Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Firefox Security Mozilla Your Rights Online

Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com) 112

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which the allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using an self-contained update system that was bypassing Mozilla's add-on review process.
This discussion has been archived. No new comments can be posted.

Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings

Comments Filter:
  • Good on Mozilla (Score:2, Interesting)

    by Anonymous Coward

    Please publish the names of the authors, so we know not to ever install anything written by them ever again.

    • Please publish the names of the authors, so we know not to ever install anything written by them ever again.

      Better yet. Stop trying to police addons we want to use in our browser.

  • by Anonymous Coward on Friday March 04, 2016 @02:29AM (#51634871)

    It should not have been possible that an add-on can change security settings to begin with.

    • by Anonymous Coward
      Why not?
      • by Anonymous Coward

        Security relevant settings should of course be changeable. But they should only be changed by the user, and only via native browser UI, or maybe by explicit opt-in permission from the user via native browser UI. I say maybe because is already dangerous to let users grant that kind of permission. Firefox is for the general population, people who have been trained to give anything they install sweeping permissions without even reading the boilerplate.

    • by Anonymous Coward

      What if you WANTED that add-on to change the security settings?

      If a addon cant change security settings then people will be complaining that firefox has things blocked off that can't be changed.

      People are lazy and will use addons to change simple stuff. Look at the ones to disable webrtc. All it takes is typing in "about:config" and double clicking on a entry but all the people who use those addons show people like the convenience of addons to change the settings for them.

      You shouldn't blame firefox for giv

    • Code signing will not be a "turn off/on" settings in upcoming Firefox versions. It is under testing, so it still allowed users to disable it because it did not get to "test & sign" all existing addons
    • by joboss ( 4453961 )
      What you're saying is why Firefox basically sucks. They go too far for security and forget about diminishing returns. You can't deal with a stupid user and the longer you over guard them from their stupidity the longer they stay stupid for. You can never say never. There are reasons an addon might need to override "security". Security is not a magic word for something unobtrusive. It means crippling and limiting everything that might be abused, if not simply removing it. You can't say there is no legitimate
    • Well, sure. The issue is that add-ons have historically been loaded into the same security context as the rest of the browser code, which means they could literally do anything. The recent move towards having a better-defined API -- one that would prevent the kinds of things you think should be prevented -- is being done in large part to make this a far more tractable problem to deal with.

      Of course, as soon as there's any noise about preventing add-ons from doing literally anything they want to your compute

  • and youtube-dl makes this simple so you don't use insecure flash or html5. youtube-dl supports a ton of sites with videos and always downloads the best quality version of the video.

    don't download the older versions of youtube-dl in your Linux repository, instead, just download the newest version @ youtube-dl website:

    http://rg3.github.io/youtube-d... [github.io]

    • by Anonymous Coward
      I previously used youtube-unblock before to bypass georestriction. using tor browser will let me access youtube *sitewide* block (block from national isp filter, company filter, etc...) but it will be a test of luck if you are trying to browse/download *georestricted* video (ex: many japanese youtube will restrict their access to japan users--japan ip-- only). As much as youtube-unblock is grayware/malware, I don't think it is not replaced by Tor browser (+ youtube-dl or so).
  • by ZeRu ( 1486391 )
    When I read the first sentence, I thought to myself that reasoning behind this was some corporate/copyright bullshit. But looks like Mozilla did a good job on this!
  • Now I want it. Except without crippling my security.

    Is there an alternative?
    • by jrumney ( 197329 )

      Is there an alternative?

      Newsflash: people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either. If you still want alternatives, tread carefully.

      • by cdrudge ( 68377 ) on Friday March 04, 2016 @10:17AM (#51636165) Homepage

        people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either.

        So authors the various ad blockers, NoScript, Ghostery, etc aren't respecting your rights when they also don't respect the publisher's rights, blocking all the crap the publishers include? How am I suppose to live with myself and sleep at night violating the publisher's right to violate me?

        • by KGIII ( 973947 )

          About that Ghostery...

          https://www.google.com/search?... [google.com]

          I've long-since moved away and use uMatrix. It's completely open and, unless I'm missing something in the code (I've checked the source - I'm pretty sure), there's nothing amiss there. It's got a bit of a learning curve but it's slight and easily doable. If I can learn it, I'm sure you can. You can then get rid of anything and everything on a site. It's pure whitelist-based.

          I like to describe it as being akin to an old-school software firewall except li

        • by jrumney ( 197329 )
          As I said, tread carefully. Adblockers to counter malware and obtrusive advertising are one thing, but not all ad blocker authors have your best interests at heart ("Acceptable Ads" anyone?).
    • Hrm. If there were only some way to search for that kind of thing...

      https://addons.mozilla.org/en-... [mozilla.org]

      • Yes... The first one wants "anonymised click stream data", and I'd rather not give permission without knowing what it it. Others seem to want me to sign up for something that all else being equal I'd rather not do.

        But it's possible that a slashdotter somewhere knows about a good alternative or can offer advice on which one to use.

        It turns out though, that you're right and I'm wrong. They don't. I just get a response from some sarcastic jerk.
    • by KGIII ( 973947 )

      There are many, many ways to use a VPN. This is even do-able in just the browser itself. If one's goal is to bypass geolocation restrictions, and isn't really all that security minded, then one need only look at the many services offered. Many of them are free. Some of the free ones have various restrictions, such as bandwidth restrictions. Needless to say, there are ways around those restrictions - such as multiple accounts. I guess, I'd rather call those "proxies" instead of "VPNs" as they're not really a

Never worry about theory as long as the machinery does what it's supposed to do. -- R. A. Heinlein