Firefox 3.6 Locks Out Rogue Add-ons

CmdrTaco posted more than 4 years ago | from the and-stay-out dept.

Mozilla 265

CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"

265 comments

I want a mechanism for pluck-outs... (2, Interesting)

jkrise (535370) | more than 4 years ago | (#30143826)

At my company I would like a stripped-down Firefox without features like awesome bar and other bloat. Is there a way to do this, easily?

Also I have the SmartQ 7 and SmartQ 5 MIDs which are based on the ARM processor. The default browser is Midori... can I get a Firefox compiled for the ARM to run on that?

I think firefox should focus on these and similar issues...

Re:I want a mechanism for pluck-outs... (3, Funny)

toppavak (943659) | more than 4 years ago | (#30143998)

A pony would be nice as well!

Re:I want a mechanism for pluck-outs... (0)

Anonymous Coward | more than 4 years ago | (#30144146)

and a new kitten!

WHAT!!??!! (-1, Troll)

Philip K Dickhead (906971) | more than 4 years ago | (#30145034)

This is another attempt by the Responsible Republican establishment to silence the voice of Sarah Palin, and ignore the wishes of ordinary Americans who want to put God back into the Constitution that he wrote!

Re:I want a mechanism for pluck-outs... (1)

sakdoctor (1087155) | more than 4 years ago | (#30144278)

The pony should be a plugin

Re:I want a mechanism for pluck-outs... (5, Funny)

jamstar7 (694492) | more than 4 years ago | (#30144720)

The pony should be a plugin

The mental image that came to mind when I saw that convinces me that I watch WAY too much porn...

That was the idea behind Firefox/Firebird/Phoenix (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30144400)

It was supposed to be a stripped down browser, instead of the bloat of the full Mozilla. And, when they started, they were close. But now they seem to be heading back in the other direction.

Re:That was the idea behind Firefox/Firebird/Phoen (1)

MyFirstNameIsPaul (1552283) | more than 4 years ago | (#30144644)

That's why I started using Phoenix in the first place. However, I am guilty of running up to a dozen plugins...

Re:That was the idea behind Firefox/Firebird/Phoen (0)

Anonymous Coward | more than 4 years ago | (#30144942)

Yes, but by choice. Your 12 plugins may be different than my 12 plugins. If they build everything in, they remove that choice.

Re:That was the idea behind Firefox/Firebird/Phoen (4, Insightful)

Reapman (740286) | more than 4 years ago | (#30145204)

Tired of reading these sorts of comments. Sure there's some "bloat", but what that bloat is varies by opinion. I've read where supporting CSS is "bloat". Graphics are "bloat". tabs are "bloat". RSS. etc.

My understanding (and please tell me if I'm wrong) is the point of Firefox was to supply a WEB BROWSER. Back then when you downloaded it you also got an email program, news reader, wysiwyg website builder, etc. Firefox was JUST a browser. Still is.

If you REALLY want where everything is an option go build it yourself. Have something where you choose which renderer you want (Moz's, Webkit, etc), whether or not to have tabs, allow plugins, command line version, etc. Hit next a few times and presto your very own browser.

Re:I want a mechanism for pluck-outs... (1)

Shikaku (1129753) | more than 4 years ago | (#30144546)

At my company I would like a stripped-down Firefox without features like awesome bar and other bloat.

What is the other bloat? On the default install please list everything you'd like to have removed.

Re:I want a mechanism for pluck-outs... (0)

Anonymous Coward | more than 4 years ago | (#30144818)

Perhaps this is what you want:
http://kmeleon.sourceforge.net/

Re:I want a mechanism for pluck-outs... (4, Interesting)

Lord Bitman (95493) | more than 4 years ago | (#30144962)

The awesome bar, and most of the other firefox bloat, should be plugins. Firefox had this great plugin architecture which everyone and their dog used- except the firefox devs.
Why doesn't firefox ship with an array of "default" plugins, all of which can be disabled? There's no need for something like awesomebar to be core, is there?

Re:I want a mechanism for pluck-outs... (2, Insightful)

anasciiman (528060) | more than 4 years ago | (#30145236)

The code is available and forkable. Why not fix it to your liking and then submit patches?

.NET Anyone? (5, Insightful)

Daengbo (523424) | more than 4 years ago | (#30143838)

Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant add-on and the Windows Presentation Foundation (WPF) plug-in to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.

That's the first thing I thought of when I read the summary.

Re:.NET Anyone? (4, Insightful)

NoYob (1630681) | more than 4 years ago | (#30143914)

The first thing I thought of was those Yahoo! toolbars that folks love to slip into every browser.

Re:.NET Anyone? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30144226)

If it wants to install something totally unrelated it is a sure sign that you shouldn't use this software.

In that context, I search a PDF reader for Windows with print capability.
Acrobat: See above
Foxit: See above
Sumatra: Converts to image for printing -> SLOW

Re:.NET Anyone? (1)

A Big Gnu Thrush (12795) | more than 4 years ago | (#30145040)

So true. Foxit was good for a while, but it got as bad as Acrobat.

Yahoo! and Adobe are two companies that can't fall off the face of the earth fast enough as far as I'm concerned.

Re:.NET Anyone? (1)

Anonymous Monkey (795756) | more than 4 years ago | (#30144438)

That's what I thought. I wonder what Yahoo! would do if its software could only be installed by the user, and not by other software. Perhaps they will strike a deal with Microsoft to get back at Firefox.

Re:.NET Anyone? (5, Funny)

Anonymous Coward | more than 4 years ago | (#30144478)

What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

Re:.NET Anyone? (0)

Anonymous Coward | more than 4 years ago | (#30145038)

As a developer for a Web optimizer plug-in, this Firefox change will make it much harder for us to reach our users.

Good, are your "users" voluntary? or did your optimizer plug-in get parasitically installed with another piece of software (ie. hidden in an option somewhere or installed as a default opt-in when it wasn't noted in the download package for the desired software)?

Re:.NET Anyone? (5, Insightful)

mqduck (232646) | more than 4 years ago | (#30145118)

the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

I fail to see the downside for anybody but you, and you make it sound like you clearly deserve it.

Re:.NET Anyone? (4, Insightful)

Miamicanes (730264) | more than 4 years ago | (#30145498)

> What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other
> software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar
> is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox
> change will make it much harder for us to reach our users.

Q. What's the difference between a 'trojan' and 'malware'?

A. Malware has a EULA.

I can't even *begin* to emphasize how badly it pisses me off when some app tries to sneak BHOs and plugins into their installer... almost always in ways that someone in a hurry to install the app that's actually *desired* will overlook. I flat-out refuse to ever use Yahoo and Google's toolbars, *precisely* because they have so many people trying to ram them down my throat and trick me into installing them.

Re:.NET Anyone? (1)

Errol backfiring (1280012) | more than 4 years ago | (#30143936)

Me too. AND the fact that Microsoft thought that a browser was less stable because of the plugins. So they should actually be glad they cannot install unwanted crap anymore.

Re:.NET Anyone? (4, Informative)

sopssa (1498795) | more than 4 years ago | (#30144176)

Well, as no one reads the article, this doesn't concern .NET update in any way:

In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plug-in mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a follow-up e-mail. "They aren't impacted by this change."

Re:.NET Anyone? (5, Insightful)

trevdak (797540) | more than 4 years ago | (#30145078)

Regardless, there should've been a prompt to ask if you wanted to install it, and there damn well should be a working uninstall button.

Re:.NET Anyone? (1)

RudeIota (1131331) | more than 4 years ago | (#30145218)

Since .NET was installed in an 'official' way, I can only assume it is Firefox that provided Microsoft the ability to remove the "Disable" button from their first iteration of the Firefox WPF plugin. Is that behavior actually by design?

If it is, I certainly hope that gets changed in 3.6 too. Every plugin and extension ought to have 'Disable' and 'Remove' buttons, no matter what.

Re:.NET Anyone? (3, Interesting)

maxume (22995) | more than 4 years ago | (#30145434)

It's an artifact of supporting system wide extension installation, rather than per user. Microsoft probably should have used per user installation of the plugin (even though .NET is arguably a system wide update). Removing the support is probably overkill, as I imagine it is useful in managed environments.

Re:.NET Anyone? (5, Informative)

maxume (22995) | more than 4 years ago | (#30143968)

Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).

Re:.NET Anyone? (1)

Krneki (1192201) | more than 4 years ago | (#30144540)

Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).

Firefox (or any other browser) should have only one place for addons and plug-ins and this location should be locked with a password, like the OS devices.

Right now any program (or virus) can add addons to our browsers.

I'm sick of getting my browser hijacked every time I install a program.

Re:.NET Anyone? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30144712)

I'm sick of getting my browser hijacked every time I install a program.

Maybe you should stop installing malicious software, then.

There's a perfectly good reason why these apps need to look in multiple locations: different users have different setups.

It's all well and good to have "one location", until that one location on one person's machine is an administrator-only location that non-privileged users can't edit, meaning they have no ability to customize their use of the software. I don't give a crap what people install on their machines under their accounts because they're running with few privileges and can only mess up their own setup. I don't want to have to start manually tweaking permissions on some shared add-ons folder every time somebody wants a new tool added to their instances of Firefox.

Just because you choose to keep installing viruses and junkware that messes up your machine doesn't mean the rest of us should have to suffer through endless security configuration headaches.

Re:.NET Anyone? (0)

Anonymous Coward | more than 4 years ago | (#30145494)

Maybe you should stop installing malicious software, then.

This is not insightful. Microsoft's Windows Update did it. Sun's java does it! You can of course debate about it being "malicious software" or not. But that is just bull shit. Not everything one installs is malicious, and if they have the control of automatic adding plugins to FireFox then I'm sure they could be evil enough to do it, even tho the software could be all good.

Re:.NET Anyone? (1)

indi0144 (1264518) | more than 4 years ago | (#30144614)

So my rant was useless?

http://slashdot.org/comments.pl?sid=1407593&cid=29776261

(no link because stupid slashcode eats my html tags)

I'd install a plugin that does just what I hinted in the end of the post :p

Re:.NET Anyone? (1)

maxume (22995) | more than 4 years ago | (#30145292)

Actually, even if Firefox kept an encrypted store of what DLLs it had told the user about, there really isn't any way to prevent a malicious program from simply replicating the code used to create the store, so it would be pretty hard to always notify the user.

Google update is initiated here on my system (it looks like it is intended to facilitate installing updates to Google software while using Firefox, I would be surprised if it was doing anything nefarious):

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins

I guess the DRM plugins are loaded because Firefox treats the Windows Media Player directory as a plug-in directory, by default:

http://kb.mozillazine.org/Plugin_scanning [mozillazine.org]

Re:.NET Anyone? (1)

poetmatt (793785) | more than 4 years ago | (#30144006)

they said they would have a solution, and this is a viable one. That is exactly what I had in mind as well. Like they say, locks keep honest people honest.

Re:.NET Anyone? (1)

Arancaytar (966377) | more than 4 years ago | (#30144168)

Yes, and I think that's pretty much what they're taking aim at. They already specifically blacklisted the add-on a while ago, causing huge cheer as well as huge backlash. It seems that with this approach they want a more flexible solution by making sure people can disable stuff they don't want.

Re:.NET Anyone? (2, Informative)

The MAZZTer (911996) | more than 4 years ago | (#30144800)

This is different from that. Those are actually packaged as add-ons so this change wouldn't affect them at all.

What Mozilla should do about those IMO is one of two things: 1) Enable the uninstall button for globally installed extensions (IE installed for all users) on Administrator accounts (in Windows; root on Linux... assuming Linux has global extensions) 2) Take steps to prevent or discourage apps from trying to plop extensions down and install them in Firefox without the user's consent. The "official" way for installers to install extensions should be to invoke Firefox with the URL of the XPI. Then the user would get the normal Firefox "Do you want to install this extension?" dialog and they can decide. Of course it would be impossible to fully prevent extensions from being covertly installed, but I think it would be worth the effort to lay down a few roadblocks if only to indicate to extension devs "don't do it this way".

User perspective (5, Insightful)

omfglearntoplay (1163771) | more than 4 years ago | (#30143860)

From a user perspective, this sounds like a good move. Stability problems in Firefox always seems to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

Re:User perspective (3, Insightful)

fluffy99 (870997) | more than 4 years ago | (#30145194)

From a user perspective, this sounds like a good move. Stability problems in Firefox always seems to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

Correction - stability problems in Firefox have always been blamed on add-ons or extensions. Of course the developers always became deaf when people were having issues with no plug-ins installed.

Effects on Add-on Development (3, Interesting)

Voulnet (1630793) | more than 4 years ago | (#30143882)

So what would be the effect on Add-on development? Would it make it more difficult to develop them? Would it constrain the Add-on developers?

Or is this just a method to lock out some Add-on with already known problems?

Re:Effects on Add-on Development (0)

Anonymous Coward | more than 4 years ago | (#30143964)

This seems to be a way to keep certain people (ahem, Microsoft) from slipping in Firefox "add-ons" that nobody requested or wanted.

Re:Effects on Add-on Development (1)

BitZtream (692029) | more than 4 years ago | (#30144178)

Doesn't affect that at all. Microsoft used a specific method available to Firefox plugins to add a reference to the Microsoft plugin. MS did not drop their extension in the firefox directory, they just added a registry key (in the documented way) to point to where their extension was.

You can still do that.

Re:Effects on Add-on Development (2, Insightful)

socsoc (1116769) | more than 4 years ago | (#30144002)

Hopefully it's gonna lock out add-ons that weren't initiated from within the browser with explicit intention from the user. The MS .NET stuff and the browser addons that get automatically (if you're not paying close attention, which my users never are) added from Adobe Reader, Java, CCleaner, etc.

Re:Effects on Add-on Development (4, Informative)

BitZtream (692029) | more than 4 years ago | (#30144308)

The MS plugin is not affected by this. It did things in the proper way, the documented method for adding system wide extensions rather than user level extensions. That is why Mozilla could easily disable the insecure version of the plugin, because it actually followed the rules.

MS just added a registry key that pointed at the files for the extension, which is well documented and used by many other pieces of software to allow plugins to be installed even before Firefox, and allowing any version of Firefox (or Thunderbird or whatever) to find them, even after installation into some random directory.

If you bother to read the article, it says the same. Google Desktop Search on the other hand, doesn't follow the rules and will be blocked unless Mozilla makes a work around for them or Google updates GDS to follow the rules.

This is essentially like not allowing code from anyone other than MS to be dropped into the Windows directory, and requiring it to be put somewhere else and properly registered with the system rather than throwing it in the system32 directory and loading it as if it were trusted code from MS.

Re:Effects on Add-on Development (1, Funny)

Anonymous Coward | more than 4 years ago | (#30144446)

good for you, you've posted the same thing like ten times, enough already

Re:Effects on Add-on Development (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30144622)

good for you, you've posted the same thing like ten times, enough already

Actually, he has posted 3 comments in this entire thread (so far), and this is the second one that mentions this point.

Re:Effects on Add-on Development (2, Insightful)

socsoc (1116769) | more than 4 years ago | (#30144500)

I disagree with the "proper way." I do not use .NET and have no wish for that to be in a competitor's browser. To me the proper way is for me to seek out a download, preferably through an XPI, but definitely not through Windows/Microsoft Update.

Although I thought I read it, I didn't see the link to the second page to TFA, so thanks for redirecting me back to it.

Re:Effects on Add-on Development (0, Troll)

BigRedFed (635728) | more than 4 years ago | (#30145190)

I disagree with the "proper way." I do not use .NET and have no wish for that to be in a competitor's browser. To me the proper way is for me to seek out a download, preferably through an XPI, but definitely not through Windows/Microsoft Update.

Well then you shouldn't be installing updates from MS that have to do with the .NET framework then should you?

Re:Effects on Add-on Development (0)

Anonymous Coward | more than 4 years ago | (#30145402)

That's pretty easy to do when you aren't in a domain environment and not running WSUS...

Re:Effects on Add-on Development (3, Insightful)

gbjbaanb (229885) | more than 4 years ago | (#30145456)

but it isn't a .NET addon. It's a Firefox addon.

So you should be perfectly able to install any .NET update from WU safe in the knowledge that it is not affecting your non-.NET applications, like Firefox.

Re:Effects on Add-on Development (2, Insightful)

ImYourVirus (1443523) | more than 4 years ago | (#30144512)

If it followed the rules, it would have asked instead of just installing it, quit spewing this shit of 'they did it the right way' obviously not if the user was unaware it was happening and thus didn't want it installed.

Re:Effects on Add-on Development (0)

Anonymous Coward | more than 4 years ago | (#30144954)

"which my users never are" - is weak - lock systems down.

Re:Effects on Add-on Development (1, Offtopic)

v1 (525388) | more than 4 years ago | (#30144004)

Seems like the best way to deal with an open plugin structure is to require mozilla to approve an app for wide-scale access to the internals, and for everyone else, restricted access that's more idiot-proofed. That way, anyone can write a plugin (unlike say, the apple store) albeit with limits, but at the same time the main app devs can allow power user plugins that are proven to be safe.

It's too bad Apple hasn't gone this route. (yet) Right now the only reason they are claiming for the app approval process is to "protect the users". While that certainly is one of their goals, eliminating competition with their own software, (the #1, #2, and #3 top reasons for app rejection at the store) doing what mozilla is doing would accomplish user protection without the lockdown/collateral damage of a must-be-signed-to-run system.

Re:Effects on Add-on Development (0)

Anonymous Coward | more than 4 years ago | (#30144134)

nice tangent that was totally not relevant.

Re:Effects on Add-on Development (2, Insightful)

vertinox (846076) | more than 4 years ago | (#30144034)

So what would be the effect on Add-on development? Would it make it more difficult to develop them? Would it constrain the Add-on developers?

It's the same reason why IE made it easier to develop web pages by tolerating broken HTML code.

People were using unintended features to make their work easier, but then when the unintended feature was removed then it breaks a lot of things.

In that respect, the developers should have written to spec in the first place rather than taking advantage of loopholes because it might get fixed one day.

Re:Effects on Add-on Development (0)

Anonymous Coward | more than 4 years ago | (#30144086)

This doesn't lock out any add-ons. This locks out a "back door" way of slipping add-ons into Firefox without going through the proper add-on installation procedures (which, among other things, require metadata such as version compatibility information).

Re:Effects on Add-on Development (1)

natehoy (1608657) | more than 4 years ago | (#30144538)

Net effect: Slight increases in development effort.

As I understand it, you can install additional functionality into Firefox in one of two ways:

1. Use the built-in installer. This is the "countdown box" that confirms that you want to install what the software is asking to install. It checks compatibility, and offers the capability of checking for updates and validating compatibility when a new version of Firefox gets installed (and disabling software that has NOT been tested with that specific flavor of Firefox).

2. Throw a file into a plugins or addons directory and Firefox will look for it and load it unconditionally next time it starts.

Sounds to me like they are going to reduce or eliminate #2.

So, as a developer, you'll probably have to package your plugins into a Firefox install package rather than an old Netscape-style plugin. You'll build that package specifying what versions of Firefox you have tested your plugin with, and the user will be informed that a new plugin wants to be installed.

Firefox could also fix this by scanning for all plugins and enumerating the ones that the user has identified as "safe", while prompting for any new ones that aren't in the database yet (or that have had their version numbers or file dates changed).

But that's more of a patch - the real solution is to protect the directory and only allow installs through the Firefox UI. I would be very curious to find out how they intend to protect the directory, though maybe they are simply ignoring anything "unexpected" that happens to be sitting there.
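The "enumerate what is approved, prompt for anything new or changed" idea from this comment, sketched as an added example (not code from the thread or from Mozilla). It compares content hashes rather than the version numbers or file dates the comment mentions, and the directory and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(directory):
    """Return {relative_path: sha256_hex} for every file under directory."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify differences between an approved baseline and the current state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def needs_prompt(report):
    """Files the user has never approved in their present form."""
    return report["added"] + report["changed"]


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed components directory, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        components = os.path.join(tmp, "components")
        os.mkdir(components)
        # Constructed stand-ins for files shipped with the browser.
        _write(os.path.join(components, "browser.xpt"), b"shipped typelib")
        _write(os.path.join(components, "nsExample.js"), b"shipped component v1")
        baseline = snapshot(components)

        # Constructed stand-in for what another installer might do afterwards.
        _write(os.path.join(components, "thirdparty_toolbar.dll"), b"dropped in")
        _write(os.path.join(components, "nsExample.js"), b"shipped component v2")

        return compare(baseline, snapshot(components))


if __name__ == "__main__":
    report = demo()
    for path in needs_prompt(report):
        print("not in approved baseline:", path)
```

The check is only as trustworthy as the stored baseline: if the program that drops the file can also rewrite the baseline, nothing is flagged, which is the objection raised elsewhere in this thread about an encrypted store of approved DLLs.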

Marketshare Issues. (3, Informative)

carp3_noct3m (1185697) | more than 4 years ago | (#30144026)

In the browser wars, people tend to forget sometimes that marketshare is an inherent part of how much your browser will come under attack. Issues like these, while it's good they're being patched, should have been taken care of a long time ago in anticipation of things to come. Firefox is still my preferred method of browsing, but that's because I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies. I used to recommend it to people, but now it seems just as bad (GASP) as IE with a standard install. I agree with jkrise (First Post!), there needs to be something like sub-builds that focus on security. I still like firefox better, as I occasionally evaluate the other browsers, and find them all lacking more than firefox in some areas. Just my two cents of subjective opinion though. Carpe Out.

Re:Marketshare Issues. (2, Insightful)

socsoc (1116769) | more than 4 years ago | (#30144154)

I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies.

Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

Re:Marketshare Issues. (2, Insightful)

carp3_noct3m (1185697) | more than 4 years ago | (#30144440)

Like I said, I only use the TOR on my ironkey when I'm say at class on an open wifi signal. The cookie thing is annoying as hell at first, but, as well as with noscript, once you have gone to the majority of the sites you frequent, it's not an issue anymore.

Re:Marketshare Issues. (2, Insightful)

TheReaperD (937405) | more than 4 years ago | (#30144458)

Do you really feel this is necessary? Sounds like you are jumping through a lot of hoops and degrading your browsing at the expense of a tin-foil hat.

If you are doing anything of importance with your browser, yes. If all you do is surf the web all day, then usually, no.

If you work with online banking, do other forms of commerce online, then you need to treat your web browser like your bank should because it is, by extension, your bank. If any form of VPN connections are used to your work, then you need to treat your computer as a work computer and secure it appropriately. Also, if you surf for porn, you really need to use this as the most nasty exploits are routinely found on these sites. Since a majority of people do the first and/or third they now go in the category of needing to secure their browsers.

Re:Marketshare Issues. (0)

Anonymous Coward | more than 4 years ago | (#30144744)

Since a majority of people do the first and/or third [citation needed]

Re:Marketshare Issues. (1)

Spyware23 (1260322) | more than 4 years ago | (#30144600)

You can't just ignore the problems away. If you'd start reading various specs (esp. Javascript-related ones) you would realize that enforcing extra security is just common sense.

In addition to the add-ons listed above, may I recommend SafeCache and SafeHistory, you will most likely need Nightly Tester Tools (another add-on) to override compatibility (warning, etc).

Re:Marketshare Issues. (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#30145042)

I am a halfway knowledgeable user that uses adblock, noscript, betterprivacy, use privately encrypted TOR when about (Iron Key) and only allow certain cookies

And here are us uninformed louts who somehow manage to squeak by without any of these - and no A/V or software firewall to boot - and haven't gotten compromised in over 20 years...

It's not that simple (2, Interesting)

carp3_noct3m (1185697) | more than 4 years ago | (#30145466)

It really isn't that simple. You could be running *nix or a mac. You might go to the same 3 sites everyday, but never browse new things. Due to the nature of the ways browsers are installed by default (which you imply you are using) you could get infected by even legitimate websites (who resell adspace to unscrupulous buyers) and not even realize it. With no tools, how do you propose to prevent cross-site scripting attacks, Java-script attacks, etc? I actually don't run a/v on personal systems. But I do run daily scans (while I'm at work) with multiple tools. I used to use no software firewall, relying on my strict PIX access-lists to protect me, but now I am using windows 7 and the firewall is so granular it is a good extra step. You are actually a malicious wet dream, someone who thinks they have everything so secure, that as long as you hide the bot/trojan etc well enough, they will never know they are a zombie machine. Just because you haven't been infected in over 20 years doesn't mean you can't get infected tomorrow. So, either you customize your browser intricately (JS, active-x settings, etc) or you're just playing Russian roulette. Read this for tips on where you might be lacking. http://www.cert.org/tech_tips/securing_browser/ [cert.org]

This is a small step forward (0, Troll)

For a Free Internet (1594621) | more than 4 years ago | (#30144052)

But it is a well known fact that Fire-fox is infested with secret Italian back-doors that allow Italian terrorists to steal our identities and use them for their nefarious schemes to subvert the family and Judeo-Christian morality and GOD and the United States. I say nobody who is suspected of Italian sympathies should be allowed on our internet.

Components specifying version compatibility ... (3, Insightful)

BitZtream (692029) | more than 4 years ago | (#30144140)

Works great, till you have someone like myself, who just specifies that my components are compatible with Firefox 2.* to 10.* so I don't have to worry about a new version claiming my plugin isn't compatible even though it is, which has happened enough in the past that I just don't care anymore.

Am I wrong? Yes. Is Mozilla wrong? Yes, you never trust the external code to tell you the truth, basic programming 101.

Re:Components specifying version compatibility ... (1)

maxume (22995) | more than 4 years ago | (#30144392)

I take it you don't care about getting accepted by addons.mozilla.org?

Re:Components specifying version compatibility ... (0)

Anonymous Coward | more than 4 years ago | (#30144412)

how is firefox 10? my alpha keeps crashing.

Re:Components specifying version compatibility ... (2, Informative)

The MAZZTer (911996) | more than 4 years ago | (#30144830)

You can't upload such extensions to addons.mozilla.org, thus it isn't likely many people will use it. Right now extensions can only specify up to 3.6.*.

Re:Components specifying version compatibility ... (1)

kalirion (728907) | more than 4 years ago | (#30145360)

Seriously, I wish Firefox gave you, the user, the option of "Yes, install this extension even though it's not marked as compatible, I ACCEPT FULL RESPONSIBILITY." It's a pain opening the archives and updating the version compatibility values manually.

homDo (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30144148)

had at lun3htime code.F' Don't

Anti-competitive?.. (1)

mi (197448) | more than 4 years ago | (#30144274)

prevent developers from sneaking add-ons into the program

Not that I disapprove of this particular decision, but imagining Slashdot's reaction to Microsoft implementing a thus-describable feature makes my head spin...

Re:Anti-competitive?.. (1)

maxume (22995) | more than 4 years ago | (#30144426)

I don't know, people mostly criticized UAC for being ineffective, and it is at least similar in spirit.

Re:Anti-competitive?.. (1)

solevita (967690) | more than 4 years ago | (#30144592)

Sounds like Mozilla is securing Firefox; I imagine the average Slashdotter would approve of Microsoft doing the same to IE. I don't think this is related to anti-competitive behaviour, it's just ensuring that plugins act as plugins and don't overstep the boundary into application code.

IE and extension blocking (1)

Jim Efaw (3484) | more than 4 years ago | (#30145374)

I seem to remember that IE 8 does something like this when it's first installed, asking if you want any IE extensions enabled at all, and whether you want IE extensions blocked until you approve them, or something of that nature. But suffice to say that I don't install IE often enough to remember for sure.

Doesn't extend to all externally-installed add-ons (3, Insightful)

Todd Knarr (15451) | more than 4 years ago | (#30144382)

I notice this doesn't extend to plug-ins and extensions found via the various plugins directories and registry keys. If it were me, I'd extend this feature to include saving a list in a locked-down location of all known extensions/add-ons found via the plugin directories and via registry keys. Every time the browser started, if it found a plugin or extension being loaded via the registry or a plugin directory that wasn't on the list, it'd notify the user what the plugin was and ask whether they wanted it enabled or not. That way nothing can get added to the browser without the user knowing and approving of the change.

Down in the advanced options I'd add a setting to give expert users the additional option of removing the plugin by either removing its files from the plugins directory it was found in or removing its registry keys depending on how it was found.

Re:Doesn't extend to all externally-installed add- (2, Informative)

BitZtream (692029) | more than 4 years ago | (#30144716)

You do get notified when at least some of those methods are used the next time you start Firefox. Pretty sure it's been that way since shortly after the MS plugin fiasco.

Re:Doesn't extend to all externally-installed add- (0)

Anonymous Coward | more than 4 years ago | (#30145452)

All that does is add one more hoop for the bad guys to jump through.

Open source (1)

dandart (1274360) | more than 4 years ago | (#30144554)

But doesn't this undermine the open source nature of this software?

Surely people should be able to install any plugins, dodgy or not, if they want to, on their own system?

Re:Open source (2, Insightful)

maxwell demon (590494) | more than 4 years ago | (#30145184)

They don't disable installing the plugins, they disable installing them the wrong way.
And of course, you can always get the Firefox source and disable the check, if you really want.

The actual problem is... (3, Insightful)

JustNiz (692889) | more than 4 years ago | (#30144566)

The actual problem is that Firefox blindly loads whatever is in that directory.
Locking the directory is a hack of a solution that others, especially Microsoft, will easily find a way around. The proper answer is that Firefox needs to compare components it finds by their signature (checksum and name combo or whatever) with a secure list of components it is authorised by the user to load, before it loads them.
The other fix firefox needs is to deny installed extensions the ability to prevent the user from uninstalling them (like Microsoft's .NET framework firefox extension did).
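
The approved-list check proposed in Todd Knarr's and JustNiz's comments above (name plus checksum compared against a list the user approved), as an added Python sketch that is not code from Firefox or from any poster. The file names, the demo key and the HMAC tag over the list are assumptions made here; the tag only helps if the key is stored where a third-party installer cannot read it.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _tag(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def seal_allowlist(entries, key):
    """Serialize {filename: sha256} with an HMAC tag so edits are detectable."""
    body = json.dumps(entries, sort_keys=True)
    return json.dumps({"entries": body, "tag": _tag(body, key)})

def open_allowlist(sealed, key):
    """Return the approved entries, or None if the list fails verification."""
    doc = json.loads(sealed)
    if not hmac.compare_digest(_tag(doc["entries"], key), doc["tag"]):
        return None
    return json.loads(doc["entries"])

def audit_components(directory, sealed, key):
    """Sort files into approved / modified (hash changed) / unknown (never approved)."""
    approved = open_allowlist(sealed, key)
    report = {"list_intact": approved is not None,
              "approved": [], "modified": [], "unknown": []}
    approved = approved or {}  # a list that fails verification approves nothing
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        verdict = ("unknown" if name not in approved else
                   "approved" if approved[name] == sha256_file(path) else "modified")
        report[verdict].append(name)
    return report

def demo():
    """Constructed sample data: approve two files, then alter one and drop in a third."""
    key = b"constructed-demo-key"  # assumption: stored where installers cannot read it
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        write("core_component.js", b"core")
        write("helper_component.js", b"helper")
        sealed = seal_allowlist({n: sha256_file(os.path.join(d, n)) for n in os.listdir(d)}, key)
        write("helper_component.js", b"helper-patched")
        write("dropped_component.dll", b"dropped")
        return audit_components(d, sealed, key), sealed, key
```

A loader built on this would refuse or prompt for anything reported as `modified` or `unknown`, and treat `list_intact` being false as a reason to re-approve everything.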

Re:The actual problem is... (1)

Nemyst (1383049) | more than 4 years ago | (#30144990)

Simply put, they should have an "approved" list within the browser's data as opposed to a "disabled" one like they appear to have now. Any new plugin found is disabled until added to the approved list by the user. Sure, it'd probably be possible to edit the list upon installation of said add-on, but that should lock out legitimate developers from doing it (Microsoft wouldn't do that for instance). Malware writers will always find a way I guess.

Re:The actual problem is... (1)

fluffy99 (870997) | more than 4 years ago | (#30145286)

It'd also be nice if verified plug-ins were signed by Mozilla, so the user knew they were safe. Perhaps make use of some of that peer-review that all the OSS folks claim is constantly happening? If it looks kosher, bless it with a digital signature like Microsoft does? Firefox has become a victim of lots of crappy add-ons. Keeping a list of unsafe add-ons would also be helpful (again like MS does).

Re:The actual problem is... (0)

Anonymous Coward | more than 4 years ago | (#30145454)

Yes, that will work great. Until they figure out how to add their components to the list, bypassing the user once again. You are only adding another hoop for these people to jump through.

Rogues (0)

Anonymous Coward | more than 4 years ago | (#30144766)

Rogues does it from behind.

Sounds like an improvement (0)

Eravnrekaree (467752) | more than 4 years ago | (#30144768)

This seems like this will improve Firefox security. What Firefox really needs however is a security zones feature that IE has had for over 10 years. You can create security zones, which contain lists of different sites and then place a site into that zone. The zone includes all settings for every possible feature a website uses, including flash and other plugins, java, javascript features, cookies, to name a few. This way you can use one database of sites for all settings rather than creating separate lists of sites for each individual feature. This is one way that IE surpasses Firefox in security. Going to Firefox was in many ways a downgrade and has far more primitive security control.

Will this keep out Adobe's crap? (1)

Choad Namath (907723) | more than 4 years ago | (#30145276)

Will this prevent Adobe from installing their mongoloidish "Download Manager" Add-on that's set up to start every time you open a new window instead of just running when you start your browser?