←back to thread

Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)
757 points shak77 | 1 comments | 15 Dec 17 13:47 UTC | HN request time: 0s | source
Show context
blauditore ◴[15 Dec 17 16:23 UTC] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
kryptiskt ◴[15 Dec 17 17:58 UTC] No.15933656[source]
The major problem is that they installed an add-on without properly communicating what it was. A somewhat smaller problem but still a big problem is that was an utterly frivolous add-on that shouldn't have been pushed to people who didn't explicitly want it. But the biggest problem is that Mozilla seems to have trouble understanding why any of those two would be a problem, I want my browser vendor to be serious and not play silly games that can so easily backfire.

Yeah, add-ons from Mozilla merits the same trust as the browser. But this cuts both ways, this stuff undermines my and probably more people's trust in the browser.

replies(7): >>15933923 #>>15934093 #>>15934185 #>>15934482 #>>15934861 #>>15934910 #>>15935508 #
UmmNope ◴[15 Dec 17 18:54 UTC] No.15934093[source]
The major problem was building a feature into the product that allowed for pushing add-ons without users knowledge much less active consent in the first place, there is no benign use for this kind of functionality.
replies(3): >>15934146 #>>15934171 #>>15934553 #
TheRealPomax ◴[15 Dec 17 19:05 UTC] No.15934171[source]
you mean the automatic update process, which can change every single byte of every file in every directory under Firefox's control? Because unless you want to live in a world where your browser can't automatically apply security patches and upgrade critical components, the fact that the application can update itself is very much not the actual problem (and with the new web extension addon system rathern than the old XUL system, addons are actually way less security-compromising-in-potentio than updates to the actual browser itself)
replies(4): >>15935556 #>>15935863 #>>15937382 #>>15941172 #
1. michaelmrose ◴[16 Dec 17 19:00 UTC] No.15941172{3}[source]
Actually an application being able to update itself is a security issue and terrible design. Strictly speaking it should have only have write access to say its cache files and a directory where you store downloads.

Its also moronic to have a different update policy per app that is achieved in 35 different UIs.

This is the norm on windows because they were late to the party as far as a central source of software and further managed to make it an unattractive proposition and didn't get much buy in from developers.

Totally aside from the implicit security issue the ui flow is also terrible. Either each of 35 different apps runs their own update checker process in the background wasting your resources and prompting you at annoying times or when you run an app one out of n times it will prompt you to update whereupon you will ultimately have to stop doing whatever you were actually doing and let it update itself and restart.

It is truly amazing that people not only put up with this ridiculous situation but defend this as a feature.

Your system should periodically on a schedule you set update every piece of software you own and never bother you otherwise.