 17 18:31 UTC] No.15933916[source]
Right. I trust my browser vendor to send me automatic updates without me reviewing because I believe that's net good for my security. I'd prefer to live in a world where I don't have to question that.
replies(1): >>15933980 #
2. roywiggins ◴[15 Dec 17 18:40 UTC] No.15933980[source]
There are definitely situations like corporate networks where automatic updates need to be quarantined and tested before rolling them out to all the machines, but since I don't pay a dedicated sysadmin to run tests on all my software on my personal computer before I receive updates, I'm content to trust my browser to update itself and hope it doesn't break anything.

It's disheartening when the update is a marketing tie-in.