    757 points shak77 | 12 comments
    blauditore ◴[] No.15932880[source]
    Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

    The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts in on studies.

    replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
    kryptiskt ◴[] No.15933656[source]
    The major problem is that they installed an add-on without properly communicating what it was. A somewhat smaller problem, but still a big problem, is that it was an utterly frivolous add-on that shouldn't have been pushed to people who didn't explicitly want it. But the biggest problem is that Mozilla seems to have trouble understanding why either of those two would be a problem. I want my browser vendor to be serious and not play silly games that can so easily backfire.

    Yeah, add-ons from Mozilla merit the same trust as the browser. But this cuts both ways: this stuff undermines my and probably more people's trust in the browser.

    replies(7): >>15933923 #>>15934093 #>>15934185 #>>15934482 #>>15934861 #>>15934910 #>>15935508 #
    1. UmmNope ◴[] No.15934093[source]
    The major problem was building a feature into the product that allowed for pushing add-ons without users' knowledge, much less active consent, in the first place; there is no benign use for this kind of functionality.
    replies(3): >>15934146 #>>15934171 #>>15934553 #
    2. lenzm ◴[] No.15934146[source]
    You could use add-ons to manage optional functionality a la Atom. Users can enable and disable add-ons to customize their browser and some come enabled by default. If you were migrating to this method of customization it would absolutely make sense to push an enabled add-on that replaces functionality you took out of the main app.
    replies(2): >>15935036 #>>15935871 #
    3. TheRealPomax ◴[] No.15934171[source]
    You mean the automatic update process, which can change every single byte of every file in every directory under Firefox's control? Because unless you want to live in a world where your browser can't automatically apply security patches and upgrade critical components, the fact that the application can update itself is very much not the actual problem (and with the new web extension addon system rather than the old XUL system, addons are actually way less security-compromising-in-potentio than updates to the actual browser itself).
    replies(4): >>15935556 #>>15935863 #>>15937382 #>>15941172 #
    4. TooFastIndeed ◴[] No.15934553[source]
    Automatically updating an already enabled add-on is hardly the same thing as silently pushing a new one.

    Security updates were and still are configurable to be installed after prompting; also, when they are installed automatically, I am notified that this has happened. There is also an implicit trust in the vendor that only security-related functionality should be changed in a security update.

    5. akamaozu ◴[] No.15935036[source]
    Why is this downvoted?

    It sounds like a valid reason for being able to auto-install add-ons.

    replies(1): >>15935140 #
    6. TooFastIndeed ◴[] No.15935140{3}[source]
    Because this is not the scenario that is being denounced here. A brand new add-on with functionality unrelated to the product is being installed without consent or even notification - that's capital M Malware peddling.
    7. okasaki ◴[] No.15935556[source]
    In Linux distributions you get it from the distribution repository, and automatic updates are disabled. So at least it's reviewed by a third party.
    8. bigbugbag ◴[] No.15935863[source]
    The automatic update process fails because it does not have the right to install software on my box. The power of setting permissions and not blindly trusting software just because it is FLOSS.

    I would not want it to have this kind of power, as the security patches and critical updates are provided by the kind people managing the distro repositories, and if it could update itself it would remove the third-party patches required because Mozilla has been refusing for 15 years to integrate correctly in my desktop environment but did integrate in the main competitor.

    9. bigbugbag ◴[] No.15935871[source]
    Is this a thing? History shows Mozilla removing functionality but never replacing it. And then it's up to volunteers to make an extension to fill the gap, until Mozilla breaks the extension or drops the extensions engine altogether.

    For example, Australis and Classic Theme Restorer.

    replies(1): >>15938443 #
    10. Zancarius ◴[] No.15937382[source]
    I'd argue there's a vast difference between an automatic update for something that was already manually installed, by the user, and automatically installing something without any indication to the user that it was installed. Worse, it's impossible to argue that this was even a useful extension.

    I don't watch television, and I don't keep up with any popular modern shows. I had no idea what Mr. Robot was until looking through this thread, and the description text for the addon was, at first glance, suspicious. This was a terrible idea and isn't even remotely analogous to applying security updates automatically. If I have something I specifically installed, fine, I can expect those addons to be updated automatically. I don't expect them to side load something I don't even want. "Delight fans" my ass. You have to be a fan first, and I'm not even sure most people who are fans of Mr. Robot would think this is a particularly good idea.

    Funny enough, the only thing I can think of that's even remotely similar to this is the "Hello Dolly" plugin for WordPress, and that's installed out of the box as part of the distribution.

    11. Sylos ◴[] No.15938443{3}[source]
    This is bullshit and you know it. If you want to shittalk Mozilla, then at least try to be honest.
    12. michaelmrose ◴[] No.15941172[source]
    Actually, an application being able to update itself is a security issue and terrible design. Strictly speaking, it should only have write access to, say, its cache files and a directory where you store downloads.

    It's also moronic to have a different update policy per app that is achieved in 35 different UIs.

    This is the norm on Windows because they were late to the party as far as a central source of software and further managed to make it an unattractive proposition and didn't get much buy-in from developers.

    Totally aside from the implicit security issue, the UI flow is also terrible. Either each of 35 different apps runs their own update checker process in the background, wasting your resources and prompting you at annoying times, or when you run an app, one out of n times it will prompt you to update, whereupon you will ultimately have to stop doing whatever you were actually doing and let it update itself and restart.

    It is truly amazing that people not only put up with this ridiculous situation but defend this as a feature.

    Your system should periodically on a schedule you set update every piece of software you own and never bother you otherwise.