Most active commenters
  • Wowfunhappy(5)

←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 14 comments | 04 May 19 01:31 UTC | HN request time: 0.758s | source | bottom
Show context
Wowfunhappy ◴[04 May 19 02:12 UTC] No.19823890[source]
This is why users need to be in control of their own computers. Why can't I tell my copy of Firefox to ignore the certificate? Why can't I sign my own extensions?

Mistakes happen, it's okay. But users should be empowered to work around them.

replies(9): >>19823918 #>>19823919 #>>19823921 #>>19823930 #>>19824013 #>>19824265 #>>19824275 #>>19824334 #>>19824438 #
ehsankia ◴[04 May 19 02:19 UTC] No.19823919[source]
> Why can't I tell my copy of Firefox to ignore the certificate? Why can't I sign my own extensions?

The issue is that if you leave any sort of lever that reduces security, it will be abused by bad actors. This is why browsers are having ever decreasing ways to bypass security and have full access. It is annoying, but at the end of the day, protecting 99.999% of the users trumps what us power users want.

replies(4): >>19823956 #>>19823992 #>>19824076 #>>19825643 #
1. userbinator ◴[04 May 19 02:29 UTC] No.19823956[source]
protecting 99.999% of the users

It is horribly paternalistic to advocate for keeping users ignorant, unlearning, and --- dare I say it --- easily manipulated.

I will refrain from mentioning again that infamous Franklin quote. I am frankly very fucking pissed off by this authoritarian walled-garden trend, and vehemently oppose anyone who helps this industry put the nooses around the necks of others as well as their own.

replies(4): >>19823984 #>>19824236 #>>19824346 #>>19824781 #
2. macintux ◴[04 May 19 02:34 UTC] No.19823984[source]
I’ve been in software development and operations for 25 years.

I still don’t want to have to understand everything I ever touch, even if I could.

replies(3): >>19823998 #>>19824018 #>>19824143 #
3. Wowfunhappy ◴[04 May 19 02:37 UTC] No.19823998[source]
I'm not understanding the relationship. Of course users aren't going to understand all the underpinnings of how software works.

I do think that in the future, it will be imperative for everyone to have some level of technological literacy above what is currently the average. And I'd like to work to get to that point, instead of taking all the tools away because they're too dangerous.

Also, sensible defaults are good! Hiding dangerous settings is also good! What's not okay is making those settings completely unavailable. At least in Firefox's case you have the option to recompile the source code, but that should not be the only recourse...

replies(1): >>19824249 #
4. swiley ◴[04 May 19 02:41 UTC] No.19824018[source]
"don't run privileged code from people you don't trust." Is both critically important to understand for anyone using a network connected computer and not at all complicated.

If we're going to be authoritarian I would rather ban anyone who doesn't understand that from connecting to the internet then have a broken walled garden.

replies(1): >>19824115 #
5. datguacdoh ◴[04 May 19 03:03 UTC] No.19824115{3}[source]
> "don't run privileged code from people you don't trust." Is both critically important to understand for anyone using a network connected computer and not at all complicated.

That is absolutely complicated for the vast majority of the world's internet users. No one else is my family would understand what the hell "privileged code" means and shouldn't have to.

replies(1): >>19824260 #
6. mrob ◴[04 May 19 03:09 UTC] No.19824143[source]
>I still don’t want to have to understand everything I ever touch

If you don't understand it, don't touch it. The default settings should work for most users. There can even be a warning against touching without understanding, like with Firefox's about:config. The offensive thing is preventing users from touching even if they do understand.

replies(1): >>19827332 #
7. simcop2387 ◴[04 May 19 03:28 UTC] No.19824236[source]
The issue here is that this wasn't done in a vacuum. Other software vendors were secretly and deceptively installing extensions that were tracking everything users were doing online.
8. ◴[04 May 19 03:30 UTC] No.19824249{3}[source]
9. Wowfunhappy ◴[04 May 19 03:32 UTC] No.19824260{4}[source]
The statement can be simplified down to "don't run programs downloaded from random websites which ask for your admin password."

Adjust the qualifier at the end depending on your platform. On Windows, it might be apps that present a UAC dialogue—or maybe just remove the qualifier, since Windows doesn't do much sandboxing by default.

10. lvh ◴[04 May 19 03:56 UTC] No.19824346[source]
Most people do not know what a manifest.json is or what sort of permissions they're handing to a random WebExtension.

If you want your freedom from reviewed extensions: fine, get an unbranded Firefox, or Developer edition, and you get that.

replies(1): >>19826819 #
11. shstalwart ◴[04 May 19 06:22 UTC] No.19824781[source]
Completely agree. Using firefox feels more and more like using an iThing.
12. Wowfunhappy ◴[04 May 19 14:58 UTC] No.19826819[source]
A Developer Edition is unstable, so I wouldn’t want to use that.

If you can recommend an fork that allows extension sideloading but is kept up to date, please do so, I’ve been looking...

replies(1): >>19826972 #
13. Wowfunhappy ◴[04 May 19 15:20 UTC] No.19826972{3}[source]
Okay, figured it out. Thank you for giving me the search term "Unbranded Firefox"—I didn't realize this referred to something specific.

Unbranded Firefox is actually a specific version of Firefox distributed by Mozilla, which allows you to disable extension signing requirements. I am very glad to see that they offer this, and I will be using it from now on.

https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...

14. sfink ◴[04 May 19 16:14 UTC] No.19827332{3}[source]
The difficulty is in how to keep them available to end users while keeping them unavailable to malware and bad actors who post "helpful" advice or publish temporarily useful addons that get updated to malware.

I'm not disagreeing with you, but the right mechanism is not straightforward to figure out, and you'll always be in a game of cat and mouse. One that sucks resources from whatever other useful stuff you might be spending your (or Mozilla's) time on.