Mozilla's response to the whole addon fiasco

hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/

Attached: hacks-meta-image.jpg (1200x660, 116K)

That's not the post-mortem.

So what is their excuse for exposing people in third world countries to possible imprisonment or death due to disabling of extensions that anonymize browsing or enable proxies?

A very elaborate and guilt-dismissing "oh shit we forgot the cert".

Notice how much they pat each other's backs for "working so hard and fast" to fix their own fuck up.

we need to take servo and make a browser out of it.
fuck mozzarella and fuck their schloppy mossad oopsies.

have you seen anyone say bad things about those monsters with beards and boobs?
no. because they pat each other on the back, all the fucking time.
have you seen anyone say that one of those transgenders looks shit? NO, even though everyone looks like dudes with wigs.
it's their fucking thing.

>even more damage control
enough already! we get it, your new "contributors" suck ass and can't even renew a single fucking certificate that guarantees that the very few people still using your shit are able to use their password manager. this isn't even the first time you've fucked up big time, but it's the only time those normies you convinced with tricks and lies to upgrade to Quantum will move away from your shit and never look back. just shut the fuck up and move on, the faster you die, the faster phoenix will rise again.

That is a circlejerk.

>Mozzarella
Kek

Who cares about how a dedicated porn browser responds to revelations about its stark incompetency?

jesus christ, you faggots. they fucked up. they fixed it. they admitted they'd fucked up.

The thing that angers me the most is that all this fiasco is to blame on ffox being a nanny browser.
Why the fuck should I (or them) care that Normie McNorman got a ransomware/miner/whatever the shit for installing a shitty addon when trying to download warez or porn from some shady chinese/slav page?
Keep the signing on your side and warn the user to only dl shit from their servers. There, this shit would have never happened.

Actually the problem is that Mozilla is faggots not us.

>hacks.mozilla.org
>hacks

they sure are

>We’ll be running a formal post-mortem next week and will publish the list of changes we intend to make, but in the meantime here are my initial thoughts about what we need to do.

>not a single mention of giving the user the ability to disable signing

but you can already do that.

not on stable

You can do that already as long as you either use an unbranded version of Firefox or a developer/beta/nightly release.

After this shit I'm never installing """""stable""""" again.
And neither should you, really.

>Keep the signing on your side and warn the user to only dl shit from their servers
If you turn off the signing requirements, unsigned or unverified add-ons get a big warning label saying it's potentially dangerous.
Honestly, that should be the norm. Like Windows will tell you "hey, this .exe isn't signed - it could be dangerous to run it" but they will let you run it if you so choose.
I would be 100% okay with that with Firefox addons. Just don't fucking disable them automatically.

I think part of Firefox's problems as of late is that they are forgetting that their core userbase was built on powerusers.

So what about legacy users?

Yeah the new EU meme law is pretty rough.

Every so often even prominent tech companies do something stupid like forgetting to renew a cert. I don't see all the bitching at Mozilla.

The Release version of Firefox by default chooses security over convenience. Extension can't be verified? Disabled with a notice as to why. There are a couple of workarounds immediately available if you need them that second and are tech savvy enough. They fixed it seamlessly within literally hours on a Saturday morning with a test quality fix through studies, and soon a final fix with a version update. Those running literally any Firefox version but standard Release channel on Windows could disable signing all together with a single setting - which is reasonable. Nightly, beta, Dev edition etc are made for people able to take responsibility if they disable it.

Really can't be too upset about this. They made a stupid mistake with the cert but the software failed secure. If they did the opposite and had it just not bother and load unsigned extensions you people would be angry about them putting convenience before security especially if there was some vulnerability causing issues, claiming the trannies fucked everything up

Let's just dispense with this discussion of the actual event. So many seem to just be pissed because of some hypothetical tranny conspiracy theory dreamed up about how Mozilla is under their control

They could even simply make it an option if they want to protect idiots, just give people who actually look in the settings a box to untick.

>they are forgetting that their core userbase was built on powerusers.
I agree with this 100%. Mozilla has been thinking too ambitiously of the time when they begin to reclaim market share of the general public which is entirely made up of normalfags, and so they've implemented some "features" that would be beneficial for these bottom of the barrel tech illiterate mongoloids. They don't realize, though, that these people all use chrome right now and their actual userbase is full of people that are perfectly capable of identifying a virus/fishy extension and not falling for it. Locking the browser down right now is a bad move since it only pushes away their userbase and they don't have mass market appeal yet to save them from power users switching away.

They had to be sure they could prevent the white supremacist Gab plugin from ever working again.

In my opinion the problem is not the certificate expiring. The problem in my mind is that the certificate expiring invalidated addons that were previously installed and verified. If addons checked out before that should be it. The only time they should throw up a warning is if the user tries to install a new addon with an expired cert.

>Users of very old builds of Firefox which the Studies system can’t reach.
>We can’t really do anything about the last group — they should update to a new version of Firefox anyway because older versions typically have quite serious unfixed security vulnerabilities. We know that some people have stayed on older versions of Firefox because they want to run old-style add-ons, but many of these now work with newer versions of Firefox.
So if you're using an older PC basically fuck you, use Chrome?

hear you've been talkin some shit

in this situation, or when the cert can't be checked, they should just soft-fail. i can definitely see this happening again before they change

I bet they suck each other off too.

Too many fuck ups.

They have not admitted they fucked up when they added this system noone asked for or broke plugin compatibility. This fuckup is a direct result of the former so apologizing for this doesn't fucking matter.

>you people would be angry about them putting convenience before security
This is how it was from the beginning and no one complained.

I am pretty miffed that they created an addon walled garden. I should be able to decide if I want extra security on my shit, but that doesn't let them censor shit.

>their core userbase was built on powerusers
They got shitloads of normies on board some years ago, but Chrome has since whisked them away. Now literally the only ones left who actually give a fuck are the power users.

>Like Windows will tell you "hey, this .exe isn't signed - it could be dangerous to run it" but they will let you run it if you so choose.
No, Windows does not do that. Windows lets you run unsigned exes without a warning, which is how it should be.

>Second, we need a mechanism to be able to quickly push updates to our users even when — especially when — everything else is down.
>but at the same time we need to be able to push updates to our users; whatever the internal technical mechanisms, users should be able to opt-in to updates (including hot-fixes) but opt out of everything else.
Users shouldn't be able to opt-out of updates / Updates should be forced through a more powerful backdoor because the current one is too secure.

Very weasely worded, that's not good.

See, it's accurate to what Mozilla means. The part where he blatantly lies about old-style extensions working: scummy, scummy.

Yeah, I just tested two XP VMs and I can't get any add-ons to work.

why the fuck do these fools take pride in how quickly they responded and fixed the issue? this should have literally been a non-issue, not to mention they DIDN'T EVEN KNOW THE FUCKING CERT EXPIRED until people started complaining. if they keep operating with this level of retarded incompetence I hope they go under.

pic related is mozilla when the bug reports started coming in

Attached: andover_ping_pong_hampshire_tournament.jpg (344x380, 24K)

but how will they properly virtue signal without personally censoring their userbase?

>servo
eww, no thanks

Attached: servo.png (1081x855, 180K)

Attached: spam.png (945x925, 137K)

underrated. i used to defend mozilla for shit, but killing off all addons was too much. no more.

Wow is this your first time reading anything from public relations?

What is this? A shill campaign?

Too late. Brave is the comfiest browser.
>t. long time Mozilla user

Attached: 1455690312405.jpg (552x424, 23K)

probably just some autist with a bot, manually filling out captchas, and he does it for free

This is a shitposting nazi website.
Please refrain from using facts and logic here.
This is your final warning.

>why the fuck do these fools take pride in how quickly they responded and fixed the issue?
Someone went around the office and stuck gold stars on their monitors, and left a vegan muffin on their desk, for doing super awesome work!

people were outraged by the addon signing requirements when they were first imposed, which they correctly saw as
1) an egregious limitation on user freedom to install whatsoever they chose
and
2) a hostile act against developers, who, for whatever reason, could not, or would not upload to AMO instead of hosting their addons on their own pages (e.g. every one using github).

Does this mean that people with older versions of FF don't need to update to prevent/fix that issue?

Kek

>Then there were a few false starts where we didn’t issue exactly the right certificate, and each attempt cost an hour or two of testing before we knew exactly what to do.
Oh boy, you and your pills.
>Second, we need a mechanism to be able to quickly push updates to our users even when — especially when — everything else is down.
So more botnet is on the way. Thanks!

>So more botnet is on the way. Thanks!
How are improvements to the auto-update mechanism "more botnet"?

They didn't offer any "improvements" to auto-update mechanism, the whole paragraph is just retarded. "especially when — everything else is down" - nothing was down, they jerked around with their botnet studies instead of rolling the fucking update for god knows why. "whatever the internal technical mechanisms, users should be able to opt-in to updates (including hot-fixes) but opt out of everything else" - yes, that's why people had auto-updates enabled and disabled the fucking studies, and if not for dumb trannies distributing critical update via studies, that's how it would've worked.

I think the real issue with the article, and what is angering most people, is that it talks about what steps they took to solve the issue but not once did it touch on why this was an issue in the first place. There are a few potential solutions in my eyes, none of which Mozilla seems to be considering.

1. Only verify signatures during installation of an addon, not all the time
2. Allow users, even in stable branches, to disable signature verification
3. Set a fucking calendar reminder a week before the cert expires

Instead of doing any of that though, Mozilla has decided they want more remote code execution functionality in their browser. They're planning to fuck up again and are taking steps to alleviate those fuck ups instead of taking preventative measures.

discourse.mozilla.org/t/fixed-certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/22

Unless I'm misunderstanding something, it would appear that the last post in the link I posted implies they're working on a fix for users on versions 52-59

t. ranny

>alleviate
*aggravate

>they jerked around with their botnet studies instead of rolling the fucking update for god knows why
Rolling out full updates is probably a lot slower than rolling out a small hotfix.

>I think the real issue with the article is that it talks about what steps they took to solve the issue but not once did it touch on why this was an issue in the first place.
That sounds like the topic for a separate article.

>1. Only verify signatures during installation of an addon, not all the time
>2. Allow users, even in stable branches, to disable signature verification
Those would break one of the main reasons for having signatures - that crapware can't install itself as a Firefox addon without getting removed the next time its signature is checked.

>3. Set a fucking calendar reminder a week before the cert expires
They damn well better.

>Instead of doing any of that though, Mozilla has decided they want more remote code execution functionality in their browser.
I'm not sure why you think the idea is unreasonable. They're probably just going to use the SAO system they already have, given it seems to work for hotfixes.

>They're planning to fuck up again and are taking steps to alleviate those fuck ups instead of taking preventative measures.
Fuck ups will always happen regardless of prevention. A hotfix system would be useful for more than just replacing certs, it would also help with serious vulnerabilities or misbehaving CAs.
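The two sides of the argument above (verify only at install time or let users switch verification off, versus re-checking signatures so crapware gets removed) and the earlier point that an expired cert should not retroactively invalidate add-ons that were already verified are easier to weigh with a concrete model. The following is an added example written for this page; it is not Mozilla's code and does not use Firefox's real signing format. The "signature" is an HMAC stand-in for the real X.509/PKCS#7 check, the certificate and dates are constructed, and `verify_chain_now`, `verify_chain_at_signing`, `verify_install_flag_only` and `expiring_within` are hypothetical names chosen here. It also folds in the "calendar reminder" suggestion as a small expiry check.

```python
# Added example (not Mozilla's code): a toy model of three add-on signature
# policies plus a cert-expiry reminder, to show why an expired intermediate
# certificate disabled already-installed add-ons and what the alternatives
# trade away. The "signature" is an HMAC stand-in for a real X.509/PKCS#7 check.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Stand-in for the signer's private key (constructed; a real signer uses asymmetric keys).
SIGNER_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: a name and a validity window."""
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class SignedAddon:
    addon_id: str
    payload: bytes
    signer: Cert          # the intermediate that issued the signature
    signed_at: datetime   # when the signature was produced
    tag: bytes            # stand-in signature over (signer name || payload)


def _tag(signer: Cert, payload: bytes) -> bytes:
    return hmac.new(SIGNER_KEY, signer.name.encode() + payload, hashlib.sha256).digest()


def sign_addon(addon_id: str, payload: bytes, signer: Cert, signed_at: datetime) -> SignedAddon:
    return SignedAddon(addon_id, payload, signer, signed_at, _tag(signer, payload))


def tag_ok(addon: SignedAddon) -> bool:
    """Does the signature match the payload? Catches tampering; says nothing about cert validity."""
    return hmac.compare_digest(_tag(addon.signer, addon.payload), addon.tag)


# Policy 1: re-validate the whole chain against the clock at every check.
# Once the intermediate expires, every add-on it signed fails, installed or not.
def verify_chain_now(addon: SignedAddon, now: datetime) -> bool:
    return tag_ok(addon) and addon.signer.valid_at(now)


# Policy 2: accept a signature if the cert was valid when the signature was made
# (how timestamped code signatures are treated). Tampering is still caught, and an
# expiry after signing does not retroactively disable the add-on.
def verify_chain_at_signing(addon: SignedAddon, now: datetime) -> bool:
    return tag_ok(addon) and addon.signed_at <= now and addon.signer.valid_at(addon.signed_at)


# Policy 3: check only at install and persist a flag in the profile. Anything that
# can write the profile (a dropped file, an installer) can set the flag too, so the
# check is only as strong as the profile directory's permissions. Tampering is never re-checked.
def verify_install_flag_only(addon: SignedAddon, now: datetime, profile_flags: dict) -> bool:
    return profile_flags.get(addon.addon_id, False)


def days_until_expiry(cert: Cert, now: datetime) -> int:
    return (cert.not_after - now).days


def expiring_within(certs, now: datetime, window_days: int = 7):
    """The 'calendar reminder' as code: certs expiring within the window, or already expired."""
    return [c.name for c in certs if days_until_expiry(c, now) <= window_days]


# --- constructed scenario (dates and names are made up) ---------------------
UTC = timezone.utc
INTERMEDIATE = Cert("demo-intermediate", datetime(2018, 1, 1, tzinfo=UTC), datetime(2019, 1, 1, tzinfo=UTC))
SIGNED_AT = datetime(2018, 6, 1, tzinfo=UTC)
GOOD = sign_addon("password-manager@example", b"ok-addon-bytes", INTERMEDIATE, SIGNED_AT)
# Same signature, but the payload was replaced on disk after signing.
TAMPERED = SignedAddon(GOOD.addon_id, b"replaced-bytes", GOOD.signer, GOOD.signed_at, GOOD.tag)


def scenario(now: datetime) -> dict:
    """Evaluate each policy at time `now`; returns a plain dict so the results can be checked."""
    flags = {GOOD.addon_id: True}  # set at install; a side-loaded add-on could set it too
    return {
        "chain_now_good": verify_chain_now(GOOD, now),
        "chain_now_tampered": verify_chain_now(TAMPERED, now),
        "at_signing_good": verify_chain_at_signing(GOOD, now),
        "at_signing_tampered": verify_chain_at_signing(TAMPERED, now),
        "flag_only_tampered": verify_install_flag_only(TAMPERED, now, flags),
        "expiring": expiring_within([INTERMEDIATE], now),
    }


if __name__ == "__main__":
    print(scenario(datetime(2018, 12, 28, tzinfo=UTC)))  # four days before the cert expires
    print(scenario(datetime(2019, 1, 2, tzinfo=UTC)))    # one day after it expired
```

Run at the second date, policy 1 rejects the untouched add-on while policy 2 still accepts it and still rejects the tampered copy; policy 3 accepts the tampered copy because it only consults a flag. The reminder check flags the intermediate in both runs: four days out and, afterwards, as already expired.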

heh

>crapware can't install itself
only >2., retard, and that is only if a user chooses to disable it.

This. I use the unbranded build now because of this.

Since when do apologies matter?
There needs to be punishments. Liabilities, crimes, misconduct. Its not enough to just say sorry.
There needs to be responsibility.
This is not about kids with a school project.
It is about adults, businesses and money.
How about some jail time.

Seriously? Fucking jail time?

Check the license. No warranty, no contract. No recourse. If you want accountability then pay for your software.

>we have developed a system called Normandy which lets us serve SAOs to Firefox users. Those SAOs automatically execute on the user’s browser and while they are usually used for running experiments, they also have extensive access to Firefox internal APIs
FF is an actual botnet client.

Attached: 1557319286273.jpg (400x323, 20K)

these ad-pushers will keep pushing ads

a license cannot waive rights

>only >2
No, if signatures were only checked at install time then any crapware which bypasses the browser's install process (by copying itself into the directory) wouldn't ever get verified.

>and that is only if a user chooses to disable it.
The user doesn't need to be involved - the crapware installer could just turn signature verification off.

What exactly do you think an automatic updater does?

What rights are you talking about? You don't have a right to force others to give you high quality software, and they didn't promise it.

if malware is using a side channel to get into your computer, that isn't something for the browser to bother itself with.
feudal security makes us all insecure slaves.
read bruce schneier

>by copying itself into the directory
It's not the browser's job to take care of OS security.

>CTO of Mozilla
>hasn't resigned
>hasn't killed self
Shameful display.

Attached: sudoku.png (394x394, 342K)

>if malware is using a side channel to get into your computer, that isn't something for the browser to bother itself with.
Think back to when every Java install bundled twenty-six different toolbars. That's a pretty serious usability issue. And while "the user installed dumb shit" is a side channel, if it breaks the browser it makes sense to prevent it.

>feudal security makes us all insecure slaves.
If you want full control, use any Firefox release but the one intended for Grandma.

>It's not the browser's job to take care of OS security.
It shouldn't be.

On the ESR branch I got a fix on Wednesday. So no, they did not work fast you faggot

Fucking these. If the machine is compromised, they could install their own patched Firefox with none of the protections anyway. What a retarded threat model.

If the goal is to prevent casual "oh but we're not malware we promise" tier shit, then just disable the extension by default and toss up a flag on browser start to let the user know they need to manually enable it. That's literally all you can do. Malware can always bypass whatever protection you put in place once it's gotten a foothold.
>Browser intended for grandma
It's security theater that grandma can't even comprehend. At least the TSA makes idiots feel safer. This pretty much does nothing.

>If the machine is compromised, they could install their own patched Firefox with none of the protections anyway.
Patching or replacing Firefox is much harder than editing one JSON file.

>If the goal is to prevent casual "oh but we're not malware we promise" tier shit, then just disable the extension by default and toss up a flag on browser start to let the user know they need to manually enable it.
Then the malware will just set the "the user has enabled this addon" flag. There's no change to the configuration that a user can do but another program couldn't.

>It's security theater that grandma can't even comprehend.
Grandma doesn't need to comprehend it, she just needs to not have Ask toolbar in her face when she checks the news. Everyone else can install a different release if they want full control over what needs to be signed.

Please stop posting this unsolvable sudoku.

>Patching or replacing Firefox is much harder than editing one JSON file.
Fucking how? If you have access to the OS's files, then you just replace the firefox binary with your own. There's nothing mozilla can or should do in this instance.

>addons
>privacy
don't worry, you have already given away your entire browsing history to countless companies worldwide. The only way to achieve privacy is to use Tor and not install a single add-on. Everything else makes it easier for you to be tracked.

Not true at all. Companies aren't magic. The NSA probably knows your entire browsing history, but there's no way for a company to know if you take the right precautions (block tracking scripts, avoid fingerprinting, etc.)

>Fucking how?
Legal pressure. Actual malware isn't going to give a shit, no matter what Mozilla does. But most of the toolbars and crapware is distributed under the paper-thin legal argument "you clicked / didn't click a checkbox, so you agreed to installing this shit". Flipping a config setting to allow unsigned addons is vaguely justifiable as part of that (and has happened in the wild, apparently) but so far nobody is willing to go as far as altering the executable itself.
Maybe that will change, but for now the toolbars have gone away.

Replacing Firefox is not difficult. Malware often replaces system files. You think replacing a browser binary is hard?
If it's casual crapware you're defending against, then you just put the flag in the sqlite database and hope they realize it looks really bad when you start fucking with a database to get your addon installed. Doing shady shit is how your PUP gets put in the Windows Defender blacklist.
>Grandma doesn't need to comprehend it
Grandma is using fucking Chrome because her adblock got broken by a bunch of retards at Mozilla, and she installed legitimate malware because she wasn't used to seeing ads. Being an autist about Ask got her fucking cryptolocker you cunt fuck. I only put up with fuckups like this once.

Just, stop being a goddamn idiot. The threat model is a submarine and this bullshit is a screen door welded to the hull. It doesn't work. It's just annoying.

>If it's casual crapware you're defending against, then you just put the flag in the sqlite database and hope they realize it looks really bad when you start fucking with a database to get your addon installed.
Too late, we're already past that point. Touching the executable seems to be the only line they won't cross.

>It doesn't work. It's just annoying.
It definitely does seem to work, given the crapware is gone.

>By clicking here you agree to install Ask Firefox. The better Firefox!
The only way to defend against this garbage is by being savvy or using a decent anti-spyware/anti-PUPware. Defender isn't enough for an absolutely clueless person. It only goes after the hardcore malware.

>But most of the toolbars and crapware is distributed under the paper-thin legal argument "you clicked / didn't click a checkbox, so you agreed to installing this shit"
The exact same thing applies to installing a firefox binary with the signed addons disabled.

You don't seem to remember the days where these applications would install their own browser and set it as default. Now that Windows stops setting browsers programmatically they can't do that. But they could install over an existing browser if the user "agreed to it". This has already happened with malware that didn't ask first. Nothing is stopping the more legally ass covered guys from trying it.

>By clicking here you agree to install Ask Firefox. The better Firefox!
Technically, I'm pretty sure that would be trademark infringement.
But yes, this arms race is probably going to end up with shit like that. In the mean time, signing works.

>The exact same thing applies to installing a firefox binary with the signed addons disabled.
Maybe, but so far nobody's been brave enough to try that. It definitely wouldn't be a good look to be taken to court over altering the binaries of another application -- distributing actual malware.

>Nothing is stopping the more legally ass covered guys from trying it.
They haven't tried it yet.

Signing doesn't work. It broke and pushed a shitload of people towards Chrome. If you can't see how that was an enormous backfiring then you're totally hopeless.
>Distributing actual malware
Not him, but it's not. If the binary is just Firefox with signing disabled, a la the developer version, then it's not malware at all.

Is everything fixed now with firefox?

Well there's still retards running it so no.

To be fair, I thought Gab was going to foster legitimate discussion on websites - instead it's just Jow Forums on popular sites and literally zero comments on other sites. Even CNET only has 2 comments, and one of them is about Jews.

I don't think this addon is nearly as (((DISRUPTIVE))) as this site puts it out as.

developer edition doesn't support importing profiles from normal firefox for... some reason, and current nightly has multiple persisting broken features (inability to save via drag and drop, for example) and will randomly break entirely depending on how bad the current alpha update is (which is why i stopped using nightly years ago). there is no reason to force people to use a shittier version of firefox just to let them toggle an about:config option when several other config options are freely available to the user in base firefox.

there was also no reason to push the quick fix out via telemetry-infested bullshit and that seriously reeks of foul play.

how did someone "forget" about the certificate expiring anyways? does no one keep tabs on that shit?

could be
0. not an original concept (digg, reddit, disqus, mefi...)
1. gab has a small userbase
2. less popular sites get less traffic (imagine my shock)
3. less traffic = less comments
4. gab is datamining shit and you shouldn't use it, nothing to do with politics, fuck you.

>developer edition doesn't support importing profiles from normal firefox
It does. You need to go to about:profile and then change the active profile or something to your old profile.

It has literally everything to do with politics, just look at their website retard.
Also
>CNET
>Unpopular
Gtfo newfag