Firefox is your nanny?
22 May 2008
Extensions are cool
Extension frameworks are a good way to add new functionality to large applications that are messy to alter directly; they also let you add functionality now, without having to wait six months for the next release.
The whole fun of extensions is that you can make your own and download random ones from the Internet, try them out for a bit, remove the ones you don't like, share the ones you do.
This of course implies two things. Firstly, that the extension interface is well thought out so that a badly written extension does not crash or unexpectedly interfere with the main application. Secondly, that the user who installs the application is adept enough to know what they are doing.
The killer feature of Firefox has been its extension framework: having hundreds or even thousands of useful extensions is what has enabled Firefox to break into the IE-dominated browser market where so many have failed.
All your extensions belong to us
Firefox 3 has changed many things compared to previous versions. One unexpected change is that the extension framework has been locked down.
I have mixed feelings about this. I understand there is a balance between, on the one hand, fun and spontaneity, and on the other hand, security and protecting clueless people from themselves. However, I personally hate software designed as a jail for idiots. That is why I refuse to use Windows for anything beyond testing that web applications work on it.
Firefox 3's extension framework has a new DRM-like security barrier. You must either submit your extension to be vetted and hosted by Mozilla, serve it over SSL, or sign it with cryptographic keys.
I am all in favour of cryptography (as long as it is open for everyone to play), but I would be worried if this implementation makes it harder for people to write and share updates.
Computer says no
I tried to install an extension the old-fashioned way, by going to the author's homepage and clicking on the link to install the extension.
Firstly, a warning popped up, the same warning that was also in Firefox 2:
So I clicked "Allow" and then reclicked the install link.
Then, like a naughty child, we have to wait 4 seconds as a cooling-off period before we can click "Install".
Thirdly, even though we clicked "Allow", were put into time-out like a child, and then clicked "Install", it flatly refused to do what I had told it to do:
'Secure' here is defined as "approved by Mozilla"; very few Firefox extensions are secure in the formal sense of 'trusted'.
I am root
I know Firefox is trying to keep us safe, but I have to admit that the interface here gets on my nerves somewhat. There are "Allow" and "Install" buttons, I press them, but Firefox changes its mind and does not do what the buttons say.
Fortunately, in Firefox, the extension censorship can be overridden in the about:config settings dialog. So I went to Firefox 3's about:config page, and guess what? Yes you guessed it, they have added another new confirmation screen!
Oh well, all's well that ends well. I am sure some of you will have strong views either way on this. Let me know!



1 Johnathan Nightingale says...
Hmm - I get why some of these decisions might not seem intuitive, but "DRM" is a pretty misleading word to be throwing around here. Not Godwin's law, but getting there.
Without any kind of verification of add-on updates, there's this fun game you can play.
That's not a good thing, and more importantly, people will get victimized no matter how expert they are. The change in FF3 is that we don't let that attack happen any more.
You really hit the nail on the head - extensions are the best part of Firefox, we would never do anything to try to hurt that ecosystem, much less try to act as gatekeepers. You can secure your updates by hosting them on AMO, for free, or on your own servers if they serve SSL, or anywhere at all with a signed manifest using the McCoy tool (also free!)
We're absolutely open to other suggestions though - if you can help us understand what's onerous about the current approach, and how you would advise we protect update integrity with a lower barrier than the three options mentioned above, I am certain people would be eager to hear it.
ASIDE: I'm not sure why the default assumption is that we're overzealous nanny dictator types. This isn't a megacorp managing liability, this is an open source community trying to make an awesome browser that keeps people safe while making them happy. No one here wants that experience to suck, so please let us know what you think we can do better!
Posted at 4:59 p.m. on May 22, 2008
2 Brian says...
Clueless users are most of the intended audience of an internet browser. I have no problem with this hand-holding and warning-nagging as long as it can be permanently disabled.
Posted at 9:45 p.m. on May 22, 2008
3 Zeth says...
Hi Johnathan Nightingale,
Thanks for your post. I think my main problem is with the interface. I click on the download link, then press "Allow", then click on the download link again, then enter time out, then press "Install". After all that, you then tell me I can't install it.
If as you say, the only way to have good security is to block the extension over HTTP, then can you not block the extension at an early stage, i.e. before I run through the hoops? It seems silly to provide "Allow" and "Install" buttons that refuse to work.
You are raising the cost of participation in the sense that Firefox only recognises expensive SSL certificates from the large companies. Ones that are free, such as CAcert, are not recognised by Firefox.
Hi Brian,
Perhaps the moral of the story is that there cannot be one piece of software that is suitable for everyone. Maybe we need one browser for less-technically astute users, and another for those of us who know what is going on.
That latter browser could have extensions that you install via the filesystem, if installing extensions over HTTP is fraught with security issues.
Posted at 10:24 p.m. on May 22, 2008
4 Dan Fego says...
I agree whole-heartedly with the article. I understand the desire for a browser to be spread out to the masses, but there should be easily-changeable configurations for this stuff. Yes, about:config is great and all, but you shouldn't have to dig into settings that they have to warn you about changing. They also, IMHO, crossed a line when they made this (seemingly) unchangeable setting warning you when trying to open up a website on certain ports. It's not even a warning -- it simply stops you from viewing. That's absolutely ridiculous. If I want to run my website on another port, that's my prerogative!
Posted at 10:27 p.m. on May 22, 2008
5 Johnathan Nightingale says...
Hey Zeth,
You're absolutely right, detecting that earlier would help a lot. It's tricky for us, because the manifest (where the update mechanism is defined) is just a file inside the XPI, so we can't see it until things are downloaded, but there might be some brilliance we can look into there, maybe? I'll talk with people, anyhow.
Incidentally, we were very careful not to create a financial burden here - authors that use the McCoy tool to sign their manifest can do so with a (free) self-signed certificate (as long as the same cert signs the updates, we know that the original author is still in control). If authors choose to serve things over SSL, Firefox 3 includes the StartCom root, which provides free SSL certs. And, of course, for authors that want to host on addons.mozilla.org (and I understand why many authors don't) -- that's free as well.
Thanks for your feedback here, I hope I haven't seemed defensive -- I'm just interested in what we can do to improve the experience in Firefox .next.
Posted at 6:45 a.m. on May 23, 2008
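The mechanism Johnathan describes in the comment above (and the third of the three options in the post: a signed manifest, with the same self-signed key having to sign every later update) is worth seeing in code. The following Go program is an added illustration, not code from Firefox, the McCoy tool, or this blog: it models an update manifest as a small constructed struct signed with Ed25519, pins the author's key fingerprint at install time, and then checks three update offers: the author's genuine one, the same manifest with its download URL rewritten in transit, and a manifest re-signed by a different key. Field names, the manifest layout, the add-on ID and all URLs are constructed for the example and do not follow Firefox's real update.rdf format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed stand-in for an add-on's update information
// (field names are assumptions for this example, not Firefox's update.rdf).
type UpdateManifest struct {
	ID      string // add-on identifier
	Version string // version being offered
	URL     string // where the package is fetched from; may be plain HTTP
	XPIHash string // hex SHA-256 of the package the manifest points at
}

// canonical returns the exact bytes covered by the signature.
func (m UpdateManifest) canonical() []byte {
	return []byte(m.ID + "\n" + m.Version + "\n" + m.URL + "\n" + m.XPIHash)
}

// SignedManifest is what the update server returns: the manifest, the author's
// public key, and a signature over the canonical bytes.
type SignedManifest struct {
	Manifest  UpdateManifest
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign is the author-side step (the role the McCoy tool plays in the discussion).
func Sign(m UpdateManifest, priv ed25519.PrivateKey) SignedManifest {
	return SignedManifest{
		Manifest:  m,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, m.canonical()),
	}
}

// Fingerprint pins a key by the hex SHA-256 of its raw bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// InstalledAddon is what the browser remembers from the original install: the
// signing key is pinned, so every later update must be signed by the same key.
type InstalledAddon struct {
	ID             string
	Version        string
	KeyFingerprint string
}

var (
	ErrWrongAddon   = errors.New("manifest is for a different add-on")
	ErrKeyChanged   = errors.New("update signed by a key other than the pinned one")
	ErrBadSignature = errors.New("signature does not verify over the manifest")
	ErrHashMismatch = errors.New("downloaded package does not match manifest hash")
)

// VerifyUpdate decides whether an update offer may be applied. With the key
// pinned at install time, a manifest fetched over plain HTTP can only be
// swapped by someone who also holds the author's private key.
func VerifyUpdate(inst InstalledAddon, sm SignedManifest) error {
	if sm.Manifest.ID != inst.ID {
		return ErrWrongAddon
	}
	if len(sm.PublicKey) != ed25519.PublicKeySize {
		return ErrBadSignature
	}
	if Fingerprint(sm.PublicKey) != inst.KeyFingerprint {
		return ErrKeyChanged
	}
	if !ed25519.Verify(sm.PublicKey, sm.Manifest.canonical(), sm.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyDownload binds the fetched package to the signed manifest: the
// signature covers the hash, so the XPI itself may travel over HTTP.
func VerifyDownload(m UpdateManifest, xpi []byte) error {
	sum := sha256.Sum256(xpi)
	if hex.EncodeToString(sum[:]) != m.XPIHash {
		return ErrHashMismatch
	}
	return nil
}

// Scenario checks three update offers against one installed add-on (all values
// constructed) and returns the verification result for each.
func Scenario() (genuine, tampered, resigned error) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	inst := InstalledAddon{ID: "example@example.invalid", Version: "1.0", KeyFingerprint: Fingerprint(authorPub)}

	xpi := []byte("constructed package bytes for version 1.1")
	sum := sha256.Sum256(xpi)
	m := UpdateManifest{ID: inst.ID, Version: "1.1", URL: "http://example.invalid/ext-1.1.xpi", XPIHash: hex.EncodeToString(sum[:])}

	good := Sign(m, authorPriv)
	if genuine = VerifyUpdate(inst, good); genuine == nil {
		genuine = VerifyDownload(good.Manifest, xpi)
	}
	bad := good // same key and signature, but the URL is altered in transit
	bad.Manifest.URL = "http://attacker.invalid/ext-1.1.xpi"
	tampered = VerifyUpdate(inst, bad)
	resigned = VerifyUpdate(inst, Sign(bad.Manifest, otherPriv)) // valid signature, wrong key
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("manifest altered in transit:", t)
	fmt.Println("re-signed by another key:", r)
}
```

The order of checks matters: the fingerprint comparison comes before signature verification, so an offer signed by some other key is reported as a key change rather than a generic signature failure, which is the signal a user (or a log) needs in order to tell "the author lost control of the key" apart from "the file was corrupted". It also shows why the self-signed certificate is enough for this purpose: no certificate authority is consulted, only continuity with the key seen at first install.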
6 Leonov says...
And I, for one, welcome our new insect overlords...
Posted at 8:52 a.m. on May 24, 2008
7 Zeth says...
Johnathan, thanks for your response.
I had not heard of the McCoy tool before, this should hopefully solve the problem of allowing extension authors to share extensions without needing to be a rich company.
Posted at 9:52 a.m. on May 25, 2008
8 Justin says...
I've always thought that only allowing extensions to be written in Java is probably a bad thing, but this could just be because I hate Java. Extensions are awesome but they really slow Firefox down (mine more than double Firefox's ram usage). A possible solution to this is to allow the development of extensions in more robust languages than Java.
Another way around this is to install the extension manually. It's not that hard and Firefox won't get a chance to complain.
Posted at 8:54 a.m. on October 15, 2008