Most active commenters
  • (11)
  • DoctorOetker(9)
  • inferiorhuman(5)
  • conanbatt(4)
  • megous(4)
  • fjsolwmv(4)
  • bilbo0s(4)
  • robolange(4)
  • nanis(3)
  • DangerousPie(3)

←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 186 comments | 04 May 19 01:31 UTC | HN request time: 4.372s | source | bottom
1. rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
2. brador ◴[04 May 19 10:31 UTC] No.19825596[source]
What is Normandy?
replies(2): >>19825604 #>>19825613 #
3. xvector ◴[04 May 19 10:32 UTC] No.19825603[source]
Thanks. This must be terribly stressful to you.
replies(1): >>19825634 #
4. megous ◴[04 May 19 10:33 UTC] No.19825604[source]
https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout
replies(1): >>19825619 #
5. LaurentD2 ◴[04 May 19 10:34 UTC] No.19825612[source]
Meanwhile, as the "partial fix" is deployed, here is what I think fixed the issue for me: in the Preferences, under "Privacy & Security", check "Allow Firefox to install and run studies" (then wait for the current hotfixes to appear in about:studies then restart the browser).
6. ◴[04 May 19 10:34 UTC] No.19825613[source]
7. chinathrow ◴[04 May 19 10:36 UTC] No.19825619{3}[source]
So is that a backdoor into my prefs? How can I check if Normandy is active on my installation?
replies(2): >>19825625 #>>19825696 #
8. user17843 ◴[04 May 19 10:37 UTC] No.19825623[source]
Thanks! Do you know how many active users were affected by this certificate error and subsequent addon disabling? I guess most users were spared due to the timing and short duration of the error.
replies(1): >>19825774 #
9. verdandi ◴[04 May 19 10:38 UTC] No.19825625{4}[source]
Type about:config in the address bar and search for 'app.normandy.enabled' flag.
replies(3): >>19825647 #>>19825659 #>>19826386 #
10. dageshi ◴[04 May 19 10:40 UTC] No.19825631[source]
Is it weird that this problem only happened to me (add ons all being disabled) roughly 10 minutes ago?

I was browsing fine this morning for maybe four hours and now all my plugins/addons are gone.

replies(3): >>19825650 #>>19825660 #>>19825663 #
11. tripzilch ◴[04 May 19 10:41 UTC] No.19825634[source]
Meanwhile, having to browse the web without an adblocker has been nothing but relaxing for everybody else.
replies(3): >>19825898 #>>19829308 #>>19834224 #
12. DoctorOetker ◴[04 May 19 10:45 UTC] No.19825647{5}[source]
here the flag is true but the extensions are still unsupported
replies(1): >>19825801 #
13. lawl ◴[04 May 19 10:46 UTC] No.19825650[source]
The check is done every 24 hours and it seems for you these 24 hours were over roughly 10 minutes ago.
14. inferiorhuman ◴[04 May 19 10:48 UTC] No.19825659{5}[source]
Well that's interesting. I see Normandy enabled, but if I go to the "Privacy and Security" section of the preferences page I see all the data collection and use stuff disabled. There's no obvious way to disable the Normandy back door.

Oh well, at least we don't have another season of Mr Robot spam to look forward to.

replies(3): >>19825777 #>>19825846 #>>19826202 #
15. db48x ◴[04 May 19 10:48 UTC] No.19825660[source]
No, because the browser only checks for updates to your addons every day or so, not every five seconds.
16. jwildeboer ◴[04 May 19 10:49 UTC] No.19825663[source]
No. That’s not weird. The validity check runs once a day.
17. inferiorhuman ◴[04 May 19 10:49 UTC] No.19825665[source]
pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

replies(6): >>19825685 #>>19825686 #>>19825716 #>>19825995 #>>19826440 #>>19826786 #
18. daleharvey ◴[04 May 19 10:56 UTC] No.19825686[source]
> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

replies(5): >>19825728 #>>19825732 #>>19825745 #>>19825755 #>>19825842 #
19. bo1024 ◴[04 May 19 10:56 UTC] No.19825685[source]
Agree with this concern.
20. megous ◴[04 May 19 10:58 UTC] No.19825696{4}[source]
Something with a public wiki page describing what it does exactly is hardly a backdoor.

Also here's the code for the server: https://github.com/mozilla/normandy

replies(1): >>19825812 #
21. DoctorOetker ◴[04 May 19 11:00 UTC] No.19825705[source]
I read at https://discourse.mozilla.org/t/certificate-issue-causing-ad...

>12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and nightly users. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.

>In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

>You can disable studies again after your add-ons have been re-enabled.

>We are working on a general fix that doesn’t need to rely on this and will keep you updated.

I refuse to enable studies, even temporarily. This comes very close after the IE6 conspiracy revelation, where ends justifies the means.

Please provide a link to the certificate file, and step by step instructions for installing it, without enabling and conflating with mozilla studies...

replies(3): >>19825894 #>>19825895 #>>19825921 #
22. nanis ◴[04 May 19 11:03 UTC] No.19825716[source]
This is the first I hear about Normandy[1]. Firefox has been my main browser for a long time, only because I could use uBlock origin. Now, all of a sudden that is disabled, and with the recent version they got rid of my ability to always prevent autoplaying of videos.

Apparently, there is no one associated with browsers can be trusted in the least.

[1]: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

replies(2): >>19825720 #>>19825926 #
23. daleharvey ◴[04 May 19 11:05 UTC] No.19825720{3}[source]
In the recent version we added the ability to always prevent autoplaying of videos, in the next version we will be adding further UI to let the user disable all (not just muted) videos from autoplaying - https://bugzilla.mozilla.org/show_bug.cgi?id=1543812
replies(1): >>19825756 #
24. VMG ◴[04 May 19 11:05 UTC] No.19825721[source]
some info on the mozilla.org landing page would be useful
25. inferiorhuman ◴[04 May 19 11:07 UTC] No.19825728{3}[source]
app.normandy.enabled

That is not what I meant by a UI knob, and I sure hope you knew that. By UI knob I mean something easily discoverable and self-explanatory. Rooting around a gated (with a mighty strong warning, I should add) config section for something called "normandy" is not intuitive, and it's not self-explanatory.

And I sure hope that by disclosed to users I did not mean some Hitchhiker's Guide-esque disclaimer on a wiki page. Something as (potentially) insidious as a preferences backdoor should absolutely be disclosed to users with the same level of visibility as the stories nonsense.

Perhaps "normandy" is entirely harmless, but you guys lost a metric fuckton of credibility by using your backdoors to spam people[1]. Playing coy does nothing to improve your credibility or reputation.

1: https://www.theregister.co.uk/2017/12/18/mozilla_mr_robot_fi...

replies(1): >>19826411 #
26. oAlbe ◴[04 May 19 11:09 UTC] No.19825732{3}[source]
> app.normandy.enabled

I fail to see both the "UI" and the "knob" part of this. Why is this not a checkbox in the preferences? Why do so many people not know about Normandy?

replies(1): >>19825766 #
27. Krasnol ◴[04 May 19 11:11 UTC] No.19825744[source]
https://ftp.mozilla.org/pub/firefox/candidates/66.0.4-candid...
28. lawl ◴[04 May 19 11:11 UTC] No.19825745{3}[source]
The UI knob is

    Options -> Privacy & Security > Allow Firefox to install and run studies
They're using the studies system to push this hotfix faster for those that have it enabled.

Edit: Source:

See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...

> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy

replies(5): >>19825762 #>>19825773 #>>19826186 #>>19826841 #>>19828213 #
29. nanis ◴[04 May 19 11:13 UTC] No.19825755{3}[source]
>> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

> It will even be documented for them:

That sounds like you do not think the concern is warranted. I've used Firefox since the first time it was available, and Netscape starting with the first ever betas. At no point was there a dialog that said "Do you want us to be able to change your browser settings remotely?"

>> What about a UI knob to disable it?

> app.normandy.enabled

That is not a "UI knob" by any stretch of the imagination. Looking in about:config revealed:

app.normandy.logging.level

Is there a way to find out what is being logged and why?

So, the question can be rephrased as "is the fact that Firefox has been logging all users' entire browsing history despite the fact that the user has not chosen to set up a Firefox account going to be disclosed?"

replies(1): >>19825792 #
30. inferiorhuman ◴[04 May 19 11:13 UTC] No.19825756{4}[source]
That does nothing to mitigate the wholesale disabling of already trusted plugins like uBlock.
replies(1): >>19825798 #
31. inferiorhuman ◴[04 May 19 11:14 UTC] No.19825762{4}[source]
No, it's not. This Normandy nonsense and stories are two separate, yet creepy features. I've already disabled stories but it looks like Mozilla still retains control of my preferences (without disclosing it).
replies(1): >>19825943 #
32. ◴[04 May 19 11:15 UTC] No.19825766{4}[source]
33. IceWreck ◴[04 May 19 11:17 UTC] No.19825774[source]
Their system runs a check every 24 hours. So a lot of users were affected. They've rolled out a partial fix via their Normandy thingy, and according to them it will fix the issue for most people over the next couple of hours.
34. ◴[04 May 19 11:18 UTC] No.19825777{6}[source]
35. Yoric ◴[04 May 19 11:23 UTC] No.19825792{4}[source]
> So, the question can be rephrased as "is the fact that Firefox has been logging all users' entire browsing history despite the fact that the user has not chosen to set up a Firefox account going to be disclosed?"

Chill out, this preference only determines what is logged locally (never sent to the server). It's a debugging tool.

Sources: - https://searchfox.org/mozilla-central/source/toolkit/compone... - https://searchfox.org/mozilla-central/source/services/common...

replies(1): >>19828628 #
36. Yoric ◴[04 May 19 11:24 UTC] No.19825798{5}[source]
Well, if you follow the OP, you'll realize that it's a bug and people are working to fix it :)
replies(1): >>19827554 #
37. Yoric ◴[04 May 19 11:26 UTC] No.19825801{6}[source]
It may take a little time for the partial fix to be distributed.
38. tssva ◴[04 May 19 11:29 UTC] No.19825812{5}[source]
The wiki entry evidently doesn't describe what it does because according to the wiki entry it allows for the enabling and disabling of preferences. The updating of a certificate is beyond what is described in the wiki.

Mozilla should follow up with a post describing exactly how Normandy works and the full capabilities it gives them.

replies(2): >>19825915 #>>19831678 #
39. tinus_hn ◴[04 May 19 11:30 UTC] No.19825813[source]
I don’t like you editing my preferences. How can I switch to this new certificate manually?
40. gpm ◴[04 May 19 11:31 UTC] No.19825820{5}[source]
I'm nearly certain Normandy does not log all of your browsing history for what it's worth.

I agree Mozilla approach to stuff like this is... less than ideal.

replies(1): >>19829184 #
41. tssva ◴[04 May 19 11:39 UTC] No.19825842{3}[source]
From the wiki entry.

> Normandy Pref Rollout is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to Firefox.

Rolling out a new certificate goes beyond changing the default value of a preference which rightly raises questions about what else Normandy allows which is not documented.

42. AsyncAwait ◴[04 May 19 11:41 UTC] No.19825846{6}[source]
> There's no obvious way to disable the Normandy back door.

???

It's a publicly documented feature with a publicly documented way to disable it.

replies(1): >>19825860 #
43. brynjolf ◴[04 May 19 11:46 UTC] No.19825860{7}[source]
With an obscure name and no correlation to all the other spying and backdoor ING Mozilla are doing. Is this really the best option tog etaprivacy focused browser? I think this is all very worrying.
replies(3): >>19826424 #>>19826457 #>>19827328 #
44. DangerousPie ◴[04 May 19 11:56 UTC] No.19825894[source]
> This comes very close after the IE6 conspiracy revelation, where ends justifies the means.

What?!

replies(1): >>19825924 #
45. Vinnl ◴[04 May 19 11:56 UTC] No.19825895[source]
The last sentence you quoted literally said that they will provide you with the option to fix this without needing to enable studies.
replies(1): >>19825933 #
46. conanbatt ◴[04 May 19 11:57 UTC] No.19825898{3}[source]
There is a before and after with adblockers. Its a real pity they are the worst privacy-vioolating tools ever.
replies(1): >>19826195 #
47. alskdj21 ◴[04 May 19 11:59 UTC] No.19825905[source]
I've deleted my extensions thinking it was the extensions' issue. I'm trying to download again but it's telling me I don't have internet connection. Any work-arounds?
replies(1): >>19825979 #
48. XORcat ◴[04 May 19 12:04 UTC] No.19825921[source]
JSON response from the `normandy` API here: https://xor.cat/assets/other/random/2019-05-04/normandy_sign...

hotfix-update-xpi-signing-intermediate-bug-1548973: https://storage.googleapis.com/moz-fx-normandy-prod-addons/e...

From the looks, it installs the above plugin, and changes `app.update.lastUpdateTime.xpi-signature-verification` to `1556945257`

I can't get it to work in ESR 60 though. Getting file not found on "resource://gre/modules/addons/XPIDatabase.jsm"

edit: The linked XPI definitely seems to add the new certificate, whatever mechanism used to reverify the signatures just doesn't seem to work in 60.

edit2: Restarting Firefox appears to have forced the reverify... Possibly a flag that I twiddled with though, hard to be sure. Either way, the above should help people get everything running again without having to enable studies/normandy.

replies(5): >>19826115 #>>19826755 #>>19827210 #>>19827215 #>>19827221 #
49. DangerousPie ◴[04 May 19 12:04 UTC] No.19825922{5}[source]
> now I find out all my browsing history has been logged to Firefox servers.

Where are you getting this from?

replies(1): >>19829703 #
50. DoctorOetker ◴[04 May 19 12:04 UTC] No.19825924{3}[source]
you probably missed this story: https://news.ycombinator.com/item?id=19798678
replies(1): >>19825949 #
51. ◴[04 May 19 12:05 UTC] No.19825926{3}[source]
52. DoctorOetker ◴[04 May 19 12:07 UTC] No.19825933{3}[source]
correct, and I am emphasizing and pointing out my choice to wait such that others can make the same informed choice if they so wish.

(I would have wanted to read my comment if someone else had written it, so by the golden rule I make the comment I wish I had read)

53. tssva ◴[04 May 19 12:10 UTC] No.19825941{7}[source]
Users shouldn't have to search and then be able to understand the code found for such a feature. When a remote capability such as this exists it is Mozilla's responsibility to document how the feature works and the exact capabilities it gives them. Instead of doing so they have produced a wiki entry which appears to falsely describe the capabilities of this remote feature by stating it is used to change default preference values.
replies(2): >>19826026 #>>19826726 #
54. vesinisa ◴[04 May 19 12:11 UTC] No.19825943{5}[source]
I sure wonder how people so suspicious of Mozilla dare use their browser.
replies(3): >>19826006 #>>19826206 #>>19826278 #
55. DangerousPie ◴[04 May 19 12:12 UTC] No.19825949{4}[source]
I actually did read that story but I don't understand what that has to do with anything being discussed here.

Yes, Youtube put up a banner asking IE6 users to move to a more modern browser 10 years ago. How is that in any way related to Firefox pushing a hotfix in 2019 to fix a certificate issue? Are you worried there is a big evil conspiracy to use this mechanism to uninstall Internet Explorer from peoples' computers?!

replies(1): >>19826040 #
56. Kaladin ◴[04 May 19 12:19 UTC] No.19825979[source]
https://www.reddit.com/r/firefox/comments/bkcjoa/all_of_my_a...
replies(3): >>19826008 #>>19826272 #>>19829602 #
57. ◴[04 May 19 12:23 UTC] No.19825995[source]
58. neilv ◴[04 May 19 12:24 UTC] No.19825998[source]
I've been through all of Firefox `about:config` a few times in the past, fixing preferences to, e.g., try to disable umpteen different services that leak info or create potential vulnerabilities gratuitously, but this is the first I recall hearing of Normandy.

Apparently I missed `app.normandy.enabled`, because I think I would've remembered a name with connotations of a bloody massive surprise attack.

Incidentally, `app.normandy.enabled` defaults to `true` in the `firefox-esr` Debian Stable package. Which seems wrong for an ESR.

For personal use (not development), I run 3 browsers (for features/configurations and an extra bit of compartmentalization): Tor Browser for most things, Firefox ESR with privacy tweaks for the small number of things that require login, and Chromium without much privacy tweaks for the rare occasion that a crucial site refuses to work with my TB or FF setup.

Today's crucial cert administration oops, plus learning of yet another very questionable remote capability/vector, plus the questionable preferences-changing being enabled even for ESR... is making me even less comfortable with the Web browser standards "big moat" barrier to entry situation.

I know Mozilla has some very forthright people, but I'd really like to see a conspicuous and pervasive focus on privacy&security, throughout the organization, which, at this point, would shake up a lot of things. Then, with the high ground established unambiguously, I'd like to see actively reversing some of the past surveillance&brochure tendencies in some standards. And also see some more creative approaches to what a browser can be, despite a hostile and exploitive environment. Or maybe Brave turns out to be a better vehicle for that, but I still want to believe in Mozilla.

replies(6): >>19826214 #>>19826496 #>>19826548 #>>19827134 #>>19828158 #>>19840411 #
59. hyeonwho4 ◴[04 May 19 12:27 UTC] No.19826006{6}[source]
Setting preferences really should not be shocking, given that they have the capacity to run automatic updates. I'm more surprised that they can push code without certificates.
replies(2): >>19826649 #>>19827358 #
60. alskdj21 ◴[04 May 19 12:27 UTC] No.19826008{3}[source]
Thanks!
61. flizzers ◴[04 May 19 12:35 UTC] No.19826040{5}[source]
Okay, so, youtube targets a small subset of users, and changes their experience capriciously, and to suit their own purposes.

Firefox, it turns out, has a built-in telemetry system that defaults to enable exactly the same behavior: changing your system, to suit their desires.

You’re words “a big evil conspiracy to use this mechanism to uninstall Internet Explorer from peoples' computer” are misleading. No one would propose that the intent is an attack on Microsoft applications. Rather, the intent is to blindfold users on a whim, should a Firefox component prove inconvenient to the providers of Firefox. Ostensibly, in the event that some add-on or extension threatens the bottom line for major backers of Firefox’s funding.

replies(2): >>19826374 #>>19826429 #
62. rndgermandude ◴[04 May 19 12:54 UTC] No.19826115{3}[source]
Yes, this is broken on ESR, but only somewhat broken.

The hotfix extension does two things:

1) Install a new certificate for "CN=signingca1.addons.mozilla.org/emailAddress=foxsec@mozilla.com", effectively replacing the old certificate that expired. This should work.

2) Then it tries to import the internal "resource://gre/modules/addons/XPIDatabase.jsm" module and calls XPIDatabase.verifySignatures().

This does not work on ESR, as "XPIDatabase.jsm" is a new-ish thing that isn't present in ESR yet. In ESR the function is still in "resource://gre/modules/addons/XPIProvider.jsm" (XPIProvider.verifySignatures()). Thankfully, the non-existing module is imported using ChromeUtils.defineModuleGetter, which only lazily loads the module on first of the imported property, so after the certificate-adding code has run.

63. greendestiny_re ◴[04 May 19 13:07 UTC] No.19826178{7}[source]
All code is available – as a tar.xzipped archive of Firefox source code containing over 150k files and measuring over 1GB in size when unpacked.
replies(1): >>19826748 #
64. SilasX ◴[04 May 19 13:08 UTC] No.19826186{4}[source]
Why is it supposed to be reassuring that their “studies” can override the cryptographic infrastructure?

Edit: rephrase for clarity

replies(2): >>19826237 #>>19826435 #
65. feanaro ◴[04 May 19 13:10 UTC] No.19826195{4}[source]
> Its a real pity they are the worst privacy-vioolating tools ever.

What do you mean?

replies(1): >>19830778 #
66. rectang ◴[04 May 19 13:11 UTC] No.19826202{6}[source]
Presumably the logic is something like:

    if (studies.enabled) {
      if (normandy.enabled) {
        ...
      }
    }
67. phyzome ◴[04 May 19 13:11 UTC] No.19826206{6}[source]
Easy: There's a difference between static, shipped code and a capability to modify software at a distance (which could even by hijacked by an attacker who infiltrates Mozilla's infrastructure.)
replies(1): >>19826756 #
68. robolange ◴[04 May 19 13:13 UTC] No.19826214[source]
I too use Debian's Firefox ESR. I noticed the "Allow Firefox to install and run studies" option in Privacy & Security Preferences a long time ago. It was unchecked and greyed out (i.e., unclickable), and a label below it says "Data reporting is disabled for this build configuration", so I gave it no further thought. This morning I woke up and launched Firefox, noticed this headline, and then noticed my extensions were still running. I looked in about:config and lo and behold, app.normandy.enabled=default [true]. I'll be filing a bug with debian to disable this in the build configuration.

Edit: There are some questions about whether Normandy is really enabled in Debian Firefox ESR even if the about:config setting defaults to true. I've filed a bug report, and I'm sure once a Debian maintainer has a chance to look at it we'll find out the answer.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928433

Edit2: It should go without saying, but please do not spam this bug report with "me too" and its ilk.

replies(6): >>19826340 #>>19826689 #>>19827160 #>>19830076 #>>19831023 #>>19831131 #
69. bilbo0s ◴[04 May 19 13:19 UTC] No.19826237{5}[source]
Thank you.

I happen to be one of the users with Normandy disabled, so I'm foobar'd anyway. That said, the reason I disabled it is because it is a security hole you could drive a semi-truck through. And now they want us to enable it to provide a "fix" for the secure way in?

I thought I was the only one who saw a problem with that. Your post is evidence that I'm not completely off in my thinking.

replies(2): >>19826313 #>>19827304 #
70. Maken ◴[04 May 19 13:23 UTC] No.19826272{3}[source]
Works like a charm!
71. bilbo0s ◴[04 May 19 13:24 UTC] No.19826278{6}[source]
Because Mozilla is easier to lock down than Chrome.

I guess "easier" isn't the word really, because Chrome can't really ever be locked down. It's pretty much always, effectively, an open book to Google.

You can lock down everything in Firefox. The drawback being, of course, times like this, when you can't get the fix unless you leave Normandy enabled. (Which I didn't.)

>:-(

Grrrr.

72. SilasX ◴[04 May 19 13:29 UTC] No.19826313{6}[source]
And thank you for assuring me I wasn’t alone in worrying about that!
73. bilbo0s ◴[04 May 19 13:34 UTC] No.19826340{3}[source]
I had mine disabled. So let's think about this for a second. If I disable a security hole that you can drive a semi-truck through, I remain foobar'd. If I run my "secure" firefox configuration, with the security hole enabled, then they un-foobar me first. Before anyone else. So I could effectively get rewarded, for always keeping a security hole open. But I didn't keep it open, so... yeah... they'll get around to me sometime.

?

>:-(

Grrr.

I'm just getting old and curmudgeonly maybe? I've decided though, I'm starting an animated security blog to show people the ludicrousness of all this kind of stuff in plain language. I'll be Statler, and I just need someone to be Waldorf. Because this stuff really is getting Statler and Waldorf level ridiculous.

replies(6): >>19826394 #>>19826427 #>>19826599 #>>19826656 #>>19826695 #>>19826715 #
74. dralley ◴[04 May 19 13:40 UTC] No.19826374{6}[source]
> Firefox, it turns out, has a built-in telemetry system that defaults to enable exactly the same behavior: changing your system, to suit their desires.

An example of the typical use of this system: say Mozilla wants to enable video hardware acceleration in Firefox but they don't know if bugs in video drivers or in Firefox will make crashing more frequent. So they enable hardware acceleration for 1% of users instead of 100% and compare the reported crash rate between the two to determine if it's ready to be pushed out universally.

replies(1): >>19826539 #
75. yabatopia ◴[04 May 19 13:44 UTC] No.19826386{5}[source]
Not so in Firefox for Android. No normandy to find.
76. fjsolwmv ◴[04 May 19 13:46 UTC] No.19826394{4}[source]
Yes, that's right, if you install software that had a bug, then if you give someone permission to modify your software, you can get a bug fixes faster.
replies(1): >>19826412 #
77. neilv ◴[04 May 19 13:49 UTC] No.19826412{5}[source]
There are already channels for bug fixes, and some of the friction on those channels is intentional, such as for visibility and oversight/approval.
replies(1): >>19826693 #
78. dbrgn ◴[04 May 19 13:49 UTC] No.19826411{4}[source]
I'm sorry to break it to you, but a fuckton is not actually part of the metric system...
replies(2): >>19827172 #>>19827604 #
79. yabatopia ◴[04 May 19 13:50 UTC] No.19826421[source]
How do you enable Normandy on Firefox For Android? There's no Normandy in the about:config.

This is such a gigantic mess, even for a very loyal Firefox user it's to swallow.

80. awful_waffle ◴[04 May 19 13:51 UTC] No.19826424{8}[source]
Can you elaborate on what 'other spying' Mozilla does? Do you mean their telemetry?
replies(1): >>19827611 #
81. TeMPOraL ◴[04 May 19 13:52 UTC] No.19826427{4}[source]
> I'm just getting old and curmudgeonly maybe?

You're not. You just have standards.

We need people with standards in this industry, because that's the only source we have of market signals that prevent the market from going full user-hostile.

82. Filligree ◴[04 May 19 13:52 UTC] No.19826429{6}[source]
> Okay, so, youtube targets a small subset of users, and changes their experience capriciously, and to suit their own purposes.

They added a dismissable banner. That falls far short of "changing their experience", in my mind.

83. fjsolwmv ◴[04 May 19 13:53 UTC] No.19826435{5}[source]
If you don't trust your software provider, "studies" don't matter. The same but could come through a regular update. If you don't want to be on bleeding edge, that's fine, and if the UI for Normandy is bad, that's an issue, but it's nonsense to accept updates and then say you don't want updates.
84. RpFLCL ◴[04 May 19 13:53 UTC] No.19826440[source]
One result of this, when I use firefox from now on, I'll be disabling "Normandy"
85. fjsolwmv ◴[04 May 19 13:55 UTC] No.19826457{8}[source]
It's named after a world famous beachhead of an invasion. The name isn't that obscure for a feature that invades the userbase with a takeover.
86. fjsolwmv ◴[04 May 19 14:02 UTC] No.19826496[source]
ESR means extended support, not "never changes". As long as it is supported (and it is: the bug got fixed), it's appropriate for ESR.
replies(1): >>19826538 #
87. neilv ◴[04 May 19 14:09 UTC] No.19826538{3}[source]
As I said elsewhere: There are already channels for bug fixes, and some of the friction on those channels is intentional, such as for visibility and oversight/approval.
replies(1): >>19826733 #
88. betterunix2 ◴[04 May 19 14:09 UTC] No.19826539{7}[source]
At some point in the next five-ten years we will see this "feature" abused. Maybe Mozilla will use it to "soften" commonly used ad blockers to enable "acceptable" ads for Firefox users. Maybe Mozilla will be hacked by some government that wants to enable MITM attacks against its citizens, and Normandy will make that happen. Or maybe Mozilla will just cooperate with the government trying to do so.

You say it is "typically" used for benevolent purposes, but why should we trust Mozilla? Mozilla does not have a stellar history with this sort of thing and in my experience they do not take security as seriously as they should if we are to trust them with such a feature.

replies(1): >>19826883 #
89. taxatu ◴[04 May 19 14:11 UTC] No.19826548[source]
Can we get a clarification:

Unchecking "Allow Firefox to install and run studies" in the UI does not change "app.normandy.enabled" to "false".

Then, does unchecking "Allow Firefox to install and run studies" really disable Normandy, or not?

replies(1): >>19826638 #
90. taneq ◴[04 May 19 14:18 UTC] No.19826599{4}[source]
> So I could effectively get rewarded, for always keeping a security hole open.

That's the way it always works, isn't it? Security and convenience are opposing concerns.

replies(1): >>19827053 #
91. vesinisa ◴[04 May 19 14:25 UTC] No.19826638{3}[source]
As explained on Normandy's wiki page, they are related but two different things:

> Preference rollout is meant for permanent changes that we are sure of. Shield is meant for testing variations and figuring out what, if anything, is the best thing to do.

https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout#...

replies(3): >>19826763 #>>19826797 #>>19826803 #
92. vesinisa ◴[04 May 19 14:27 UTC] No.19826649{7}[source]
> I'm more surprised that they can push code without certificates.

Where are you getting this from? AFAIK all Mozilla code / prefs they can push should be signed -- this very issue seems to stem from the cert used to sign AMO extensions expired.

93. ◴[04 May 19 14:28 UTC] No.19826656{4}[source]
94. teddyh ◴[04 May 19 14:34 UTC] No.19826689{3}[source]
> noticed my extensions were still running.

Reportedly, Firefox only checks the date once per day, so if it hasn’t yet checked for you today, this will be the result.

> I looked in about:config and lo and behold, app.normandy.enabled=default [true].

I would assume that the config setting only has any effect if the feature is available in the build. Which it isn’t in Debian.

replies(1): >>19827749 #
95. bilbo0s ◴[04 May 19 14:36 UTC] No.19826693{6}[source]
Exactly.

Why even have an official channel, providing visibility and official oversight, if when it comes down to it, you're just gonna push remote code updates through the same side channel a potential hacker would use?

People are saying it's for convenience. OK, but then they have to understand that doing things in that fashion is a really bad look. And now your users are set up to believe that, at least some of the updates coming from the side channel are "trust"-able.

replies(1): >>19826730 #
96. pedrocr ◴[04 May 19 14:36 UTC] No.19826695{4}[source]
>If I disable a security hole that you can drive a semi-truck through, I remain foobar'd. If I run my "secure" firefox configuration, with the security hole enabled, then they un-foobar me first. Before anyone else. So I could effectively get rewarded, for always keeping a security hole open. But I didn't keep it open, so... yeah... they'll get around to me sometime.

That's needless drama. They will be rolling out the fix in a point release. Whatever way you use to update your browser will install that and get the fix. So the worst case is just going back to the old days where you'd have the issue until your distro issued a new package or you manually updated the browser version on Windows or OSX. What exactly would you expect that's not exactly what's happening?

97. shawnz ◴[04 May 19 14:38 UTC] No.19826715{4}[source]
Automatic updates aren't a security hole. They are a security enhancement
replies(1): >>19827090 #
98. megous ◴[04 May 19 14:40 UTC] No.19826726{8}[source]
Hacker News

I think people here can be expected to read some code if they are interested in how something works.

99. pedrocr ◴[04 May 19 14:40 UTC] No.19826730{7}[source]
This is a piece of code downloaded from Mozilla servers to re-enable extensions, which are other pieces of code you download from Mozilla servers. If your threat model includes not trusting Mozilla servers then you've presumably disabled browser extensions (or sideloaded them) and this issue is irrelevant to you. If you do use extensions and get updated versions from Mozilla I don't see any way in which this increases your attack surface.
100. shawnz ◴[04 May 19 14:41 UTC] No.19826733{4}[source]
And this is another channel. How can you be sure this one has less friction than the others?
101. megous ◴[04 May 19 14:43 UTC] No.19826748{8}[source]
grep -iR normandy

I expect code related to normandy to be ~1k LOC in size and probably written in JS. I haven't checked though, because I don't really care today.

replies(1): >>19828332 #
102. gpm ◴[04 May 19 14:45 UTC] No.19826755{3}[source]
Hey, if you just click on that storage.googleapis.com link it installs the hotfix directly without having to enable normandy ;)
replies(6): >>19826795 #>>19826847 #>>19826887 #>>19827014 #>>19827736 #>>19828312 #
103. calcifer ◴[04 May 19 14:45 UTC] No.19826756{7}[source]
If your threat model includes the hijacking of Mozilla's infrastructure, I assume you read and verify the entirety of the Firefox source with every new version before using it, right?
replies(1): >>19836545 #
104. pynabi ◴[04 May 19 14:46 UTC] No.19826763{4}[source]
That doesn't answer the question: does Normandy get disabled by the UI option or not?

One can guess based on the wiki page that the answer is "no", but that's just a guess.

105. jillesvangurp ◴[04 May 19 14:48 UTC] No.19826769[source]
It seems to have worked. My extensions reappeared.
106. ◴[04 May 19 14:48 UTC] No.19826772[source]
107. oldjokes ◴[04 May 19 14:53 UTC] No.19826786[source]
I have spent ~10 years using Firefox daily, tweaking the config and getting the addons set up the way I want. I was a professional web developer for most of those years.

This is the first I have heard of Firefox changing my config settings invisibly in the background. This is obscene. Who on earth thought this was a good idea? The security ramifications are limitless.

I understand all too well that most companies have decided to start A/B testing things on subsets of users, but that doesn't mean you should force that mode of thinking into everything. What a horrible decision. I don't recall ever seeing any news or notifications or checkboxes about studies or "Normandy" at any point.

Are there some other good open source alternatives to Firefox? I remember hearing about Brave but also that it was tied into some cryptocoin nonsense, so I'm not sure what else to look at.

replies(2): >>19826830 #>>19826939 #
108. option_greek ◴[04 May 19 14:54 UTC] No.19826795{4}[source]
This should be sticky comment somewhere on the top of the comments. It bought all the addons back for me.
109. robolange ◴[04 May 19 14:55 UTC] No.19826797{4}[source]
"Explained" is perhaps too generous a word. I'm a software engineer and I found that page to be confusing. It seems to be written for internal Mozilla employees, not for the general public.
110. stefan_ ◴[04 May 19 14:55 UTC] No.19826803{4}[source]
Except as we have learned "preference rollout" is also "installing extensions". So this is much the same as studies, but studies was disgraced, so now this is studies 2.0, no option to disable this time around.

And if you look at the big normandy JSON, hey, it's all the same Pocket and heartbeat shit we've seen from studies.

111. syshum ◴[04 May 19 15:00 UTC] No.19826830{3}[source]
>>This is the first I have heard of Firefox changing my config settings invisibly in the background.

you must not have been paying attention the last 3 or so years

Mozilla is doing all kinds of, IMO, unethical things with FireFox that goes against the core value of the mission statement of the Mozilla Foundation.

They are too busy trying to replicate Chrome to care about privacy, security, or basic user rights

replies(1): >>19826929 #
112. syshum ◴[04 May 19 15:02 UTC] No.19826841{4}[source]
They are using the Studies system in a complete violation of the way they said they would use the studies system for when it was announced. This is not surprising since Mozilla is becoming about as Trust Worthily as Google or Facebook
113. jwalton ◴[04 May 19 15:02 UTC] No.19826847{4}[source]
It does, but it didn't fix anything for me. All my extensions are still gone. :(
replies(1): >>19826864 #
114. gpm ◴[04 May 19 15:05 UTC] No.19826864{5}[source]
You might have to reinstall them unfortunately, on the system I figured that out on Firefox had decided to uninstall them (I think because I had to update the browser from the ancient version the user was using first).
115. jwalton ◴[04 May 19 15:07 UTC] No.19826878[source]
I got the update through studies (I can see it in about:studies), but it didn't fix anything for me.
116. Certhas ◴[04 May 19 15:08 UTC] No.19826883{8}[source]
The level of paranoia throughout this thread is truly through the roof.....

Mozilla has had several "PR nightmare" decisions that a vocal set of users didn't like, and sometimes were genuinely ill advised/bad/shitty. But as far as I can see they do not have a bad track record when it comes to security/privacy. Do you have any examples of actual serious security/privacy fuck ups by Mozilla/Firefox? I mean that stood up to scrutiny beyond the sensationalist headlines?

Their defaults might not be your defaults, but they are even working on bringing Tor into mainstream Firefox. None of this means they are above criticism of course, but... context!

The sum total of their actions points towards an organisation that has some internal problems but that is genuinely pursuing privacy and an open web as a goal for as many users as possible.

replies(4): >>19827247 #>>19828663 #>>19830148 #>>19830341 #
117. ◴[04 May 19 15:09 UTC] No.19826887{4}[source]
118. oldjokes ◴[04 May 19 15:14 UTC] No.19826929{4}[source]
I read all about the DRM stuff but I figured that was just the awful standards boards being awful standards boards.

I didn't realize what a true mess Mozilla had become.

replies(1): >>19826961 #
119. jammygit ◴[04 May 19 15:15 UTC] No.19826939{3}[source]
The way that Firefox needs 5-10 privacy extensions to be usable isn't just inconvenient when the certs fail, but you also have to trust all these strangers and their extension code.

I've been using brave because of that: all of that is baked in so my only extension is my password manager

replies(2): >>19827208 #>>19827762 #
120. syshum ◴[04 May 19 15:18 UTC] No.19826961{5}[source]
Not just DRM

Looking Glass, Pocket, Banning Plugins based on Political ideology, Backdoors like Normandy, and the STUDIES system, their creation of what amounts to Mozilla version of the Ministry of Truth, Their partnership with Cloudflare to send everyone's DNS to Cloudfare over HTTP, and whole host of other things

121. classichasclass ◴[04 May 19 15:25 UTC] No.19827014{4}[source]
Just tried on Android. Hooray!
replies(1): >>19827192 #
122. tempodox ◴[04 May 19 15:30 UTC] No.19827050[source]
I still get “Download failed. Please check your connection” when attempting to re-download the add-on you took away without asking me. That thing was pretty much the only reason I used Firefox at all.
123. hedora ◴[04 May 19 15:31 UTC] No.19827053{5}[source]
Good security designs increase convenience (eg ssh, touch id, single sign on).

The three goals of computer security are integrity, confidentiality and availability.

All three of those expand the usefulness of the system to the end user.

replies(1): >>19829014 #
124. neiman ◴[04 May 19 15:35 UTC] No.19827090{5}[source]
Unless the entity that pushes the updates become malicious, then they're a security hole.
replies(2): >>19827140 #>>19827994 #
125. ◴[04 May 19 15:43 UTC] No.19827134[source]
126. lvh ◴[04 May 19 15:44 UTC] No.19827140{6}[source]
How do you audit Firefox updates? Because if the answer is “I don’t”, Mozilla already controls the most important piece of userspace code on your computer. And if the answer is “I don’t install them”, then everyone with a few grand to spare already controls the most important piece of userspace code on your computer.
replies(2): >>19827228 #>>19828248 #
127. zingmars ◴[04 May 19 15:46 UTC] No.19827160{3}[source]
On Windows I have the "Allow Firefox to install and run studies" option disabled and yet in about:config Normandy was still enabled. I haven't received the fix. Could be that Firefox simply hasn't checked for it, or it could be that there's more than that about:config setting that determine whether Normandy is run.

Weird.

128. CompuHacker ◴[04 May 19 15:48 UTC] No.19827172{5}[source]
Well, it should be, but that's an entirely different discussion.
129. mateus1 ◴[04 May 19 15:52 UTC] No.19827192{5}[source]
Clicking the URL was the only way I was able to get the hotfix on Firefox mobile for Android
130. _Codemonkeyism ◴[04 May 19 15:54 UTC] No.19827208{4}[source]
Exactly the same here, Brave + a password manager after 25y of Firefox/Netscape/Mosaic.
131. 1over137 ◴[04 May 19 15:55 UTC] No.19827210{3}[source]
So not only does this 'normandy' thing exist, but it goes to a google server? So much for using Firefox to keep google out of my life. :(
replies(1): >>19827771 #
132. johnnycab ◴[04 May 19 15:56 UTC] No.19827215{3}[source]
>hotfix-update-xpi-signing-intermediate-bug-1548973: https://storage.googleapis.com/moz-fx-normandy-prod-addons/e...

This fixed it for me. Thanks. W10/FF 66.0.3

133. DoctorOetker ◴[04 May 19 15:57 UTC] No.19827221{3}[source]
Thanks for the sleuthing, but who does this repository belong to? I'd like to apply it but only if mozilla provides such instruction on their issue page, I don't know who the actual owner of /moz-fx-normandy-prod-addons/ is...

https://storage.googleapis.com/moz-fx-normandy-prod-addons/e...

Can mozilla please verify, confirm authenticity, and list this instruction on their issue page?

replies(1): >>19830574 #
134. robolange ◴[04 May 19 15:58 UTC] No.19827228{7}[source]
I rely on the Debian system to assist with that. Normandy bypasses that system, if it's enabled. (The jury is out whether it's actually enabled in Debian Firefox ESR.)
replies(1): >>19827424 #
135. DoctorOetker ◴[04 May 19 16:00 UTC] No.19827247{9}[source]
> Do you have any examples of actual serious security/privacy fuck ups by Mozilla/Firefox?

Sadly I don't, but others argue they have top notch standard security practices like automated alerts etc. regarding certificate renewals...

136. reubenmorais ◴[04 May 19 16:08 UTC] No.19827304{6}[source]
The studies system is also code-signed, but with a different certificate chain, hence why it wasn't affected. What security hole do you think this opens in Firefox?
137. AsyncAwait ◴[04 May 19 16:13 UTC] No.19827328{8}[source]
I am not sure what 'spying' Mozilla is doing, but I agree this should be better named and better highlighted.
138. Piskvorrr ◴[04 May 19 16:17 UTC] No.19827358{7}[source]
The expires certificate seems to be in a chain concerning extensions. Not necessarily the same chain concerning core browser updates...
139. lvh ◴[04 May 19 16:27 UTC] No.19827424{8}[source]
What do you think the median size of a Firefox release is, what do you think the resources (let’s call it US dollars FMV) are to audit that, and what do you think the resources Debian has to devote to it?

Clearly more eyes are good, but... In between “Wild West WebExtensions” and “Mozilla backdoors my Firefox and it gets used for nefarious purposes” and “delays in browser updates increase exploitation windows”, I know which threat models I’m buying.

replies(1): >>19831081 #
140. shstalwart ◴[04 May 19 16:43 UTC] No.19827554{6}[source]
The bug is that plugins can't be manually enable. Nobody is working to fix that.
141. Redoubts ◴[04 May 19 16:49 UTC] No.19827604{5}[source]
This unit modifier was specified under RFC 69420
142. brynjolf ◴[04 May 19 16:50 UTC] No.19827611{9}[source]
Spying was the wrong word. But yes, the telemetry. The google analytics that are hidden on the extensions page, that only listen to the Do not track, but not the turn off telemetry checkbox. Sadly it just doesn't seem to stop.
143. reader_1000 ◴[04 May 19 17:07 UTC] No.19827736{4}[source]
Unrelated to cert problem: Yes, clicking on the link installs the plugin, but it is suprising to see that firefox claims that it is the news.ycombinator.com, not storage.googleapis.com, that wants to install plugin. Could it be a security issue since if an attacker somehow manages the post/inject a link for a malicious plugin in a credible site, firefox will claim that plugin is from that site?
replies(1): >>19827781 #
144. DoctorOetker ◴[04 May 19 17:09 UTC] No.19827749{4}[source]
that would be good news, how can I verify that the Normandy feature isn't available in the Debian build?

Has Mozilla provided instructions to manually fix the issue? if so where? (XORcat was helpful to provide a solution, but I refuse to apply it if it doesn't come from Mozilla itself...)

replies(1): >>19829734 #
145. julian-klode ◴[04 May 19 17:11 UTC] No.19827762{4}[source]
So why do you use a browser made by an ad company, that is all about analysing your browser history and targetting ads at you?
146. DoctorOetker ◴[04 May 19 17:13 UTC] No.19827771{4}[source]
that's an interesting question: when we install add-ons or extensions, are these hosted on google servers? I'd rather not have google know what versions of which add-ons I am running...
147. DoctorOetker ◴[04 May 19 17:15 UTC] No.19827781{5}[source]
oh wow! that's really bad
148. neop1x ◴[04 May 19 17:49 UTC] No.19827994{6}[source]
exactly. Like here https://news.ycombinator.com/item?id=10624087 or here https://news.ycombinator.com/item?id=19482191 for example...
149. SignalsFromBob ◴[04 May 19 18:13 UTC] No.19828158[source]
Is there a CVE for this "normandy" backdoor?
150. guido_vongraum ◴[04 May 19 18:22 UTC] No.19828213{4}[source]
>The UI knob is > Options -> Privacy & Security > Allow Firefox to install and run studies

Well it's a half-assed knob then, because it was unchecked and still I had app.normandy.enabled = true somehow.

151. neiman ◴[04 May 19 18:27 UTC] No.19828248{7}[source]
I audit software updates by looking at developers announcements and community discussions (in social media, forums etc) before installing updates.

Then, even if developers keys and computers are compromised, I would notice something is wrong.

* No, of course that I don't always do that. I even don't often do that. But I did do that in the past, and I'd like to have the option to do that.

152. lordlimecat ◴[04 May 19 18:27 UTC] No.19828249{7}[source]
Open source software can't have a backdoor because the code is available to review.

Got it.

153. devcpp ◴[04 May 19 18:35 UTC] No.19828312{4}[source]
I just installed some random googleapis link. This is so stupid, and very disappointing from Mozilla.
154. devcpp ◴[04 May 19 18:38 UTC] No.19828332{9}[source]
And you shouldn't have to care. No one should. The very fact that this exists and that we are expected to trust it is very disappointing.
155. rue ◴[04 May 19 19:22 UTC] No.19828628{5}[source]
Look, at this point it’s not the user’s responsibility to “chill out”. It’s very much Firefox’s responsibility to try to repair their reputation by:

1. being completely transparent about all the mechanisms that data or code can be pushed to or pulled by the browser, or pushed from or pulled from the browser; and

2. having a toggle for all of them, yes every single one, in Privacy & Security.

156. rue ◴[04 May 19 19:26 UTC] No.19828663{9}[source]
…This one?

This one isn’t very privacy-friendly or open. And that raises all the previous questions again. Should they maybe have learned something about clandestinely fucking with people’s systems?

157. afiori ◴[04 May 19 20:10 UTC] No.19829014{6}[source]
But the point here is not about integrity, confidentiality, or availability. It is about whether you trust Mozilla, and how much trustworthy they are.

A configuration where Mozilla cannot push remote updates is neither more secure nor less secure. Mozilla is often under fire for not allowing a privacy conscious, minimal trust use case.

158. ◴[04 May 19 20:31 UTC] No.19829184{6}[source]
159. xvector ◴[04 May 19 20:52 UTC] No.19829308{3}[source]
Sorry, the stress someone on the Firefox team must be experiencing would easily be magnitudes beyond what we are.
replies(1): >>19832423 #
160. howard941 ◴[04 May 19 21:49 UTC] No.19829602{3}[source]
Any way to preserve this workaround's functionality beyond 24 hours?
161. nanis ◴[04 May 19 22:10 UTC] No.19829703{6}[source]
I am getting it from the simple fact that when I looked at Normandy related settings a unique ID and an API endpoint screamed at me ... Let's assume the explanation given here regarding Normandy's endpoint is legitimate. Why am I assigned a unique ID? How hard is it to make the connection between the fact that for the past N years, despite telemetry and studies being turned off, my browser had been pinging Mozilla with this unique ID. Until proved otherwise, it is safe to assume that this was used to track browsing.
replies(1): >>19853360 #
162. teddyh ◴[04 May 19 22:15 UTC] No.19829734{5}[source]
> how can I verify that the Normandy feature isn't available in the Debian build?

In the Debian bug about this issue¹ it says “Firefox from the Debian package has data reporting disabled so using studies is not possible.

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928415

163. bscphil ◴[04 May 19 23:34 UTC] No.19830076{3}[source]
Thank you for reporting it. Debian's pro-user stance is one of the things I like about it... now tell me they've disabled Pocket too and I might just switch from Arch to Debian Sid.

FYI, I have learned from other user's comments and the Wiki page below that Studies and Normandy are different things. The former depends on the latter, but not vice versa. So it is possible that Debian disabled the studies program but did not disable the underlying Normandy tool. You might also want to look at whether firefox is affected in addition to firefox-esr.

https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout#...

164. bscphil ◴[04 May 19 23:48 UTC] No.19830148{9}[source]
> But as far as I can see they do not have a bad track record when it comes to security/privacy. Do you have any examples of actual serious security/privacy fuck ups by Mozilla/Firefox?

I mean, they are currently shipping real actual ads on the new tab page that aren't blocked by ad blockers - and possibly can't be (there are limits to what WebExtensions can modify on Firefox internal pages). Sure, maybe your parent comment was exaggerating a little bit, but what if Mozilla instead starts inserting "privacy-friendly" "recommendations" into webpages in order to "enhance users' browsing experiences"? That doesn't sound at all far-fetched for the Mozilla we know today.

replies(1): >>19833905 #
165. XORcat ◴[05 May 19 01:43 UTC] No.19830574{4}[source]
I would have the same question if I didn't see the response come back from https://normandy.cdn.mozilla.net/ myself.

I encourage you to go through the whole Normandy process yourself in a test environment, and even better (if possible), check out the code to see whether it looks legit or benign.

I'm happy, because I went through and checked it out myself without needing to enable Normandy on my actual Firefox, but ultimately, it will be great when Moz can get instructions for manually applying the fix out.

166. conanbatt ◴[05 May 19 02:43 UTC] No.19830778{5}[source]
They read your entire page content, they have access to all your information.
replies(1): >>19833211 #
167. ◴[05 May 19 03:47 UTC] No.19831023{3}[source]
168. anfilt ◴[05 May 19 04:01 UTC] No.19831081{9}[source]
I agree an unpatched vuneribility is probably more risky. However this feature can change settings the user explicitly sets. The bigger issue is it does not give me any indication the settings have been changed.
169. dang ◴[05 May 19 04:16 UTC] No.19831123{10}[source]
Please read and follow the site guidelines when commenting here.

https://news.ycombinator.com/newsguidelines.html

170. robolange ◴[05 May 19 04:19 UTC] No.19831131{3}[source]
Posting an update for posterity. It appears that even with app.normandy.enabled=default [true], as long as app.shield.optoutstudies.enabled=false, Normandy is disabled. app.shield.optoutstudies is the key controlled by the UI element "Allow Firefox to install and run studies".

I've closed the above bug report as it's not really a bug.

171. ComodoHacker ◴[05 May 19 07:44 UTC] No.19831678{6}[source]
From what I understand, Normandy is an infrastructure for delivery of some changes to some of Firefox users (or all of them). There are two major use cases: preferences rollout and studies. In the first case default values of preferences get changed (if your pref has non-default value, it won't affect you). In case of studies some piece of code gets delivered and executed, which cat do anything. In this hotfix the study installs add-on, which in turn installs certificate.
172. guido_vongraum ◴[05 May 19 09:30 UTC] No.19831941[source]
What bothers me is the fact that everyone seems to be accepting the usage of these newspeakish romantically sounding euphemisms that are completely opaque about the purpose of things they stand for. "Normandy"... What is this - a place, a sort of champagne, a hotel or the internal name of some freaking area51 document?..

Like, "In order to disable Normandy, uncheck Vaduz, Monterrey, Vologda and select Newcastle in the Xinjang drop-down menu - we'll ship Bronx with next update".

P.S. Keep flagging, I'll repost, no problem.

173. mccosmos ◴[05 May 19 12:20 UTC] No.19832423{4}[source]
No offense but they're not getting inhumane shock treament either if you're going to pull "our stress is holier than thou" and say it's magnitudes higher, I'll be waiting scientific backing on this or else it's just rude... plus they can always just not make me periodically re-install all my addons with no option to just bypass verification... except this time it doesn't work even with the fixes. (Actually, one time I just didn't see it was set to update automatically downgrading one of them. I'm no expert on these issues, really. They just could have asked first in my opinion.) Thanks, Mozillama.

Edit: I had to click "Restart with addons disabled (safe mode)" for those wondering.

174. feanaro ◴[05 May 19 15:17 UTC] No.19833211{6}[source]
But there are free software ad blockers like uBlock Origin.
replies(1): >>19833319 #
175. conanbatt ◴[05 May 19 15:39 UTC] No.19833319{7}[source]
if uBlock got compromised as an extension even for 1 day, the amount and value of data uBlock can collect will make anyone very very rich.

It's on the level of saving passwords as texts in terms of privacy.

replies(1): >>19834222 #
176. Certhas ◴[05 May 19 17:38 UTC] No.19833905{10}[source]
Besides your claim not being true AFAIK tell [1](there are no ads on my new tab page, and as far as I can tell there was no incident of paid for content showing up on peoples new tab), how exactly would shipping ads be a privacy/security violation?

This is exactly the sensationalist misrepresentation I was talking about. You don't like what they are doing, fine. Misrepresenting it as something that it's not is not fine.

Besides: Mozilla is funded in large parts by having Google as the default search provider. This means they are funded by Google selling ads. Them starting up new revenue streams and getting away from that funding model would be a pro privacy step.

[1] If you are referring to something else that I missed, feel free to enlighten me.

replies(1): >>19837233 #
177. kzrdude ◴[05 May 19 18:35 UTC] No.19834222{8}[source]
How is it different from any other browser extension? They are all like that, aren't they?
replies(1): >>19839893 #
178. kzrdude ◴[05 May 19 18:36 UTC] No.19834224{3}[source]
Firefox includes content blocking, so it's not that bad.
179. phyzome ◴[06 May 19 03:08 UTC] No.19836545{8}[source]
Obviously not?

But there are trustworthy people working with and integrating that code, there's a good chance they'll notice a hinky commit, and they're very close to having completely reproducible builds—which means that there can be verification that the shipped binary matches the inspected source.

https://gregoryszorc.com/blog/2018/06/20/deterministic-firef...

180. bscphil ◴[06 May 19 06:20 UTC] No.19837233{11}[source]
Maybe you've opted out of studies or otherwise disabled Pocket? That's how they're bundling much of this new stuff in.

See: https://help.getpocket.com/article/1142-firefox-new-tab-reco... especially the part that says "From time to time, the occasional sponsored story may appear as a recommendation from Pocket. These stories will always be clearly marked, and you have control over whether they’re shown on your new tab page."

All so-called recommendations I've seen have been spammy, the sort of stuff you see linked as "other articles you may enjoy" when you disable your ad blocker on bad sites. Regardless, this directly contradicts your claim that there haven't been incidents of sponsored content on the new tab page: this is explicitly what is happening according to Pocket's own website. Mozilla themselves explicitly said they are introducing sponsored stories to the new tab page: https://blog.mozilla.org/futurereleases/2018/01/24/update-on...

I think there's a world of difference between making a search engine that sells ads the default, and selling ads yourself and inserting them into the browser's chrome. Among other issues, if I help someone install an ad blocker, that ad blocker will block ads on Google, but will not block ads in the browser chrome.

So, given this and other recent behavior by Mozilla, I have to say I don't think seeing "related stories" inserted into the browser chrome for certain web pages is at all far fetched. That should worry us.

replies(1): >>19837418 #
181. Certhas ◴[06 May 19 07:12 UTC] No.19837418{12}[source]
I thought you were referring to the snippets.

I actually don't see the pocket recommendations on my desktop (maybe the Linux Mint build has them disabled by default), but they are there on mobile. There is a UI setting to disable them of course. It's explained right on the page that you link to.

More importantly, that page also explains that no data gets sent to Mozilla or pocket or anyone else for these ads to show up.

So again, no privacy violation here. I also think it's an extreme leap from "they show this in the new tab page which they design and control" to "they could start showing it overlayed on other peoples content".

I think they got some decisions very wrong. Among them not implementing a way to allow people to override signing of addons, which people did warn about. Having signatures enforced as a strong default is certainly good and right, but if they had included a "right click on addon, use without signature (WARNING THIS IS SKETCHY REAL ADDONS DON'T ASK YOU TO DO THIS)" option this signing issue would have been relatively mild.

But their track record on privacy/security simply isn't as bad as people make it out to be.

182. conanbatt ◴[06 May 19 14:47 UTC] No.19839893{9}[source]
It depends on the permissions: uBlock has permissions to read the entire page on any domain. Some extensions only limit themselves to specific domains, or don't touch that at all.

uBlock still reads your bank website, etc.

183. hanif184 ◴[06 May 19 15:39 UTC] No.19840386[source]
Help my business account
replies(1): >>19840402 #
184. hanif184 ◴[06 May 19 15:41 UTC] No.19840402[source]
Payment method messenger all app link stor all removed link
185. hanif184 ◴[06 May 19 15:42 UTC] No.19840411[source]
Okay I will try
186. sciurus ◴[07 May 19 20:55 UTC] No.19853360{7}[source]
Disclaimer: I work for Mozilla on the operations team responsible for Firefox's backend services, including Normandy.

TL;DR you are not sending us your browsing history.

If telemetry and studies were turned off, your browser wasn't sending us this unique id.

If you had kept them enabled, for normandy telemetry you would have been sending us the data described at https://firefox-source-docs.mozilla.org/toolkit/components/n...

You can read more broadly about what data Firefox sends by default at https://www.mozilla.org/en-US/privacy/firefox/

And learn more about the review process any data collection has to go through at https://wiki.mozilla.org/Firefox/Data_Collection