> FWIW, Firefox 57 is currently looking like a net loss in terms of security and privacy. A significant number of the extensions people have previously used for blocking or restricting potentially intrusive or dangerous behaviours seem to have been lost, in some cases without equivalent WebExtension alternatives being available.
First, I'd like to put things in context. When you write "Firefox 57 is currently looking like a net loss in terms of security and privacy", I suppose that this might (arguably) be true for you and a few other power users, but for the ~100% of users who do not use these power add-ons, their life will only be improved by the change.
Plus, I actually think that all the add-ons in the domain either have been ported or have an equivalent that has been ported. Certainly all the ones I use have been. Am I missing something that people actually use for their protection?
> If you're arguing that 57 is now more secure and better for privacy, perhaps you know something that people like me don't, and if so, maybe it's worth highlighting whatever built-in functionality can now replace those protections more in the documentation/marketing?
There is only so much message that marketing can propagate in a single campaign. I expect that we'll have another marketing campaign in a few months detailing what we've been doing for security and privacy. Especially since we'll have exciting stuff to showcase :)
Let me give you a few keywords of stuff we've been doing to improve security: a gazillion fixes, better static analysis, replacing some critical components with Rust, introducing the first formally proved implementation of cryptography components in a browser, sandbox improvements, etc.
On privacy, I'll admit I haven't really paid attention, but the new add-ons you install don't have access to your private data without your consent, I remember that we've been working with Tor Browser to reduce fingerprinting, etc.
> However, moderation is all this gains, because anyone who is preinstalling Firefox on a computer could still install a modified executable instead.
Well, apparently that is a line that vendors are not prepared to cross.
> There is also a known risk of the user's security or privacy being compromised by visiting malicious websites that exploit weaknesses or vulnerabilities in Firefox.
When it comes to actual weaknesses or vulnerabilities, it seems clear to me that Mozilla should not rely on add-ons for patching those. But yes, blocker extensions still provide value; luckily, they are also still allowed.
> as I and others have explained, there are tried and tested ways they could do so that are no more vulnerable than the current approach yet would not suddenly remove all protection offered by addons against the latter threat without warning in the middle of a browsing session. The current heavy-handed approach is like building a secure home by making a concrete bunker with no doors and windows: the efforts to secure the addon system ultimately rendered the entire system useless.
You've said this before, so to prevent getting into a loop, I won't repeat my response :)
> Worse than that, though, the current strategy violates the basic principles that attract some users to Firefox in the first place, specifically its extensibility through addons and its relative respect for users' privacy and control of their own systems.
This I understand, and I wish it wasn't necessary too. I do think Mozilla has not shown little understanding - they've repeatedly explained how they are caught between a rock and hard place, and reached a different conclusion than you did, after weighing the pros and cons. That does not mean a lack of understanding of the cons, but merely that they did not outweigh the cons of the alternatives in their view.
This might simply be the result of different valuations of the pros and cons between you and Mozilla; given the amount of data and insight Mozilla has on the use of Firefox, I would also suggest to be open to the idea that there might be a lack of understanding on our side about the scale of the problem of malicious extensions.
> Firefox is indisputably the best mainstream browser available today outside of Tor for privacy, adblocking
The thing is, while things like privacy and adblocking are important, they are passive defensive features made necessary by others; they aren't things that make you feel good, they just make you feel less bad about certain things. When an extension could customize your browser exactly the way you wanted, that was exciting; when TreeStyleTabs felt integrated into the browser, instead of taking several seconds to load and feeling bolted on, it felt like an amazing part of _Firefox_; when mouse gestures worked reliably on every page, including new tab pages and plaintext-mime pages (really, sort this out Mozilla! No reason other than bad coding for extensions to not work on text/plain pages), it felt like a part of the browser, like Firefox was super-charged.
These are the things people can get excited about, and so get people to show them off to others and recommend it. It's hard to talk about how this nuanced privacy feature is better for X complex reason, in casual conversation; much easier to demonstrate how you're able to make the browser fit you like a glove with customizations A, B, and C (and it's more psychologically natural to want to show off positive additive features, too).
> and (even with the decline of functionality) extension support
Extension support, yes, but in terms of actual extensions, it's a yes-and-no situation. The thing about this and other customization that Mozilla doesn't seem to understand is, it's not enough to have "better" extension support, it needs to be "better enough" to overcome the difference in popularity between Firefox and Chrome, and hence the difference in availability/motivation of addon developers.
I still use Firefox as my main browser, but the extension support is not "better enough" for me anymore (see issues mentioned in the first para above), and so for the first time in actual decades, after switching from IE6 to Firefox back in the day, I'm considering switching or partially switching to another browser for my daily use (and have been doing so little by little, with Brave and qutebrowser).
> The add-ons might be better, but XUL-based Firefox add-ons are not better. They essentially give full control of your computer to the developer of the add-on.
IOW, the addons are software, just like Firefox is. That is what makes them useful.
> Most add-ons can be ported to webextensions. The ones that can't probably shouldn't have ever been add-ons to begin with.
I hope you realize that this attitude is 100% the opposite of the original Mozilla team, and that Firefox and Mozilla would not exist today if it had been. Firefox became what it is today because of its customizability and its empowerment of users.
> Firefox will be better off for only supporting webextensions.
On the contrary, it will no longer be Firefox. That is the point that we 15-plus-year, loyal users have been trying to drive through the thick heads at Mozilla.
If I wanted to use a browser like Chrome, I would use Chrome. What kind of product manager thinks he can beat his competitor by essentially duplicating their product, when there is no differentiation on price? Both browsers are free. People are already using Chrome because Google has what is essentially a Microsoft, IE-style de facto monopoly. People can still use Firefox if they prefer it--but if it ceases to be unique, why would they bother?
Firefox 56 will be the last version of Firefox I use, because Firefox 57 will no longer be useful to me. That is the bottom line.
> Few people use those forks, for the simple reason that what has been removed from Firefox is not game-changing enough to mandate an exodus.
This is not the reason for me at least to not use it as my main browser.
I recently tested and the speed is good and it is absolutely wonderful to have true full fledged extensions and complete themes.
My reason is that I'm worried if their security is good enough. If we could somehow be sure about that I'd actually happily leave modern Firefox behind for it.
Personally I'm hoping for someone to create a patch set and build binaries based on it to re-enable the old stuff, not by letting extensions muck around in the internals but by providing defined extension points like:
For real. I understand the security argument, but that poster and Mozilla in general seem to be making the argument that "no, you're wrong, you don't know what you want, we're going to tell you what you want, and it's a less feature-rich Firefox."
Well, I use Firefox, and I evangelize Firefox to everyone I know, on the basis, essentially of the extensions, and most of the popular Firefox extensions would have never come into existence with the new extension model. Mozilla is developing APIs to grandfather some of them in, but they're still reducing the possibility space from "anything" to "what we expose through these APIs", so new extensions that change everything will no longer come into being.
And aside from that, they don't even cover everything; I've already been notified by the developers of two extensions I use that they either can't or won't be switching over.
I really do have to agree with the people who are saying Mozilla has totally lost the plot. I've disabled automatic updates until I can figure out what I'm going to do.
> Firefox is making a strong case for itself as the privacy centric browser.
They try their best to market themselves as a privacy-centric browser. To promote themselves as so they add some shiny things like making clearing browser history two mouse clicks more accessible. But I'm still worried.
I'm really nitpicking but... That 3rd party cookie controversy that lasted for almost a year, the "oh, we're full of FLOSS ideals and are firmly against DRM but... hey, wait, users want Netflix, gotta support DRM" controversy, the recent "sponsored tiles" controversy, the update of over-engineered and undocumented proprietary Firefox Sync/Accounts that makes it even harder to not depend on their servers, the complete ignorance on TLS client certificates' UI and usability (which is why we're still stuck with passwords), the BrowserID/Persona thingy that happily continued the trend that makes your identity owned by a third party, and so on. I know, it's not good to complain in such a rude manner, but the issues do exist. Personally, I wouldn't really trust Firefox. Not without lots of addons, at least.
Unfortunately, I guess this can't be helped. A large project like Firefox seems to be impossible without steady and fairly big money income, and since this money comes from advertisers whose interests are in complete opposite of users' privacy, Mozilla just have to make some sacrifices.
Still, among the mainstream browsers they're better than competitors.
> Mozilla is basically doing nothing that makes power users say "Wow, I really want to use this browser and will recommend it to my friends and family". Instead for some reason those users are increasingly frustrated with Firefox on multiple levels.
There are a number of things Mozilla is doing that are appealing to me as a power user.
1. Rust and Firefox Quantum. Mozilla has invested a herculean amount of effort into making Firefox's internals cutting edge, and we've only just started seeing it pay off. The updated CSS rendering component alone made Firefox one of the snappiest browsers, and it's going to get even faster as additional components are rewritten.
2. Firefox is going to start blocking a lot more trackers by default in the coming months; some of this is in beta, more is in nightly. Power users can already do this with extensions, but it's easier for me to recommend a browser that does it by default.
3. Mozilla is reviewing add-ons. There were a lot of complaints about this initially, but I feel safer installing things from Firefox Add-ons than I do from the Chrome Web Store. The review process isn't perfect, but it feels like it's much harder for a Firefox addon to scoop my entire browsing history and get away with it. Allowing me to disable automatic updates for individual extensions is also good; it's a second layer of protection against situations like that Stylish fiasco where an extension suddenly, silently becomes malicious.
4. Add-on APIs. The add-on situation was dire when Mozilla killed XUL extensions and switched to a Chrome-compatible format. But now they're extending it and adding all sorts of functionality for add-ons that Chrome doesn't have, again.
> For me, Firefox seems to be making decisions with user's security and privacy in mind, and I see that as a net positive. As a long time user, it is the only reason I use Firefox.
I agree that that is a good thing. However, the more firefox breaks compatibility with sites people use, the harder it will be to regain marketshare. And if Firefox keeps losing marketshare it will have less ability to influence web standards, and could potentially die altogether, which would be bad for privacy and security in the long run.
Fortunately, state partitioning isn't enabled by default on Firefox yet (it is part of "strict" ETP), so only people who are ok with it potentially breaking sites will turn it on.
> It definitely sucks, but I don't see how it was anti-privacy at all.
It definitely increased the attack surface area[1] with no upside for 99.9%[2] of Firefox users.
1. It's a juicy target: an addon that can modify the content of any page a user visits? It doesn't take much of an imagination to think of how this could be subverted.
2. My conservative guess of the fraction of Fx users not interested in Mr Robot easter eggs; I probably ought to add a couple more "9"s
> In a sandbox even I, as the owner of the computer, can't let them out of. That's not cool.
Good software doesn't easily let you shoot yourself in the foot. It turns out if you allow it, people will do it. There exists software that does let you shoot yourself in the foot, but Firefox is designed for the mass market, not a specific niche. It's the only serious competitor to Chrome.
NPAPI is also gone. Not behind a flag, the code to support it is gone. It was broken, and so was the old extension API. It's about time for the majority of users to move on.
> In the sense that it's no longer possible to do the things one could do with a Firefox codebase.
This doesn't make any sense. You can do the same things you could do with the Firefox codebase before: download it, modify it, redistribute it. The runtime is what you're thinking of, and you were never guaranteed any abilities with regards to the runtime; you just got used to them, then they changed. This happened a few times with Firefox before, so it's not really clear how this update is much different.
> I own my computer, and my browser; Mozilla have taken away the ability for me to extend my computing environment (without reïmplementing it all myself).
Firefox is not your "computing environment." You're free to remove Firefox from your computing environment, or use an ESR release of Firefox and still get security updates with your old extensions, or use a fork of Firefox, of which there are a few to choose from.
Even so, it's depressing that every time a breaking change happens, even one like this that's 2 years in the making, the same responses happen: weird arguments about entitlement and a lot of looking toward the past.
Why not look toward the future? If you relied on an extension and now it's not possible with WebExtensions, it would help a lot of people out if bugs were filed and features were requested to bridge the gap. It's clear that there's overwhelming reasons to continue down the WebExtensions path, and whether people like it or not it's definitely going to be the only option in the browser you use in a few short years. So it's in our best interests to push for WebExtensions to meet the needs of extensions rather than make pointless arguments for decisions that were made a long time ago and have no chance of being reverted.
> Which is silly, IMO. What did this addon actually do, besides be installed without user consent?
1) Demonstrated that Mozilla has the ability to silently push addons without any kind of notification to the user that their browser behavior has been patched.
2) Demonstrated (allegedly) that there are privacy and security related preferences in Firefox that are reverting themselves to less-safe defaults without user interaction, aka Microsoft preferences.
3) Demonstrated Mozilla's marketing department lacks the good sense to respect these capabilities for the loaded gun they are.
It's not about what they did, it's about what they could do. Mozilla doesn't need these tools, and these tools are dangerous. Why did they make them? Why shouldn't we ask Mozilla to remove them?
> How could Mozilla respect the needs of users who opt-out of Mozilla knowing they, and their needs, exist at all?
How about surveys or well, common sense?
I'm a tech oriented person who cares about privacy. I want software that is lightweight, configurable, with sensible defaults. For any features besides the basic functionality (in this case: browsing the web), I don't want to opt-out, I want to opt-in.
Privacy oriented means for me that the software I use doesn't send one bit of data that isn't necessary for its basic functionality. I use a "dumb phone" because of this. I never understood how anybody can think telemetry and privacy can co-exist.
I want a Firefox without Pocket, Send, Screenshot Tools, Sync, Clickz, any cloud based service. I only want a fast, lightweight browser that doesn't send any unnecessary data anywhere without me explicitly configuring it. That's a sensible default for me, really. Software used to be like that.
I'd also like to configure when my software looks for updates. My Linux distro lets me do that.
And it would be awesome if all other functionality (like Send/Sync/Pocket, etc.) is available via optional plugins, or in another "full-featured" version of Firefox. The deluxe edition or whatever.
I believe I'm not alone with these ideas about software. In discussions about Firefox these things always come up. There are github projects [1,2] with 1600 and 1200 stars about hardening Firefox. People care about privacy. It's not hard to find this part of the userbase.
The idea that you can't create software for your users without telemetry, is what leads Mozilla to disregard their privacy oriented users in the first place. It's depressing.
And even if I allowed telemetry on my system Mozilla wouldn't learn anything about what I wrote here. It's useless.
> The add-ons might be better, but XUL-based Firefox add-ons are not better.
This statement is contradictory.
> They essentially give full control of your computer to the developer of the add-on. There's no permission model.
Yes. I know. That's why it's better.
> Most add-ons can be ported to webextensions. The ones that can't probably shouldn't have ever been add-ons to begin with.
You're pushing a worldview here in which some entity - Mozilla, presumably - sees fit to decide in what way I should, or should not be able to extend my web browser. I reject this premise.
The whole point of XUL/XPCOM, as you yourself seem to realise, is that it naturally exposes browser internals and thereby enables permissionless innovation. The only reason WebExtensions can even support the use cases it can is because Mozilla basically looked at the popular addons and defined it to be able to support corresponding functionality. Extension developers finding gaps in WebExtensions APIs were invited to communicate this to Mozilla - that is, to ask Mozilla for permission to extend the browser in a certain way (and for them to allocate manpower to adding that API, etc.)
The idea is to make WebExtensions politically palatable by happening to support what's popular, but that very approach proves the impracticality of the premise. If ad blockers were invented tomorrow, would there be a WebExtensions API? Probably not. Would Mozilla bother to allocate manpower to adding an API for it when one person has the idea and asks? Probably not. If Firefox (and before that, Mozilla Suite, etc.) had had only WebExtensions-like APIs from day one, would ad blockers exist today? Probably not. Ergo, we can conclude that future, yet unconceived innovations will be prevented by this change. The "ask us to add an API for it" approach is not acceptable, given that the technology to make this a non-issue (XUL/XPCOM) already exists and is in use.
> Lots of other browsers used to do the same thing Firefox does, and chose to use a webextension-like model instead. Why? Because those screenshots of folks with half their screen consumed by toolbars, weird popups, overlays in the browser viewport, extensions that sneakily inject ads into pages, and track user behavior _still exist_. And there's really nothing Mozilla can do to stop them.
This isn't Mozilla's problem, and as you yourself acknowledge, trying to save users from themselves is a futile effort.
> Do you know how Firefox add-ons get approved? A human sits down and sifts through the obfuscated source code. I helped build these tools years ago, I can tell you it's hell. Beyond being error-prone, it causes months-long delays in add-ons getting approved.
If this upsets Mozilla, they could get out of the extension approval business. Nothing obliges them to intermediate themselves in this way.
No version of Firefox which implements restrictive code signing practices will ever touch any system I control. Currently I use Firefox Developer Edition. It doesn't appear it will be updated after version 56.
> I can think of several ways to drastically improve the privacy of web extensions by providing audit logging or more fine-grained control over permissions.
You were talking about API surface though. Neither of these things are API surface in itself. They are after the fact, informing the user what it can do and what it did with those APIs.
> It's just pointless to have the most advanced content blocking mechanisms when you allow browser extensions to circumvent them all.
I don't think so. It's not pointless. It just means you need to trust more than mozilla, you ALSO need to trust the extensions, just like you need to trust many other things in your system. The error here is assuming that everything should be reducible or can be reduced to a single source of trust.
> There are countless studies that show most non-expert users don't know what is happening with their data and are not able to judge the risks they're taking when installing software like browser extensions.
Perhaps. But if you follow that argument then you end up with a locked-down system with little flexibility, which I was referring to as apple-style walled garden. Some people may value such a thing, but I wouldn't use or recommend firefox if it became something like that. I would flee in terror.
> I have no problem if the Mozilla Foundation or the Firefox team has different priorities, but say that rather than telling technical people the reason for the changes is because XUL or XPCOM are somehow so hideous the team had no choice. It smacks of dishonesty when everything that you have described here is a problem with procedure not anything technical.
Well, some of our priorities with WebExtensions are (not necessarily in this order):
- stable, documented, future-proof API;
- improving security;
- improving performance;
- improving privacy.
You are, of course, free to consider these things "not anything technical", but they were impossible as long as add-ons weren't based on an API at all.
So, again, while I fully realize that there is a cost, I believe that we're moving from something unsustainable to something sane, which makes it better in the long run.
> I believe that we're moving from something unsustainable to something sane
It is only unsustainable because the FF team chose to make the process more difficult than it had to be. This is how what you are saying sounds:
1. We didn't want to break plugins so we involved addon developers
2. The process takes so long that it takes 18 months to introduce any new code
3. Since 2 was so slow we decided instead we would PERMANENTLY break plugins with no way to ever fix them
Put another way: things were taking too long because of Mozilla's own self-imposed guidelines so the Firefox team had no choice but to PERMANENTLY break addons that will never be fixable by design because the Firefox team was so concerned about temporarily breaking plugins. This is double speak. The predicate (3) contradicts the subject (1).
After it was pointed out how ludicrous this sounds, the caveat is added that this had to be done in the name of security, performance, and privacy. At what point did security and performance become more important than an open platform and why? Numerous addons exist solely to provide privacy by blocking fingerprinting, stopping redirects, providing control over cross-site requests (RequestPolicy Continued), super-cookie safeguards (BetterPrivacy), and these options are no longer available. How are these privacy enhancing features being added now that the option has been removed since the goal is privacy?
The whole thing is hard to take at face value when everything seems to be self-contradicting (sans performance).
> And then, as someone pointed out on reddit, I realized that we still haven’t taken the time to explain in-depth why we had no choice but to remove XUL-based add-ons.
> * very quickly, add-on developers realized that anything they did could break anything else in the system, including other add-ons and Firefox itself, and they often had no way to prevent this;
> * similarly, anything Firefox developers did could break add-ons, and they often had no way to prevent this;
> * also, some of the changes that Firefox needed to remain competitive with Chrome were going to break most add-ons immediately, possibly all add-ons in the longer term;
> * oh, and by the way, since add-ons could do everything, they could very easily do anything to the operating system, from stealing passwords to pretending to be your bank.
---
It's a really long article with lots of background and technical detail, so I felt it safe to include a larger summary of the basic points than I normally would.
> But as far as I can see they do not have a bad track record when it comes to security/privacy. Do you have any examples of actual serious security/privacy fuck ups by Mozilla/Firefox?
I mean, they are currently shipping real actual ads on the new tab page that aren't blocked by ad blockers - and possibly can't be (there are limits to what WebExtensions can modify on Firefox internal pages). Sure, maybe your parent comment was exaggerating a little bit, but what if Mozilla instead starts inserting "privacy-friendly" "recommendations" into webpages in order to "enhance users' browsing experiences"? That doesn't sound at all far-fetched for the Mozilla we know today.