
Firefox 23.0.1 released

Firefox 23.0.1 has been released. This version enables mixed content blocking along with other updates and bug fixes. The release notes contain additional information.

Firefox 23 released

Posted Aug 20, 2013 16:29 UTC (Tue) by drago01 (subscriber, #50715) [Link]

It has been released on August 06 ... what got released now is Firefox 23.0.1

Firefox 23 released

Posted Aug 20, 2013 16:40 UTC (Tue) by horen (subscriber, #2514) [Link]

"Firefox 23.0.1"... which was released on Saturday, 17 August 2013.

Firefox 23 released

Posted Aug 20, 2013 16:52 UTC (Tue) by ris (editor, #5) [Link]

My mistake, which has now been corrected. Thanks for the report.

Firefox 23.0.1 released

Posted Aug 20, 2013 17:18 UTC (Tue) by hadrons123 (guest, #72126) [Link]

The number of bugfixes is really small, and major distros except Arch have already skipped this update.

Firefox 23.0.1 released

Posted Aug 20, 2013 17:35 UTC (Tue) by Richard_J_Neill (subscriber, #23093) [Link]

One notable new misfeature has been corrected by the addition of the "keyword.URL hack!" extension.

This is useful if you are in the habit of using the search bar (Ctrl-K) for one search engine (eg Wikipedia), and the location bar (Ctrl-L) for another search engine (eg Google) when the term contains spaces.

More details here: https://bugzilla.mozilla.org/show_bug.cgi?id=873734

Firefox 23.0.1 released

Posted Aug 20, 2013 18:37 UTC (Tue) by xorbe (subscriber, #3165) [Link]

With the removal of features with devs refusing to accept above-average users exist, and the removal of javascript enable/disable checkbox, etc, it's obvious where this is all going.

Firefox 23.0.1 released

Posted Aug 20, 2013 19:37 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Yeah, a lot of the more advanced and unusual config options are only going to live in about:config while the main GUI dialog boxes are going to be much cleaner and spartan.

Firefox 23.0.1 released

Posted Aug 20, 2013 19:13 UTC (Tue) by dashesy (subscriber, #74652) [Link]

Or if you are feeling ducky (or lucky), URL bar's functionality is otherwise redundant.

Firefox 23.0.1 released

Posted Aug 20, 2013 19:34 UTC (Tue) by cesarb (subscriber, #6266) [Link]

There is one important difference between the two bars.

The search bar sends every keystroke to a remote server to generate the autocomplete dropdown. The location bar uses only local resources to generate the autocomplete dropdown.

The search bar is superior when you want to search the web (better autocomplete), the location bar is superior when you are directly typing an URL or searching the local history (what you are typing is not sent to the search provider's servers).

keyword.URL

Posted Aug 20, 2013 19:58 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

What's going on here takes a bit of unpacking, so since I've wasted ten minutes doing it let me save others a little time.

On normal user systems, presumably particularly Windows, it's very common for malware to "hijack" the browser by modifying its internal settings to be more favourable to the bad guys who wrote or paid for the malware. One way to do this was to modify settings related to what happens when you type something that's not a URL.

Historically Firefox had a setting with no UI (about:config does not count as UI) that controlled this, to a power user (like most LWN readers) this is a useful feature that seemed harmless, and talk of "security problems" with the feature makes one think of maybe an accidental exposure via Javascript or something. But in fact the hijackers are _running code_ on your PC but (in this case, it so happens) they don't care about rewriting your boot sector or reading your SSH private keys, their objective is just to control where your web browser goes and thus influence advertising revenue so they just modify the browser config directly.

So Mozilla.org's solution is to remove this config altogether. No config means nothing for hijackers to hijack. They can still override the main search engine preference, but that has a UI so the user could change it back. Do users actually change it back? I'm skeptical, these are users who are allowing bad guys to run arbitrary code on their PC, they are not very sophisticated. But that's something for the Mozilla.org people to bump their heads against.

What you're seeing here is like DRM restricted movies, client security for first person shooters, and that sort of thing. Theoretically it's an unwinnable war, but that doesn't stop people from fighting it and in the process making your life unnecessarily difficult. So that's what is going on here. The "keyword.URL hack!" extension is a way to return to what you had when nobody was fighting this particular unwinnable war on your PC.
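Added example, not part of the thread and not Mozilla's code: one way to check a profile's prefs.js for the kind of tampering described in the comment above, by flagging search-routing preferences that point outside an allowlist. The sample prefs.js content, the `search-helper.example` host and the allowlists are constructed for illustration; the watched prefs other than keyword.URL are real Firefox preference names chosen here, not taken from the thread.

```python
import json
import re
from urllib.parse import urlparse

# Prefs that decide where a non-URL entry, a search or the start page goes.
URL_PREFS = {"keyword.URL", "browser.startup.homepage"}
NAME_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}

# prefs.js lines look like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Constructed sample of a tampered prefs.js (not from a real machine).
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home|http://start.search-helper.example/");
user_pref("keyword.URL", "http://search-helper.example/results?src=kw&q=");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.defaultenginename", "Helper Search");
user_pref("network.cookie.cookieBehavior", 1);
'''

# Assumed local policy: what this user actually wants to search with.
ALLOWED_HOSTS = {"google.com", "duckduckgo.com", "wikipedia.org"}
ALLOWED_ENGINES = {"Google", "DuckDuckGo", "Wikipedia (en)"}


def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref()
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # strings, ints and booleans
        except ValueError:
            prefs[name] = raw  # keep unparsed JS literals as raw text
    return prefs


def host_allowed(host, allowed_hosts):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit(text, allowed_hosts, allowed_engines):
    """Return (pref, value, reason) for each watched pref outside the allowlists."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name in NAME_PREFS:
            if value not in allowed_engines:
                findings.append((name, value, "engine name not on allowlist"))
        elif name in URL_PREFS:
            # The homepage pref may hold several URLs separated by "|".
            for part in str(value).split("|"):
                part = part.strip()
                url = urlparse(part)
                if not part or url.scheme in ("about", "chrome"):
                    continue  # empty default or a built-in page
                if not host_allowed(url.hostname, allowed_hosts):
                    findings.append((name, part, "host not on allowlist"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit(SAMPLE_PREFS, ALLOWED_HOSTS, ALLOWED_ENGINES):
        print(f"{pref}: {value!r} ({reason})")
```

Because the modification is made by code already running as the user, a finding here is a sign that the machine needs cleaning, not only the preference.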

keyword.URL

Posted Aug 20, 2013 21:33 UTC (Tue) by mattdm (subscriber, #18) [Link]

Anecdotal evidence time! When I visited my father this summer, I discovered exactly this sort of malware on his computer. He's moderately computer-savvy and doesn't normally execute random things from the internet, but apparently this stuff is everywhere. He had some commercial anti-virus software, but apparently that's basically only good for slowing your computer down.

So anyway, he _knew_ something was wrong with the search, but told me that he changed the search engine and it didn't help. This change absolutely would have helped him, at least in this case.

Now, whether it helps to plug one hole like this when you're in a boat made of swiss cheese....

keyword.URL

Posted Aug 20, 2013 22:25 UTC (Tue) by pflugstad (subscriber, #224) [Link]

It's EXTREMELY common for this hijack stuff to happen when you download and install a variety of games off the internet. It's usually part of the installer that helpfully offers to install an "elite accelerator super-bar" to IE or Firefox or Chrome (or installs Chrome itself, grr....). A handy little check box that if you don't UNcheck, will go and install this and a myriad of other idiotic things.

And usually it's pretty commercial stuff - i.e. not just some shady developer. As with all the crapware you get on new Windows PC's, it's an additional revenue stream for the developer.

I regularly have to "disinfect" my mother-in-law's PC of this kind of thing. Thankfully, HiJackThis (http://sourceforge.net/projects/hjt/) makes it easy to fix this (and a variety of other issues). She pays me back way more in baby sitting than I spend in fixing it, so other than reminding her to "don't install stuff like that", I just clean it up and move on.

So yes, this is very common, and very hard even for experienced and technical users to avoid.

keyword.URL

Posted Aug 20, 2013 22:58 UTC (Tue) by dashesy (subscriber, #74652) [Link]

It is not just games, try installing Java, by default it is bundled with a useless anti-virus. If one does not read each wizardry page carefully, there is going to be some jinx with the installer's privilege. Removing a Keyword.URL is not going to help.

Java install

Posted Aug 20, 2013 23:22 UTC (Tue) by pflugstad (subscriber, #224) [Link]

Hmmm... not sure what Java you installed, but the one from Sun/Oracle doesn't seem to have any bundled anti-virus in it (at least never that I've seen). If you got it from one of the various download sites, it may have added the anti-virus (see previous LWN articles about CNet Download bundling crapware with Nmap).

Java install

Posted Aug 21, 2013 0:35 UTC (Wed) by dashesy (subscriber, #74652) [Link]

My very bad, sorry, it was flash:

https://get.adobe.com/flashplayer/

Java install

Posted Aug 21, 2013 17:58 UTC (Wed) by lsl (subscriber, #86508) [Link]

It might not bundle anti-virus snakeoil but certainly other crapware. Something called "Ask Toolbar" in particular.

> http://www.java.com/en/download/faq/ask_toolbar.xml

Pretty disgusting if you ask me.

keyword.URL

Posted Aug 21, 2013 0:48 UTC (Wed) by rgmoore (subscriber, #75) [Link]

Java actually comes packaged with the Ask.com toolbar, which it will try to install every time you have to update it. It's Adobe products that try to install antivirus on updates. Those things alone should be enough to let you know the companies are evil.

Java crapware

Posted Aug 21, 2013 12:36 UTC (Wed) by pflugstad (subscriber, #224) [Link]

I still don't know where you're getting Java from that has Ask.com toolbar embedded with it. If I Google for Java, first link I get is:

http://java.com/en/download/index.jsp

Grabbing the Windows offline version and running it under Wine shows no sign of any Ask.com toolbar (I've not seen it when I run it under Windows either). Is it maybe the online installer?

Note: I'm not defending Oracle at all - it has epically mismanaged Java - it's clear that they have no idea how to run any business other than their core DB. But so far I haven't seen them stoop to anything like toolbar add-ons in their installer.

Adobe now - they're just plain obnoxious. All the extra crap that gets installed with Reader/Flash is out of control.

Java crapware

Posted Aug 21, 2013 14:41 UTC (Wed) by rschroev (subscriber, #4164) [Link]

Following the link you provided (on Windows), the big download button ("Free Java Download") downloads jxpiinstall.exe. When running that, it first downloads the full installer (I think), then starts that full installer (I think) and then this window appears (see http://www.roelschroeven.net/JavaAskToolbar.PNG):

"Java Setup

We recommend installing the FREE Browser Add-on from Ask"
etc. etc.

with checkboxes "Install the Ask Toolbar in Mozilla Firefox" and "Set and keep Ask as my default search provider in Mozilla Firefox" checked by default.

Java crapware

Posted Aug 21, 2013 16:31 UTC (Wed) by Jonno (subscriber, #49613) [Link]

The installers from oracle.com [1] are clean, as are the installers you get from the java.com "See all Java downloads" page [2]. Why the big red download button on java.com gives you a different installer I have no idea...

[1] http://www.oracle.com/technetwork/java/javase/downloads/i...
[2] https://www.java.com/en/download/manual.jsp

Java crapware

Posted Aug 21, 2013 16:50 UTC (Wed) by rschroev (subscriber, #4164) [Link]

Good to know, next time I'll use one of those (though it doesn't help for updates: IIRC the automatic update uses the offline installer and has the Ask.com crap)

Java crapware

Posted Aug 21, 2013 17:18 UTC (Wed) by jwakely (subscriber, #60262) [Link]

Yes, every time the auto-updater tries to install a new version I have to untick the "Install the useless Ask.com toolbar" checkbox.

Java crapware

Posted Aug 21, 2013 22:36 UTC (Wed) by rgmoore (subscriber, #75) [Link]

I wonder if it has to do with the expected sophistication of the user using each possible installation method. People who just click on the "Get Java" button are presumably less sophisticated and may be more likely to let the thing install an unwanted extension. People who actually go to the trouble of downloading a specific version are presumably a lot less likely to do so, and are more likely to be annoyed by it.

keyword.URL

Posted Aug 21, 2013 5:10 UTC (Wed) by mmarq (guest, #2332) [Link]

> Now, whether it helps to plug one hole like this when you're in a boat made of swiss cheese...

I think you are exaggerating. Besides i suspect your father was on windows isn't it ?

I had no problems at all with firefox on linux for quite more than 5 years, using only noscript, addblock and ghostery.. WOT if talking would say i'm completely crazy, my favorite pastime was exactly going where it advises not to go lol

OTOH, when i tried v20, it started to block every page i went, even the most harmless trivial google searches, everything... that's no security!.. that's a stupid annoying paranoia, because still 99% of the times you just got to tell that you know what you are doing and the "whole" is established. Block all scripts not HTML... even with invalid more than uber useless stalin+hitler central authority certificates. At least ppl should be able to see what is asked to be blocked or is blocked, not blindly answer a stupid dialog page creeps!

Up to v18 i manage to turn off(kind of) the creepily stupidity, and remain super safe. But v20 is revealing itself a pig. I will only try next after i get v20 to behave and obey me, otherwise...

I SUSPECT WHERE MOZILLA WANTS TO GO

No, it has nothing to do with *real* security, the central mania of authority "i got to choose for them and protect the sheeple from themselves", is a *faux argument* but is here to stay, and it has to do with something like this

http://spoon.net/browsers/#tab2

Run Firefox ? ... run from the web as a service... supersafe, *centralized* sandbox, super filtered for malware, no direct connection with NSA headquarters at all lol... and low price "additionals" for every tastes and every seasons lol...

For me, hell will have to freeze over first and chickens born with teeth.. mozilla.

Like a joke around here: "the best anti-conception method of all is not to F " lol ... don't have or max avoid have anything important connected to the web, don't fall in temptations...

Malware is mostly and basically a huge exercise of "social engineering" not code, no virus or malware comes to you, you must go to them, search them and accept them somehow, everything from the web is "downloaded" first. Just don't click where they say to click, don't click to see a celebrity without panties... then you'll be pretty safe LOL

In that perspective, most of those "web services" brewing are the most UNSAFE, annoying, restrictive, INVADING, kind of MALWARE ever invented (not all but most of the more "pretentious" useful of the kind).

Web services and all about "web", its not only a fashion, is here to stay, there is no killer app for replacing this... most will say.

yes there is !

Simple... "X next" kind of replacing http... from the very top usability feature in a computer, with "persistent" or "persistent aware" connections, from desktop to desktop it would be possible, with encryption (already possible) but no public keys, direct point-to-point video conference (if desktops evolve in that sense you can even have group video conferences), direct sharing everything, and direct white boarding, *and all only, and exposed only, to whom you want*... and from cache servers, like squid and or others, you can even have "group intranets" for the web... "family intranets"... locally filtered and no possibility of tracking anyone individually.

I like the approach of *decentralized* "multi interconnected universes" of True3Dshell http://www.sixtyfourbit.org/3dshell.htm ... its a potential killer app waiting to happen, though the shell itself its yet very crude and uninteresting.

But then the *desktop will be your browser, not a browser being your desktop*. Gain don't lose usability and features. The speeds of local internet connections are more than enough for all this now, its even good for SmartTV with HD content lol.. and an encouraging thought if "containers" will be here on time for this.

That is why " just insult me with the theories", "they" ( the status quo) are going to kill X or the possibilities or real advancements... not embrace & extend, the successful tactic of MSFT, but kill it, obliterate it, get rid of it once and for all.. and they might succeed.

But with no centralized service capable of collecting some money, what will be the business model for the all OSS ecosystem ?

ummm... wonder if teaching the masses of users that don't have a clue or the wrong clues of what OSS is, *what is the difference, what the heck is it good for, for non-developers*... if compile install from online, optimizing for the hardware ppl can have, cannot prove itself to be a literal gold mine and the most useful web service of all.

Firefox 23.0.1 released

Posted Aug 21, 2013 5:33 UTC (Wed) by josh (subscriber, #17465) [Link]

Quite aside from the issue of Windows malware, I personally welcome this change because it means I can set my search engine *once* rather than *twice*. It makes no sense to set your search engine but then find yourself in Google if you type a search at the address bar.

If you actually *want* that behavior, that seems like a textbook use case for an addon, and sure enough there is one.

(Personally, I'm looking forward to the search bar finally going away, and Ctrl-K just taking me to the address bar with a keyword automatically prepended. I keep meaning to write an extension that does that.)

Firefox 23.0.1 released

Posted Aug 21, 2013 16:27 UTC (Wed) by mmarq (guest, #2332) [Link]

Wasn't that already easy to fix, in your profile search.rdf and search.sqlite and search.json... after set it first properly you can just alter the permissions of those files. Don't allow writing for json and rdf.

Better than the actual posix file permissions, only capabilities in fashion of the old EROS OS. And both give the user total control.

All this security is a "faux argument", Linux can be pretty safe already without artificial mechanisms.

In Windows if you have ACL, you can do the same.

No!... Malware is a "social engineering" paradigma, and in that perspective all this seems more like a "carrot in front of the donkey" for something else.

Firefox 23.0.1 released

Posted Aug 21, 2013 16:49 UTC (Wed) by mmarq (guest, #2332) [Link]

OF course this doesn't suit mozilla, you can do the same for the "minidumps" or "crash reports" folders, and if firefox "phones home" by its own initiative, in the tradition of windows, if those folders are not writable they get nothing.

An ultra super security feature for firefox will be a "reliable" utility that plays with those file permissions, after set it right, it could set non-writable all those files that do not block usage, but that would block changes... "simply there isn't the need to constantly change anything", its psychological, its artificial, change only when its broken... even block mozilla of any saying about this...

Firefox 23.0.1 released

Posted Aug 21, 2013 16:58 UTC (Wed) by mmarq (guest, #2332) [Link]

And needless to say this will be better than any sandbox around. ACL/file permissions, as well capabilities are like a fine-grain super sandbox.

Firefox 23.0.1 released

Posted Aug 22, 2013 11:05 UTC (Thu) by etienne (subscriber, #25256) [Link]

> ACL/file permissions, as well capabilities are like a fine-grain super sandbox.

Can't you copy the parent directory into a new directory (but the files you want to change) then erase the old directory and rename the new directory with the old name?
Anyway if you want Firefox to be able to upgrade itself (and not the package manager) you would better have Firefox be able to write to its own configuration files, else you may get half an upgrade...
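Added example, not part of the thread: the simplest form of the objection raised in the comment above, run in a throwaway temporary directory. A file marked read-only (as proposed earlier for search.json) cannot be written in place, but it can still be swapped out by rename as long as its directory is writable; `replaceable()` is a hypothetical audit helper that checks for that condition. File contents are constructed for illustration.

```python
import os
import tempfile


def try_in_place_write(path, data):
    """Attempt to overwrite the file through its own permission bits."""
    try:
        with open(path, "w") as fh:
            fh.write(data)
        return True
    except PermissionError:
        return False


def try_replace(path, data):
    """Write a sibling file and rename it over path (needs directory write only)."""
    tmp = path + ".new"
    try:
        with open(tmp, "w") as fh:
            fh.write(data)
        os.replace(tmp, path)
        return True
    except PermissionError:
        return False


def replaceable(path):
    """Audit check: can the current user swap this file out whatever its mode is?"""
    parent = os.path.dirname(os.path.abspath(path))
    return os.access(parent, os.W_OK | os.X_OK)


def demo():
    """Run both attempts against a read-only file, then against a read-only directory."""
    result = {}
    with tempfile.TemporaryDirectory() as profile:
        target = os.path.join(profile, "search.json")
        with open(target, "w") as fh:
            fh.write('{"engine": "original"}')
        os.chmod(target, 0o444)  # the "don't allow writing" step

        result["in_place_write"] = try_in_place_write(target, "changed")
        result["audit_before"] = replaceable(target)
        result["rename_replace"] = try_replace(target, '{"engine": "replaced"}')
        with open(target) as fh:
            result["content_after"] = fh.read()

        # Locking the directory as well closes the rename path, but then
        # nothing running as this user can create or update files there.
        os.chmod(profile, 0o555)
        result["audit_locked_dir"] = replaceable(target)
        result["rename_replace_locked_dir"] = try_replace(target, "again")
        os.chmod(profile, 0o700)  # restore so the temp dir can be cleaned up
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as an ordinary user, the in-place write and the locked-directory rename are refused while the first rename succeeds; root bypasses these checks entirely, and the file's owner can always change the mode back.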

Firefox 23.0.1 released

Posted Aug 22, 2013 15:39 UTC (Thu) by mmarq (guest, #2332) [Link]

> Can't you copy the parent directory into a new directory (but the files you want to change) then erase the old directory and rename the new directory with the old name?

Can't understand what this accomplishes, specially if its inside the same directory path of the profile, its a 360º turn lol. Unless you symlink and then you can have several different profiles directories that could point to the same profile, you could change profiles changing only where the link points. You can also symlink individual files & folders.

> Anyway if you want Firefox to be able to upgrade itself (and not the package manager) you would better have Firefox be able to write to its own configuration files, else you may get half an upgrade...

But half an upgrade is exactly what will be fine, some minor features doesn't need a whole new version, which is 90% of times... and could be restricted only to some very few files/folders, the rest could remain non-writable most of times, even the prefs.* files ( i think)...

And Firefox could do it like that from origin for the Linux versions, really "highlight" the differences in security capabilities of the OSes, and *Linux versions* could dispense with about all of the creepily stupidity.

Firefox 23.0.1 released

Posted Aug 22, 2013 15:51 UTC (Thu) by mmarq (guest, #2332) [Link]

Want even better security, some files could be read only by the "owner", nothing else, non-writable, non-executable... downloaded scripts can't touch them, nothing can take over, not even firefox upgrades lol... and no need for useless dialogs, utilities, and faux security.

Firefox 23.0.1 released

Posted Aug 22, 2013 16:21 UTC (Thu) by mmarq (guest, #2332) [Link]

And so an obvious super sandbox that firefox could have , is create a different "user name & group" specifically for everything downloaded, upon install. And with the web everything is downloaded first. You the "owner" of "home/***" could read and write into anything Firefox, but the other way around would be severely restricted.

Even the REAL "home" directory could be restricted to anything firefox reach(not only root). And some distros already do a good job at restricting "real home directories". This way directories in the "home" path, will be out of manipulation to anything "downloaded" (are a different user), and with the web everything is downloaded first. No script or embedded code could touch any important file or folder on your system, either "root" or "home"... only the very essential to function, which even so, there could be a "copy" into a restricted "shadow home directory" inside the .mozilla/profile of the real thing. Only when saving is there a need of what is "downloaded" to touch your REAL "home" directory (don't talk root for obvious reasons)... the slightest doubt don't save anything... 100% safe!...

All playing only with posix file systems and permissions... no need for Chroots, no need for 3rd party sandboxes... a galaxy ahead of anti-virus, malware protections, stupid utilities, etc

Firefox 23.0.1 released

Posted Aug 22, 2013 16:24 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

I await your implementation with great interest.

Firefox 23.0.1 released

Posted Aug 22, 2013 16:37 UTC (Thu) by mmarq (guest, #2332) [Link]

make me CEO of mozilla lol

Firefox 23.0.1 released

Posted Aug 22, 2013 16:42 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Why? The code's there. The implementation you're describing sounds straightforward enough that you should be able to add it without too much effort. Demonstrating that a simpler permissions-based approach works better than sandboxing would be a pretty strong incentive to use that implementation.

Firefox 23.0.1 released

Posted Aug 23, 2013 13:40 UTC (Fri) by mmarq (guest, #2332) [Link]

> Demonstrating that a simpler permissions-based approach works better than sandboxing would be a pretty strong incentive to use that implementation.

Of that you can be 100% sure... better...

If you don't play with the OS security features, then is not like "swiss cheese" but everything will be pretty useless.

And that is the case with all this firefox security... its not safer, its only to make you "feel" safer. Block every page etc... annoying... but for many its like "firefox seems to care", only its not safer.

Imagine the "Lion worm"... and imagine every folder from /boot to /var is protected with a "capability". Every process outside certain rules have to pass for a "permission" dialog protected by an encrypted key. Even if there was a red flashing warning that what might be attempting to write into /bin /sbin /etc /var etc is probably malware with a high percentage of certainty, a high percentage of users only to see the panties of a celebrity will give the permission... how can mozilla or any one take such responsibility !?

Make the choices for the users only serve to make pervasive the "confused deputy" paradigma... upon an infection everything will be worst. In the end "safe the sheeple from themselves" will only serve to take control of their systems... and that by definition is the intent of malware.

So avoid malware by having a "central" control security paradigma, is only replacing malware by other "accepted malware", which in the end WILL BE INFECTIVE in protecting against the real sophisticated threats, if not playing with OS security and maintain a great deal of user control.

That is where firefox is going, the more restricted it becomes, because its intended for other platforms (win, mac), and they want to keep a generalized approach, the more control they take away from the users, and that serves no one but themselves, and can't protect against the real nasty "ugly bugs".

Firefox 23.0.1 released

Posted Aug 23, 2013 14:53 UTC (Fri) by mmarq (guest, #2332) [Link]

Yes complementing file permissions with "capabilities" for the important folders and some files (all from /boot to /var to /home/***), will be like having an IDS/ITS (intrusion detecting/tracking system) embedded, which could be complemented with a simple and fast virus/rootkit elimination tool, and no need to scan everything or sophisticated detection algorithms, because malware will be denouncing themselves (and no need for snort, tripwire etc).

You can already protect folders with a password, only this will be automatic and embedded.

Having a pertinent copy (only what matters) of home/*** inside the profile for "everything downloaded", with a different user & group, and protect firefox itself with a lot of non-writable triggers, could also be quite better than any sandbox. But of course for this FF will have to be coded accordingly.

In the end even simple "client" environments are pretty complex, software have bugs and exploits, there are no 100% assurances... but there is 100% better...

Firefox 23.0.1 released

Posted Aug 21, 2013 8:16 UTC (Wed) by merge (subscriber, #65339) [Link]

part of the lwn.net page is blocked by "mixed content blocking". If it's some ad, maybe you can somehow set it to tls from your provider? I see the top and right ad. maybe it's the left one :)

hope you don't lose income after this release.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds