Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which the allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using an self-contained update system that was bypassing Mozilla's add-on review process.

Good on Mozilla

[Anonymous Coward]

Please publish the names of the authors, so we know not to ever install anything written by them ever again.

Re:

[Tharkkun]

Please publish the names of the authors, so we know not to ever install anything written by them ever again.

Better yet. Stop trying to police addons we want to use in our browser.

Re:

[johanw]

Try a Firefox clone like Palemoon http://www.palemoon.org/ [palemoon.org] . The flexibility of Firefox but without the would-be Chrome UI crap.

Re:other browsers with Firefox-like add-ons

[arth1]

Or you could just install Classic Theme Restorer, since palemoon isn't 100% compatible with firefox addons and made by amateurs.

From a security point of view, Palemoon failed even at step one, installation. Its Linux installer *requires* that the system is set up for gratuitous sudo. Anything that asks for a system password during installation is something I will not install. And a system password that for an account that is set up to have root access for any command when the account password is given? No, just no.

(And never mind that they can't be bothered to list the prerequisites either.)

Re:

[jez9999]

Its Linux installer *requires* that the system is set up for gratuitous sudo.

Heh, I guess you're not a Windows user or you'd be pretty used to elevating to Administrator during installs!

Re:

[thegarbz]

Heh, I guess you're not a Windows user or you'd be pretty used to elevating to Administrator during installs!

That is predominantly to allow writing to the registry and a few locked folders during installation. These days the number of applications which actually require to be *run* as administrator are near enough to zero that it's not an issue.

However Linux never had this peculiarity in the first place. If you download a program that is standalone and doesn't have some deep hooks into the OS there's no reason you need elevated privileges on Linux, which makes me even MORE cautious when a Linux program asks for it

Re:other browsers with Firefox-like add-ons

[sexconker]

It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.

It does.

Programs that aren't written by morons should ask you if you want to install it for the current user only (no UAC required) or for the whole system (UAC required).

For the user, HKEY_CURRENT_USER\Software in the registry is like the opt directory.
But so is %USERPROFILE%\AppData\. And in AppData you have Local, LocalLow, and Roaming.

The %APPDATA% variable points to Roaming by default, while the Local directory is for shit specific to the PC (shouldn't roam), or is too big to roam. LocalLow is a "low integrity" directory. Allegedly things like plugins and add-ons should store their shit there and not be able to write to the Local directory.

For the system, you have HKEY_LOCAL_MACHINE and %ProgramData%.

The problems are:

1 - Morons write programs and demand full access to the whole system regardless of whether or not they need it.

2 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the registry, in both HKLM and HKCU. Even when it's documented, it's fucking wrong (I'm looking at you, Adobe).

3 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the the various %USERPROFILE%\AppData\ folders and the %ProgramData% folder .

4 - Morons write programs and store even more configs in the program's installation folder or other random places (like the Documents library).

Any one of these things alone is annoying, but programs often do all 4. This makes figuring out configs even harder - does the registry override settings.ini in the program folder? Or perhaps the profile in %AppData% wins out. What about the settings in %ProgramData%? Which registry settings are in HKLM vs HKCU? Why isn't anything in %AppData% or %ProgramData% or even the fucking registry cleared out when I uninstall?

It's a mess because developers are morons and Windows lets morons make a mess of things in several ways.

Re:

[HiThere]

Even MSWind95 did that. When I installed Squeak and Python on MSWind95 there were no files installed outside the application directory, which I located in a custom place segregated from all system files.

The problem isn't that MSWind doesn't allow that, the problem is that it doesn't (didn't?) require that.

FWIW, I generally prefer /usr/local to /opt, but in either case the files should be those that you trust, and the locations should require root permission to allow installation. Files with any doubt as t

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[malditaenvidia]

You're also free to use seamonkey, waterfox, iceweasel or any of the other forks that aren't 10 versions out of date.

Re:

[arth1]

Waterfox is available for Linux now? That's news.

Re:

[HiThere]

The last time I tried to use Seamonkey it wouldn't run. I didn't devote a whole lot of effort into trying to figure out why, but it did compile without errors (that I remember). I was trying to install it to use its html editor, but I found another one that looked like a fork and worked without problem. (Can't remember its name.)

Re:

[beastofburdon]

If you are installing into the standard directories then you must use root privileges. That is the way Linux is designed. If you want to install it in your home directory I guarantee that it will not require it.

Re:

[arth1]

If you are installing into the standard directories then you must use root privileges.

Using root privileges to do something specific is not the same as granting a program gratuitous privilege escalation to root, or giving an installer a password.

That is the way Linux is designed.

No, it isn't. If the documentation states what it needs write permissions to, or the installation script reports problems and then rolls back, you can temporarily give the required access.
Either through group permissions or ACLs.

If it installs under, say, /opt/palemoon, it is FAR better to create that directory as root, and give the installing user

Re:

[beastofburdon]

Let me get this straight. Are you saying that the install script is somehow giving the program root permissions that it can use after it has been installed? Otherwise in order to write to the /bin, /usr/bin, or any other directory that is not in your home directory you must have root permissions. You can temporarily give a user write permissions for a folder, but that also involves using root to give that permission.

Re:

[fbobraga]

DownThemAll [downthemall.net] is a must have add-on to me, and it's not available for Chrome (since long time, now): it was the primary cause that made me stick with Firefox over Chrome :P

Re:

[arth1]

I think downthemall.com is an unfortunate name. I thought it was for 14 year olds who wanted to hang out down the mall.

Re:

[fbobraga]

I think this naming problem is is a consequence of o major problem, that relates to all open-source community: poor "marketing" decisions (it's not natural?)

Re:

[lgw]

I've been frustrated with the fact I can't use anti-container (a wonderful extension to downthemall) on Pale Moon. It's the only reason I keep a copy of FF around. Chrome is right out.

Re:

[allo]

And it will die in a few firefox releases. Mozilla deprecates (and removes) XUL and XPCom and addons as powerful as DTA will not be possible, the DTA author wrote he will probably need to discontinue it.

Re: other browsers with Firefox-like add-ons

[fbobraga]

A sad news to me :/

Re:

[fbobraga]

Opera is nice for offline reading

I recommend Opera Mini [google.com] over "normal Opera" [google.com]: it has a much minor size and memory footprint (by been very light, it works very well on old phones and tablets)

Re:

[ArchieBunker]

Why not Chrome? I know everyone claims it spies but nobody has provided any kind of Wireshark logs or further information to prove it.

Re:

[Alumoi]

Hmm, could it be that because it logs you automatically on all google sites (search, youtube, ad network and so on)?
With Firefox/Opera I can choose when I want to be logged in and when not.

Re:

[sexconker]

The mere fact that the address bar and search bar are the same qualifies.
You can't type in an address without it being sent off to Google to deliver suggestions when they're the same bar.

Security design-flaw in Firefox

[Anonymous Coward]

It should not have been possible that an add-on can change security settings to begin with.

Re:

[Anonymous Coward]

Why not?

Re: Security design-flaw in Firefox

[Anonymous Coward]

Security relevant settings should of course be changeable. But they should only be changed by the user, and only via native browser UI, or maybe by explicit opt-in permission from the user via native browser UI. I say maybe because is already dangerous to let users grant that kind of permission. Firefox is for the general population, people who have been trained to give anything they install sweeping permissions without even reading the boilerplate.

Re:

[BronsCon]

let users grant that kind of permission

was, I think, referring to

maybe by explicit opt-in permission from the user

which would imply the user granting an add-on the ability to change the settings on their behalf. I think AC was pretty clearly agreeing with you that the user should be allowed to change the settings themselves when they said

Security relevant settings should of course be changeable.

and

But they should only be changed by the user, and only via native browser UI

You must have seen these remarks; you directly quoted each of them.

Re:

[sexconker]

Make up your mind!
First you say that security relevant setting should be changeable then you say it's dangerous to let users grant that kind of permission.

And?
Users should be able to do dangerous things if they so choose.

Re:

[Anonymous Coward]

What if you WANTED that add-on to change the security settings?

If a addon cant change security settings then people will be complaining that firefox has things blocked off that can't be changed.

People are lazy and will use addons to change simple stuff. Look at the ones to disable webrtc. All it takes is typing in "about:config" and double clicking on a entry but all the people who use those addons show people like the convenience of addons to change the settings for them.

You shouldn't blame firefox for giv

Re:Security design-flaw in Firefox

[bloodhawk]

Then the user should be asked and CONSENT to changing the security setting. Allowing any addon to do this without the users knowledge is most definitely a design flaw.

Re:

[softnewsit]

Code signing will not be a "turn off/on" settings in upcoming Firefox versions. It is under testing, so it still allowed users to disable it because it did not get to "test & sign" all existing addons

Re:

[joboss]

What you're saying is why Firefox basically sucks. They go too far for security and forget about diminishing returns. You can't deal with a stupid user and the longer you over guard them from their stupidity the longer they stay stupid for. You can never say never. There are reasons an addon might need to override "security". Security is not a magic word for something unobtrusive. It means crippling and limiting everything that might be abused, if not simply removing it. You can't say there is no legitimate

Re:

[chefmonkey]

Well, sure. The issue is that add-ons have historically been loaded into the same security context as the rest of the browser code, which means they could literally do anything. The recent move towards having a better-defined API -- one that would prevent the kinds of things you think should be prevented -- is being done in large part to make this a far more tractable problem to deal with.

Of course, as soon as there's any noise about preventing add-ons from doing literally anything they want to your compute

Tor Browser + youtube-dl is a great work around

[Anonymous Coward]

and youtube-dl makes this simple so you don't use insecure flash or html5. youtube-dl supports a ton of sites with videos and always downloads the best quality version of the video.

don't download the older versions of youtube-dl in your Linux repository, instead, just download the newest version @ youtube-dl website:

http://rg3.github.io/youtube-d... [github.io]

Re:

[Anonymous Coward]

I previously used youtube-unblock before to bypass georestriction. using tor browser will let me access youtube *sitewide* block (block from national isp filter, company filter, etc...) but it will be a test of luck if you are trying to browse/download *georestricted* video (ex: many japanese youtube will restrict their access to japan users--japan ip-- only). As much as youtube-unblock is grayware/malware, I don't think it is not replaced by Tor browser (+ youtube-dl or so).

GJ

[ZeRu]

When I read the first sentence, I thought to myself that reasoning behind this was some corporate/copyright bullshit. But looks like Mozilla did a good job on this!

I didn't realise this add-on existed...

[91degrees]

Now I want it. Except without crippling my security.

Is there an alternative?

Re:

[jrumney]

Is there an alternative?

Newsflash: people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either. If you still want alternatives, tread carefully.

Re:I didn't realise this add-on existed...

[cdrudge]

people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either.

So authors the various ad blockers, NoScript, Ghostery, etc aren't respecting your rights when they also don't respect the publisher's rights, blocking all the crap the publishers include? How am I suppose to live with myself and sleep at night violating the publisher's right to violate me?

Re:

[KGIII]

About that Ghostery...

https://www.google.com/search?... [google.com]

I've long-since moved away and use uMatrix. It's completely open and, unless I'm missing something in the code (I've checked the source - I'm pretty sure), there's nothing amiss there. It's got a bit of a learning curve but it's slight and easily doable. If I can learn it, I'm sure you can. You can then get rid of anything and everything on a site. It's pure whitelist-based.

I like to describe it as being akin to an old-school software firewall except li

Re:

[jrumney]

As I said, tread carefully. Adblockers to counter malware and obtrusive advertising are one thing, but not all ad blocker authors have your best interests at heart ("Acceptable Ads" anyone?).

Re:

[cdrudge]

Yeah. Violate me. As in my right to privacy, right to be or not to be tracked, right to not be exposed to potential security issues, etc.

Re:

[Tharkkun]

"violate" you? come on, you aren't being raped or anything, dial back th froth a little.

You sound like Bill Cosby.

Re:

[chefmonkey]

Hrm. If there were only some way to search for that kind of thing...

https://addons.mozilla.org/en-... [mozilla.org]

Re:

[91degrees]

Yes... The first one wants "anonymised click stream data", and I'd rather not give permission without knowing what it it. Others seem to want me to sign up for something that all else being equal I'd rather not do.

But it's possible that a slashdotter somewhere knows about a good alternative or can offer advice on which one to use.

It turns out though, that you're right and I'm wrong. They don't. I just get a response from some sarcastic jerk.

Re:

[KGIII]

There are many, many ways to use a VPN. This is even do-able in just the browser itself. If one's goal is to bypass geolocation restrictions, and isn't really all that security minded, then one need only look at the many services offered. Many of them are free. Some of the free ones have various restrictions, such as bandwidth restrictions. Needless to say, there are ways around those restrictions - such as multiple accounts. I guess, I'd rather call those "proxies" instead of "VPNs" as they're not really a

Danke, GEMA

[Knuckles]

n/t

Re:

[epyT-R]

Well, on the one hand, it's good to know that there was possible bad behavior, but on the other, the trend of vendors locking down their ecosystems is hurting those who do not wish to accept whatever they're willing to push through the needle.

Re:Let THE USER Decide

[Kremmy]

What, are you a malware author or something? Remove this backdoor garbage from official add-on repositories.

Re:Let THE USER Decide

[William Baric]

I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

Re:Let THE USER Decide

[paulatz]

The FA says you are still allowed to infect your pc with all the malware you want from the addon homepage. Did you try to RTFA but were stopped by ad popups?

Re:

[Anonymous Coward]

Haha, ok, well, that's the end of Firefox, then. I've just read the signing process [mozilla.org] and nope, nope, nope. I used to write and maintain extensions for a local site I was involved with and there is no way in hell I'm submitting shit to them and waiting for them to approve what already works and my users already trust me with.

Although I might just work out how to get everyone installing a developer certificate or recomend that they install one of the Firefox forks.

Re:

[Anonymous Coward]

A reputation built through a web of trust is the best possible system.

A single centralised decider of who counts as trustworthy - particularly one so incompetent and obviously lacking in decent direction as Mozilla - is the worst possible system.

So, you're the polar opposite of correct.

Re:

[chefmonkey]

You need to read more carefully. For the kind of add-ons you mention -- that is, ones not hosted on Mozilla's servers -- the signing process is automatic. You can even use a commandline tool to automate submission of the file for signing, and generally get a signed version back within a few seconds.

Re:

[Tharkkun]

I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

I agree. They fuck with Java non-stop which I require for internal applications. Who cares if my Java is out of date when I use one specific browser on one applications. Stop disabling my shit Mozilla.

Re: Let THE USER Decide

[Anonymous Coward]

"The add-on remains available through its homepage."
The user still can decide. Mozilla only removed it from their add-on marketplace, which is IMO the correct action and certainly not any kind of overreach. That's like saying Google is wrong for banning Android apps from the Play Store which root your phone - it's not, they have policies and those apps knowingly violated them; if you still want those apps side loading is available.

Re:

[LoneBoco]

That's what will happen once mandatory addon signing is implemented.

Re:

[DrXym]

They could do that too. They have blacklist functionality which I'm sure includes the ability to block apks. And who's to say they won't use it if the add-on is a malware vector.

Re: Let THE USER Decide

[bickerdyke]

The user CAN NOT decide if the probably unwanted stuff is slipped to him secretly.

It would be different if the user was warned during plugin installation "Hey, we're going to mess with your browser security setting and will install stuff that would trigger your virus alert, but - just to avoid that confusion - we will disable your antivirus while we're at it. OK?"

THAT would be "let the user decide".

COB: Corporate Overreach Blocker has detected....

[TapeCutter]

As the smartest guy on the internet you probably already have my patented corporate overreach blocker installed. As you probably know it has been banned from freedom hating corporate repositories, meaning my elite followers are forced to download it from my exclusive website. What you may not know is that I just finished uploading the new version. The new version of the banned plugin can now shrink corporate overreach from the most powerful multi-nationals in the world down to the size of Donald Trump's fin

Re:

[BronsCon]

the censors at google are about to delist my website

Your corporate overreach blocker can't block that? Garbage.

Re:

[lgw]

But can your corporate overreach blocker do everything that hosts files can?

Re: I need a nubile girl

[Anonymous Coward]

127.0.0.1