Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)

757 points shak77 | 1 comments | 15 Dec 17 13:47 UTC | HN request time: 0.286s | source

Show context

blauditore ◴[15 Dec 17 16:23 UTC] No.15932880[source]▶

Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #

kryptiskt ◴[15 Dec 17 17:58 UTC] No.15933656[source]▶

>>15932880 #

The major problem is that they installed an add-on without properly communicating what it was. A somewhat smaller problem but still a big problem is that was an utterly frivolous add-on that shouldn't have been pushed to people who didn't explicitly want it. But the biggest problem is that Mozilla seems to have trouble understanding why any of those two would be a problem, I want my browser vendor to be serious and not play silly games that can so easily backfire.

Yeah, add-ons from Mozilla merits the same trust as the browser. But this cuts both ways, this stuff undermines my and probably more people's trust in the browser.

replies(7): >>15933923 #>>15934093 #>>15934185 #>>15934482 #>>15934861 #>>15934910 #>>15935508 #

UmmNope ◴[15 Dec 17 18:54 UTC] No.15934093[source]▶

>>15933656 #

The major problem was building a feature into the product that allowed for pushing add-ons without users knowledge much less active consent in the first place, there is no benign use for this kind of functionality.

replies(3): >>15934146 #>>15934171 #>>15934553 #

TheRealPomax ◴[15 Dec 17 19:05 UTC] No.15934171[source]▶

>>15934093 #

you mean the automatic update process, which can change every single byte of every file in every directory under Firefox's control? Because unless you want to live in a world where your browser can't automatically apply security patches and upgrade critical components, the fact that the application can update itself is very much not the actual problem (and with the new web extension addon system rathern than the old XUL system, addons are actually way less security-compromising-in-potentio than updates to the actual browser itself)

replies(4): >>15935556 #>>15935863 #>>15937382 #>>15941172 #

1. Zancarius ◴[16 Dec 17 03:41 UTC] No.15937382[source]▶

>>15934171 #

I'd argue there's a vast difference between an automatic update for something that was already manually installed, by the user, and automatically installing something without any indication to the user that it was installed. Worse, it's impossible to argue that this was even a useful extension.

I don't watch television, and I don't keep up with any popular modern shows. I had no idea what Mr. Robot was until looking through this thread, and the description text for the addon was, at first glance, suspicious. This was a terrible idea and isn't even remotely analogous to applying security updates automatically. If I have something I specifically installed, fine, I can expect those addons to be updated automatically. I don't expect them to side load something I don't even want. "Delight fans" my ass. You have to be a fan first, and I'm not even sure most people who are fans of Mr. Robot would think this is a particularly good idea.

Funny enough, the only thing I can think of that's even remotely similar to this is the "Hell, Dolly" plugin for WordPress, and that's installed out of the box as part of the distribution.

↑