All Tridactyl installations might get removed by Firefox on Aug 21 | Better HN

86 comments

46 comments · 10 top-level

mcpherrinm6y ago· 13 in thread

Oof, looks like Tridactyls "fixamo" disabled the URL checking for addon installation in firefox, by writing into the user.js prefs:

    user_pref("extensions.webextensions.restrictedDomains", "");

I can see why they'd get yanked over that. I would definitely not expect installing a random addon that makes my browser have vim controls to change a relatively sensitive setting like that.

The developers are now whining about being asked to revert that change, on the grounds that touching the file is a breach of trust (which, they've already done)

Ambroisie6y ago

The thing is, users that ran this command know what it did. Maybe not in all its detail (I certainly didn't know exactly what it did, although I could have looked for it). That's because for this command to be of any use to the user, they first have to enable the "native client" to enable reading Tridactyl's RC file, which is explicitly stated to weaken the security model Mozilla tries to enforce on extensions.

This isn't a "random plug-in" playing with your security settings. It's a well designed extension which tries its hardest to allow power users to do what they want : control their browser the way they best see fit, without restrictions. If you want to stay safe, just don't enable those settings : they're not necessary to get a good out-of-the-box experience, but they allow some very powerful fine-tuning to turn your browser into your browser, with your commands.

shawnz6y ago

It's explicitly stated that it will weaken the security model, but it's not explicitly stated that it will modify user.js. Now the author is claiming that reversing the change would be improper because it involves modifying user.js without explicitly saying so, but that's literally exactly what they did already.

They are not claiming that the problem is being forced to strengthen the security model without explicitly asking. They are claiming that the problem is specifically being forced to modify user.js without explicitly asking.

Did they? I just looked up the documentation for this command, and I have no idea why users would have the expectation that it did this.

ndarwincorn6y ago

I feel like vim browsing is better off with a browser designed for it like luakit, and that's coming from someone who uses vimium and tridactyl.

They both get in the way as often as they help. Mirrors my experience with vim-mode plugins for non-vim IDEs/editors too.

bovine3dom6y ago

Whining developer here.

The documentation was this: https://github.com/tridactyl/tridactyl/blob/32ac11fe9d432190...

A fragment of that documentation would have been displayed in our tab completions as fixamo was typed.

As many other replies have mentioned, it was only ever run if users installed our native executable, and ran `fixamo` themselves.

nextos6y ago

Thanks for developing Tridactyl.

It's sad how Mozilla killed Vimperator with the transition to WebExtensions. And how many of its features still cannot be replicated in Tridactyl, which I otherwise love, despite all your efforts.

Due to the new addon model, addons don't get the chance to run till the page finishes loading. So e.g. a 404 or a slow page force you to revert to standard keybindings which ruins the immersive Vim user experience.

Mozilla should perhaps create an API for privileged extensions. I know the userbase is small. But it's a very important userbase to keep the platform healthy.

bsdubernerd6y ago

This was never done automatically.

In fact, I did it manually to enable umatrix and tridactyl on AMO as I hate not being able to use my regular keybindings everywhere.

I'm doubly pissed at Mozilla here. I'm tired of being baby-sitted. Quantum killed half of what I was using before. And trydactyl still cannot do half of what previous extensions could do.

miloignis6y ago

It looks like you had to run the command explicitly to do that though, and that it wasn't done by default, so it seems pretty kosher to me if they had appropriate warnings (and I think the issue says they did...)

mcpherrinm6y ago

As far as I can tell from a brief check, it just says it "fix tridactyl on addons.mozilla.org".

But it's overriding a fairly useful setting, one that we use internally: By preventing webextensions from running on "sensitive domains", which includes AMO by default (since that could allow an addon to install more addons and bypass or hide the user prompts, I gather), but it would also include any other domains you've marked as sensitive.

I don't use Firefox at work unfortunately (because of https://bugzilla.mozilla.org/show_bug.cgi?id=963354), but we generally want to allow users to install addons on non-sensitive sites.

Internal domains that are much higher risk, and may have regulatory requirements around who can receive data on them (eg, because of GDPR). So we'd use a setting like this (or the equivalent in Chrome) to restrict addons on those very sensitive sites. Having addons like Tridactyl that undermines that is a big red flag.

I admit I don't fully understand all the nuances here, but it seems like Mozilla's stance closely aligns with what I'd expect here.

mechnesium6y ago

The fact that third-party addons can even touch sensitive settings in the user.js prefs is a massive security flaw in Mozilla's implementation of the WebExtensions API. Addons should be sandboxed/containerized or require privilege escalation before touching files on the disk.

Mathnerd3146y ago

It uses native messaging with a Python script: https://github.com/tridactyl/tridactyl/blob/master/native/na...

I don't think anyone who uses Tridactyl is worried about its security, it has a permissions list 15+ lines long.

gruez6y ago

This. The whole point of this security feature is to prevent extensions from interfering with Mozilla pages. What's the point of this when addons can bypass turn it off themselves?

cp96y ago

and it wouldn't. You explicitly have to install the native messenger and run fixamo, which in the rc file for tridactyl explictly mentions what it's about to do

Arubis6y ago· 6 in thread

Genuine question: can Mozilla prevent Firefox from allowing an extension to be installed _at all_, or is this more a matter of de-listing an extension from the Mozilla directory?

vengefulduck6y ago

It depends on the version most release builds of Firefox require addons to be signed by Mozilla with the exception on Linux and developer versions. You can also change this by compiling yourself.

Arubis6y ago

While I was initially pretty shocked that Mozilla would make a walled-garden move like this, doing it on the mainline release (for a primarily non-technical audience) and not holding the same requirement on dev and nightly builds actually feels like an appropriate balance, if that is indeed accurate.

Probably near 100% of Tridactyl users would be comfortable on at least the dev version of FF; it may be that an appropriate remediation would be to offer the `fixamo` functionality on an unsigned extension release only.

rebelwebmaster6y ago

There's a built-in extension blocklist which also gets updated remotely.

https://hg.mozilla.org/mozilla-central/file/tip/browser/app/...

Mathnerd3146y ago

More on the policy for said blocklist: https://wiki.mozilla.org/Blocklisting (2008-11) https://support.mozilla.org/en-US/kb/add-ons-cause-issues-ar... (2012) https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO... (2019)

The expansion from "we block malicious add-on versions" to "we block add-ons with known stability or security issues" to "we err on the side of security" does not bode well for the future of hacking cool add-ons.

Arubis6y ago

This is more what I’m concerned about. Does this only affect mainline FF or dev/nightly as well?

ihuman6y ago

Yes. All extensions have to be signed by Mozilla, even if they're distributed outside their directory. The only way would be able to install it is by downloading an unzipped version and sideloading it. However, it will be removed if you restart firefox, and you will have to re-add it.

Endy6y ago· 5 in thread

Well, perhaps the Tridactyl devs should move back to XUL and explicitly support Pale Moon & Basilisk. It would be a strong move since Firefox won't support them or their users.

bovine3dom6y ago

FWIW, there's at least one (minor) change that was made to Firefox to help out Tridactyl - https://github.com/tridactyl/tridactyl/issues/792.

Mozilla also were happy in principle to allow us to intercept key presses on all parts of the browser last time we spoke to them a couple of years ago; we just need someone to write that extension to the WebExtension API - https://github.com/tridactyl/keyboard-api.

Rewriting Tridactyl in XUL is not something I would wish on anyone.

Endy6y ago

Have you considered working with either Pentadactyl or Vimperator?

Arubis6y ago

If you're running an XUL browser and want this functionality, you should just use Vimperator: http://vimperator.org/vimperator

Tridactyl only exists to bring that functionality over into Quantum-branch Firefox.

michaelmrose6y ago

It would be a poorly thought out idea with zero merit and lots of downside.

Edit: To be clear

- Tridactyl for xul already exists its called pentadactyl

- Rewriting Tridactyl in xul is basically creating pentadactyl from scratch. This is a lot of work for no reason.

- There are many legitimate improvements that have come into being between firefox 38 which is what Palemoon basically is and 70 which you would lose.

- It's highly unlikely that a fork of firefox 38 by a few acceptably skilled developers has the chops to keep up with what mozilla can do with millions of dollars.

- Your browser is the most dangerous app in your system running an old version means that anyone with access to the list of patched vulnerabilities for current firefox may well be able to trivially turn these into exploit vectors for old versions.

Endy6y ago

Responding with boilerplate at first because your comments are predictably wrong.

> - There are many legitimate improvements that have come into being between firefox 38 which is what Palemoon basically is and 70 which you would lose.

> - It's highly unlikely that a fork of firefox 38 by a few acceptably skilled developers has the chops to keep up with what mozilla can do with millions of dollars.

> - Your browser is the most dangerous app in your system running an old version means that anyone with access to the list of patched vulnerabilities for current firefox may well be able to trivially turn these into exploit vectors for old versions.

* https://forum.palemoon.org/viewtopic.php?f=4&t=21626 "Rumor: "Pale Moon is just a rebranded rebuild of an old Firefox version" Rumor: "Pale Moon is an obsolete and insecure version of Firefox" FALSE Pale Moon has been on a divergent path with its own code for a long time already. It was a rebuild in 2009, yes. It was a rebuild with minor changes in the Firefox 4.0 era, yes. But we've come a very, very long way since then with an increasing amount of different code being carried over each time it was re-based on later Firefox code. It's a true fork now, building on a completely independent fork of Mozilla code called the Unified XUL Platform (UXP) and has employed rapid development (as opposed to rapid release) to solidify this independent direction with its own focus and attempt at keeping the browser sane, lean, and offering users choice and stability - not corporate strong-arming or gadgeteering. At the same time, Pale Moon's strong focus on security/privacy and evolving networking standards has added features and kept pace with those developments in other browsers, by e.g. adding TLS 1.3 support the moment it was standardized, by keeping a close eye on encryption and the browser's security by continuing to port or re-implement security fixes that apply to Pale Moon as a browser and the underlying platform. It is neither old nor outdated, it is not a "rebuild" and it does not use obsolete technologies and does not have known security holes or vulnerabilities."

* "Rumor: "Pale Moon is a one-man show and does not have the manpower to keep up with Firefox/the modern web" FALSE Pale Moon is not "just me" and hasn't been for the majority of its life. There are some talented and dedicated people at work in our community to make Pale Moon what it is, and actually has seen support in many ways by many people over the years. Despite e.g. the WikiPedia article for Pale Moon just talking about "Straver this" and "Straver that", the fact that I am the one leading this project and holding the keys and making the overall major decisions about direction doesn't mean that no others are involved. That would be the same as saying that Bill Gates single-handedly wrote the Windows O.S. or that the Mozilla CEO is the only one working on Firefox. To name a few other people currently actively helping with the project's core development: Matt A. Tobin, Travis W. ("trava90"), "JustOff", "Ascrod", "kn-yami". Don't forget our beta testing team, or the people reporting issues while using the unstable channel builds, either. Or the people helping with extensions and extension compatibility or theme porting (thanks FranklinDM and Ryan C.!). Or even the community as a whole providing support to users. Also hats off to all the people doing translations for our language packs. I can go on. One man? I think not. Of course since it's crowdsourced, it's easy to forget the numerous people in the background who play their part, but please don't forget them."

On the other hand, the Pentadactyl discussion is valid.

gabcoh6y ago· 4 in thread

If anyone’s looking for a browser with deeply integrated vim key bindings then check out qutebrowser. I’ve been using it for about a month now and it’s pretty great. Only downsides for me are lacking support for my yubikey, and questionable security. I’m not saying the security is necessarily bad (I think the actual browser is based on chrome), just that I don’t have as much confidence in it as I would in stock chrome or Firefox.

https://qutebrowser.org/

The adblocking/script-blocking capabilities (described in #9 and #10 in their FAQ: https://qutebrowser.org/doc/faq.html) are extremely weak and inconvenient (and their claim about the negative impact of adblocking is outright false).

Those are probably the two most important capabilities for security, so the lack of them definitely means I'd never want to use it for general browsing. I'd much rather deal with weaker keybinds than sacrifice that much on the security and privacy side.

danShumway6y ago

I know it's a pain for new browsers to support, but I can't imagine myself running any browser right now (even experimentally) that can't install UMatrix and UBlock Origin.

If you want me to try out your browser, you have to support the WebExtension API -- you can support other APIs in addition to that, but WebExtensions are a minimum requirement. I guess Chromium doesn't bundle them, so it's harder for smaller browsers to add the same capabilities?

I'm not sure how Vivaldi and Brave handle it.

michaelmrose6y ago

It's easier to claim that a real adblocker is a net negative for performance while implementing in a slow language than admit that they can't realistically do better this decade due to the complexity of the task and the fact that it's basically one guy's part time project.

The-Compiler6y ago

Looks like U2F works for most sites with Qt 5.12.4 (though I haven't tried myself yet): https://github.com/qutebrowser/qutebrowser/issues/3043#issue...

As for security, see point 8 at https://github.com/qutebrowser/qutebrowser/blob/master/doc/f... for some thoughts on that.

userbinator6y ago· 3 in thread

"Users should not ever do this"

Overall authoritarian tone aside, that's the one phrase from the reviewer that really pisses me off; what happened to Firefox being the browser that "puts users in control of their online experience" (or whatever the variants thereof which have appeared numerous times in the Firefox marketing material/slogans)?

Instead, it seems now that Mozilla have built their walled garden, they are reluctant to let it go and have really acted against the principles upon which it was founded and gained much of its user/fanbase, all in the name of "security". The demand reads more like it came from an Apple app store reviewer, not Mozilla.

It is almost exactly 4 years ago when Mozilla started to build the walls of their garden, and some of the comments on the discussion there are well worth reading: https://news.ycombinator.com/item?id=10038999

The saddest thing about all this is that today's browser "choice" is really between the even more restrictive Chrome-clones and Firefox, and the latter is slowly edging in that direction too.

thristian6y ago

The problem, as usual, is one of user education. Some users fully comprehend every detail of the consequences of their actions, some users blindly do whatever anyone tells them, or even just flip every switch the opposite way around to see what happens, and there are millions of users at every point on the spectrum between those extremes. It's not practical to ship different browsers tuned for different points on the spectrum, and even if it were, you couldn't guarantee that people would download the browser most appropriate for them, they'd download whatever looked nice at the time.

So you have one browser distribution, with one set of defaults, and on one hand you want educated users to be able to configure things to their liking, while on the other hand you want to prevent uneducated users from screwing themselves over by accident, or because somebody told them to open the secret Developer Console and paste a funny-looking string to see a picture of a bunny.

There aren't really any good answers.

userbinator6y ago

It's not practical to ship different browsers tuned for different points on the spectrum

For the longest time, that's how it was. The browser at one end was called Chrome, and the one at the other was called Firefox.

while on the other hand you want to prevent uneducated users from screwing themselves over by accident

As the saying goes, "Freedom is not worth having if it does not include the freedom to make mistakes."

The whole "protect the users" mentality is IMHO misguided and dangerous, because it's basically one individual or a small group making the argument that taking away individual freedom (and thus giving more control to those in power) is "better for everyone". The road to hell is paved with good intentions. Incidentally, that's how a lot of dystopian sci-fi looks like...

4bpp6y ago

> some users blindly do whatever anyone tells them, or even just flip every switch the opposite way around to see what happens

So... let them? It's not like they typically wind up harming anyone other than themselves in the process. I don't understand why it is considered okay now to run the whole adult world like a kindergarten.

tylermenezes6y ago· 3 in thread

You can argue for or against `fixamo` as a command, but Mozilla's position seems to be that even documenting the ability to turn off restrictedDomains anywhere is not allowed.

Among other things they're asking the author to censor the command from his personal dotfile. That's not justifiable and makes me really disappointed in Mozilla.

detaro6y ago

The "personal dotfile" that's lives in the same repo as the extension and is recommended as an example in its documentation, and only documents these commends as "Add helper commands that Mozillians think make Firefox irredeemably insecure". If you want to signal to a reviewer you're not taking them seriously, that's the kind of thing to do when they ask you to remove code.

bovine3dom6y ago

`fixamo` was first removed after an informal request via informal channels from someone on the Firefox security team. The comment wasn't intended as a jab at a reviewer who didn't exist at that time; I was just tickling myself as is my wont.

I'm sorry if it offended anyone. I'm generally really appreciative of the work reviewers do.

In our defence

1. that's a perfectly sensible comment to suggest that you should probably look it up on your own if you care about security.

2. The command did document exactly what it did in the same manner (or more detail) as the blogs we got it from.

3. We invited Mozilla to provide text for us to comment it with and they didn't give us any.

Edit: And as bovine3dom says, this was done in response to an informal request by someone reasonably friendly to the project.

ihuman6y ago· 1 in thread

I can kind of understand why they want the developers to remove the line from people's user.js file, but why can't they tell the users when they do this? Why do they have to do it "without user interaction?"

detaro6y ago

I'd interpret as that they can tell users they did it, but they have to do it without the user doing anything.

azpekt6y ago· 1 in thread

Okay, so I presume that: - development of Tridactyl stops? - there is no way to run it on fresh/updated versions of FF on Win10?

That sucks.

No. Check the latest updates in the github thread.

1. We will release an update that we think is compatible with the AMO reviewers' demands. 2. You can just read the readme for the project on github for a non AMO but easy way to install it.

noodlesUK6y ago

Tridactyl is a wonderful piece of software. My problem is the assumption that it’s unacceptable for an extension (which has a native messenger) to have the capability to modify Firefox when explicitly told to by the user. I use tridactyl, and plenty of people do, but realistically, the entire audience of an extension that gives you vim keys is highly technical, and can be expected to read the docs. Making the software edit personal files on disk when not asked to explicitly by the user is a breach of my trust model. It’s not as though fixamo is run on startup, it’s something you have to do explicitly. I’ve never run it, nor do I use the native messenger. This reviewer is totally out of order as far as I’m concerned.

I am one of the developers of Tridactyl.

This dispute is because Tridactyl used to provide a function that users could choose to run that would change two of Firefox's settings (the kind you find in about:config). Changing these settings allows addons to run on e.g. addons.mozilla.org and accounts.firefox.org where they otherwise cannot. The change we made is the same change that several blogs had already talked about and suggested.

Here is a relevant bugzilla thread that motivated the creation of the blacklist that we turned off, so you can see what Mozilla thinks: https://bugzilla.mozilla.org/show_bug.cgi?id=1415644

A mozilla employee informally asked us to remove this function for security reasons (and we did). Later, an AMO reviewer asked us to change users' Firefox config automatically to remove these settings. We would rather this were made an explicit choice for Tridactyl users and we're trying to negotiate a compromise with the reviewer.

This is the only plausible route to exploitation of this situation that I know of, assuming a user acting before we removed the fixamo command:

1. You manually install Tridactyl

2. You manually install our native messenger

3. You manually run a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read and customise it because it does things you might not like; and then you don't read or edit it

4. You also manually install a malicious addon

5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org

6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.

---

Some people have opined that our documentation for the command was not explicit enough. My opinion is that it's good enough and about on par with other resources that talked about the same settings. It would be better if it was more explicit about the security risks, but we provided fairly complete information about what we were doing and a link to the source code.

This is the documentation we provided:

In the "Webextension caveats" section:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

In the docstring for fixamo, partially displayed if you type fixamo in the commandline and also included in the help pages we encourage users to use with e.g. `:h fixamo`:

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a

We also included a variant of the fixamo command in the exemplar .tridactylrc file (not used unless you have also installed the native messenger and also explicitly found, downloaded and installed the exemplar). This file includes this text at the top:

"Provided only as an example.

Do not install/run without reading through as you may be surprised by some of the settings."

And this text right above the fixamo line:

"Make Tridactyl work on more sites at the expense of some security"

j / k navigate · click thread line to collapse