It's been a problem that unrelated third-party programs installed on the same computer take the liberty of inserting add-ons into Firefox, bypassing the normal restrictions. (Only add-ons from user-approved sites are installed, and the user needs to explicitly click "Install" after having watched a dialogue warning about the dangers of untrusted add-ons for at least 5 seconds.)
For example, if you install a certain instant-messaging-crapware-program, you also get, at no extra charge, a firefox-addon that'll change your default search-provider to Yahoo, and set your homepage to a banner-ad-infested hell. (and it'll reset these two settings on every firefox launch)
Such add-ons, i.e. ones that are not installed through Firefox but merely present in the appropriate add-on directory, will now be disabled by default. (Though you can still enable them in the add-on manager if you *do* want them.)
Posted Nov 9, 2011 10:52 UTC (Wed) by Cato (subscriber, #7643)
On Windows, Microsoft Office, Adobe Reader and quite a few other applications do this, and often they re-enable the addons/plugins every time the application is updated. Great that Firefox now addresses this.
Firefox 8 released
Posted Nov 9, 2011 13:02 UTC (Wed) by gidoca (subscriber, #62438)
Yes, it is. I wonder though how long it will take for application developers to figure out how to bypass this.
Firefox 8 released
Posted Nov 9, 2011 13:11 UTC (Wed) by Cato (subscriber, #7643)
Firefox is just scanning for installed addons when it starts up, I believe, so the addon would have to change Firefox's own files to fool it - probably possible but addons that do that are really crossing the line into malware and should be treated as such.
Firefox 8 released
Posted Nov 9, 2011 20:43 UTC (Wed) by gidoca (subscriber, #62438)
IMHO, changing the home page and default search provider at every start of Firefox is already well beyond the line to malware.
Firefox 8 released
Posted Nov 10, 2011 9:23 UTC (Thu) by job (guest, #670)
You just said "disabled by default" with many more words. The question remains what Mozilla can do to remedy this?
The only thing I can think of is to make installation really convoluted, perhaps require that several different changes are made, in sync, to undocumented file formats. A reasonably intelligent person would recognize this as a solution probably worse than the problem.
I'm slightly sad that not only is the release announcement made of these nonsensical PR bullet points, but they are repeated on news sites and blogs while no one understands what they mean. People do not seem to expect anything else anymore. Web browser development has been made more ivory tower-ish over the past few years and all that's visible on the outside is new window dressing every few months.
Solution is simple...
Posted Nov 10, 2011 9:48 UTC (Thu) by khim (subscriber, #9252)
The only thing I can think of is to make installation really convoluted, perhaps require that several different changes are made, in sync, to undocumented file formats.
Not really. You only need one such file - and you already have it: browser binary. Just sign the preferences file with some key unique to the browser build - and that's it. You will need to include keys for all previous officially released builds, obviously (to make it possible to upgrade), but this is not a big deal.
Sure, crapware developers may try to scan your binary to find embedded keys, but these schemes will be inherently fragile. Your goal is not to make something impossible but merely to make something unfeasible, after all.
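The two mechanisms discussed so far, the Firefox 8 startup scan that disables anything merely present in the add-on directory, and the per-build signing of the approved-add-on state proposed in this comment, can be modelled together. The following is an added illustration and is not Mozilla's code nor the commenter's; it assumes a symmetric MAC (HMAC-SHA256) because the browser itself must produce the tag locally when the user clicks Install, which is also why the key has to live in the binary, and it accepts tags under any of a constructed set of previous build keys so that an upgrade does not disable everything. Add-on identifiers, key values and version strings are all constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

# Constructed per-build secrets. In the scheme under discussion these would be
# embedded in the browser binary; here they are plain literals for illustration.
BUILD_KEYS: Dict[str, bytes] = {
    "8.0": b"constructed-key-for-build-8.0",
    "7.0.1": b"constructed-key-for-build-7.0.1",
}
CURRENT_BUILD = "8.0"


def mac_state(state: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the approved-add-on state."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_state(approved: Set[str]) -> dict:
    """What the browser writes after the user approves add-ons in its own dialog."""
    state = {"approved": sorted(approved)}
    return {
        "build": CURRENT_BUILD,
        "state": state,
        "mac": mac_state(state, BUILD_KEYS[CURRENT_BUILD]),
    }


def load_state(blob: dict) -> Optional[Set[str]]:
    """Return the approved set if the tag verifies under any known build key.

    Trying every key, not only the current one, is what keeps a state file
    written by an older release valid after an upgrade. A file edited by a
    third-party installer that does not know a key fails here and yields None.
    """
    for key in BUILD_KEYS.values():
        if hmac.compare_digest(mac_state(blob["state"], key), blob["mac"]):
            return set(blob["state"]["approved"])
    return None


def startup_scan(addon_dir: List[str], blob: dict) -> Dict[str, str]:
    """Classify each add-on found on disk: enabled only if it is user-approved."""
    approved = load_state(blob)
    if approved is None:
        # Tampered or unverifiable state: trust nothing that is merely present.
        approved = set()
    return {a: ("enabled" if a in approved else "disabled") for a in addon_dir}


if __name__ == "__main__":
    # Constructed add-on directory listing: one the user installed, one dropped
    # in by an unrelated installer.
    on_disk = ["userchosen@example.invalid", "bundled-toolbar@example.invalid"]
    blob = write_state({"userchosen@example.invalid"})
    print(startup_scan(on_disk, blob))

    # The installer appends itself to the approved list but cannot re-sign.
    blob["state"]["approved"].append("bundled-toolbar@example.invalid")
    print(startup_scan(on_disk, blob))
```

Note that the check only moves the problem: as the next reply points out, whatever key the browser uses to verify is also the key it uses to sign, and it is recoverable from the binary by anyone willing to look for it.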
Solution is simple...
Posted Nov 10, 2011 17:03 UTC (Thu) by job (guest, #670)
I'd like to challenge that. Even if keys were unique for each build they are stored somewhere and a third party installer could just as easily extract them. You would need to obfuscate keys by hand at random positions for each release for this scheme to slow down a third party installer noticeably.
It amounts to a pretty standard copy protection scheme, and all of those are broken not very long after release. (By people who get paid, by the way; defeating this installer would be worth money.)
This is not so simple.
Posted Nov 10, 2011 17:42 UTC (Thu) by khim (subscriber, #9252)
You would need to obfuscate keys by hand at random positions for each release for this scheme to slow down a third party installer noticeably.
Nope. We are talking crapware here, not malware. You only need to slow it down enough to trigger § 1201. After that point you don't have an example of crapware. It's clearly illegal malware and should be treated as such: it will be added to virus databases, etc.
This is not so simple.
Posted Nov 14, 2011 20:28 UTC (Mon) by job (guest, #670)
I see. I would never have thought that I would find EUCD/DMCA on my side some day, but what do you know...