Silly policy with FireFox site access

Discussion of general topics about Mozilla Firefox
chief editor
Posts: 41
Joined: April 27th, 2005, 4:01 am

Silly policy with FireFox site access

Post by chief editor »

I've just discovered that I can't access the extensions directory and other parts of the site because I'm not using the latest build of FF. The site "insists" on upgrading to 1.0.6. And there is no option to bypass the upgrade. IMHO, this is a bad idea. A warning about a new version with security fixes would be sufficient. Now I'm compelled to open the site in IE (!!!) in order to browse extensions for FF. It's ridiculous.

I do understand the security problems of the former FF releases, but can't agree that a user has no right to decide whether [s]he wants to upgrade or not. I'm using 3rd party software for closing security breaches and do not require immediate updates. I don't want to download updates one after another just as they are released. I want to decide myself when and what to do with my copy of FF. Currently I need an extension and I'm very disappointed with the inability to do this due to the site policy.

I hope this post will make the staff reconsider the policy for the future.
RadioactiveMan
Posts: 1222
Joined: June 27th, 2005, 5:37 pm
Location: Portland, Oregon

Post by RadioactiveMan »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 BOBA CE
OlGranDad
Posts: 4191
Joined: December 8th, 2004, 4:34 am

Post by OlGranDad »

disregard
Last edited by OlGranDad on July 28th, 2005, 6:44 am, edited 1 time in total.
Guest
Guest

Post by Guest »

Yes it is relevant. I just saw confirmation the other day.
chief editor
Posts: 41
Joined: April 27th, 2005, 4:01 am

Post by chief editor »

_Jim_ wrote:The problem is the security vulnerability that was fixed in newer versions is related to installing extensions from trusted sites. It's not a silly policy:

This can only be treated as if you don't trust your own site. Then perhaps the site itself must be upgraded? Isn't that silly? How can the site be compromised by the "extension install" feature applied on another site? - Only if that was a faked site, but this is not under Mozilla's control anyway. Why not just show a warning instead of an obligatory upgrade?

Oh! I understand... ;-) This is how FF reached 75 million downloads.
Thumper
Posts: 8037
Joined: November 4th, 2002, 5:42 pm
Location: Linlithgow, Scotland

Post by Thumper »

Yeah, insults get you really far. The answer you were given didn't go into sufficient detail to describe exactly why the upgrade was necessary, but in a nutshell the problem is that pre-1.0.6 Firefoxes can be compromised by *any* extension which lists update.mozilla.org as an upgrade site. The only way to prevent this is to block pre-1.0.6 browsers from accessing u.m.o at all, which then makes Firefox's installation process fail and means that externally-hosted malicious extensions cannot be installed.

You weren't really civil enough to justify me responding, but I'm in a good mood.

- Chris
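The server-side gate Chris describes, written out as an added example (not MozillaZine's or Mozilla's own code): parse the Firefox version from a Gecko user-agent string and refuse anything below 1.0.6, while letting non-Firefox clients through, since the install-whitelist bug is Firefox-specific. The minimum version is taken from the thread; the user-agent samples other than the one quoted above are constructed.

```python
import re

# Minimum Firefox version admitted to the update site, per the thread
MIN_ALLOWED = (1, 0, 6)

# Matches the "Firefox/x.y.z" product token in a Gecko UA string
_FF_RE = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")


def firefox_version(user_agent):
    """Return the Firefox version as a tuple of ints, or None for non-Firefox."""
    m = _FF_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_at_least(version, minimum):
    """Numeric dotted-version compare; short tuples are zero-padded so that
    1.4 is treated as 1.4.0 and 1.0.10 sorts above 1.0.6 (no lexical compare)."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def admit_to_update_site(user_agent):
    """Gate decision: True if the client may reach the extension pages.
    Non-Firefox clients (e.g. IE, as the first post used) are admitted;
    Firefox older than MIN_ALLOWED is refused so its install flow fails."""
    version = firefox_version(user_agent)
    if version is None:
        return True
    return version_at_least(version, MIN_ALLOWED)


if __name__ == "__main__":
    # Constructed sample requests; the first UA is the one posted in this thread
    samples = [
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 BOBA CE",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    ]
    for ua in samples:
        print("allow" if admit_to_update_site(ua) else "block", firefox_version(ua))
```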
chief editor
Posts: 41
Joined: April 27th, 2005, 4:01 am

Post by chief editor »

Thumper wrote:You weren't really civil enough to justify me responding, but I'm in a good mood.
- Chris

Thank you for your reply, though I'm not sure it is advisable to post here irrelevant judgements (on me or other person). You are welcome to write me a private message, if you are still in the good mood. ;-)

The point is that FF compromised itself by these bugs, and it is already done. The restricted access to the site is just a matter of inconvenience for the users. The necessity to upgrade FF every week is also a great inconvenience. In fact this is one of the reasons why I don't rush myself into updating FF. Who knows - perhaps next week we will see the next update... But I have FF not for the sake of pure continuous updating of it, but for using. As the upgrade process is not quite free from troubles - at least, usually - so let an end user decide what to do with his/her copy of FF. A smart user uses firewall and AV software. A fool will compromise FF anyway.

After all, we must admit that FF (as any other browser) allows a user to download malicious software to his/her PC. Why then not kill all the browsers, because they can compromise their developers?

OK, I see the point of FF, but I can't agree.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

chief editor wrote:The point is that FF compromised itself by these bugs, and it is already done. The restricted access to the site is just a matter of inconvenience for the users.


this is absolutely, without a doubt, 100% incorrect. if u.m.o blocks access to <1.0.5 browser versions, this bug is *absolutely unexploitable* on a default install -- the same as if the bug never existed. if u.m.o does not block access to <1.0.5 browser versions, any site on the web can compromise any computer system running a <1.0.5 browser version. perhaps now you see where they are coming from?
old Ol Grumpy
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Ol Grumpy »

I'm running Ubuntu 5.40 and Firefox 1.06. Even if I sort of don't understand all the ins and the outs of this, I just went to the site with no difficulty whatsoever. I also know that I upgraded from FF1.02. When I first downloaded FF1.0 on my original operating system I found a few things which I considered questionable, but in rapid succession almost every single breach, flaw or quirk was dealt with faster than anything I have ever owned. I also didn't have to change things on a weekly basis, though I know a lot of folks went for the nightly builds. Each security fix was downloaded when I noticed it or when someone told me, and I've been relatively satisfied with the frequency of the way things work. I don't see an issue with upgrading or fixing a security breach every week and think it's good to have that kind of attention and interest in the project.

It's not been overly annoying or demanding any real special attentions and since it's mostly automated on the Windows side and nearly so on the Linux side (I can't speak for MAC) I don't get the gripe?
chief editor
Posts: 41
Joined: April 27th, 2005, 4:01 am

Post by chief editor »

scratch wrote:this is absolutely, without a doubt, 100% incorrect. if u.m.o blocks access to <1.0.5 browser versions, this bug is *absolutely unexploitable* on a default install -- the same as if the bug never existed.

Yes. But FF can still compromise other sites, if a user changed default settings. This is 100% sure.
if u.m.o does not block access to <1.0.5 browser versions, any site on the web can compromise any computer system running a <1.0.5 browser version. perhaps now you see where they are coming from?

I clearly understand how a possible exploit could work. I didn't say that the site should not block access for old browsers, but I'd prefer it to provide an option to proceed, if a user wants to.
I don't see an issue with upgrading or fixing a security breach every week

An automatic upgrade has both advantages and disadvantages. It seems to be useful, but it can harm your system. The fresh example is 1.0.5, which made some extensions fail to work. The history of FF, as well as the development of every software product in general, shows that each patch/update not only comprises bug fixes but also introduces (may introduce) new bugs. This is why an automatic or hurried update is not as good as it seems. The rule is "wait to see how a fix works on others before applying it to your PC". A manual or deferred upgrade policy is the best practice for me. BTW, extension installation from a remote site also has its shortcomings. The very situation with the security breach proves that. I'd prefer FF to allow a user to install only local extensions by design.
greenknight
Posts: 6187
Joined: December 13th, 2004, 2:28 am
Location: In the shadow of Mount St. Helens

Post by greenknight »

Since Firefox works just fine without extensions, they're not exactly forcing you to update by this policy.

I skipped 1.0.5 myself, because I delayed updating to see if there would be problems, and problems developed.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

chief editor wrote:
scratch wrote:this is absolutely, without a doubt, 100% incorrect. if u.m.o blocks access to <1.0.5 browser versions, this bug is *absolutely unexploitable* on a default install -- the same as if the bug never existed.

Yes. But FF can still compromise other sites, if a user changed default settings. This is 100% sure.

yeah, but do you think grandma goes mucking around in the prefs? the vast majority of the people who play with whitelist settings have already updated their browsers. this is protecting virtually everyone using those old versions.
if u.m.o does not block access to <1.0.5 browser versions, any site on the web can compromise any computer system running a <1.0.5 browser version. perhaps now you see where they are coming from?

I clearly understand how a possible exploit could work. I didn't say that the site should not block access for old browsers, but I'd prefer it to provide an option to proceed, if a user wants to.

it can't do that. if you think it can do that, then you do not understand how an exploit could work. that particular server cannot be accessible to those browser versions. period. the instant that "option" is implemented, every <1.0.5 browser becomes vulnerable, regardless of what the user chooses or if the user even goes to updates.mozilla.org.
Thumper
Posts: 8037
Joined: November 4th, 2002, 5:42 pm
Location: Linlithgow, Scotland

Post by Thumper »

chief editor wrote:Thank you for your reply, though I'm not sure it is advisable to post here irrelevant judgements (on me or other person).


It isn't an irrelevant judgement. It has direct relevance on whether I'm ever going to reply to another thread of yours.

The point is that FF compromised itself by these bugs, and it is already done. The restricted access to the site is just a matter of inconvenience for the users.


Huh? No it isn't. If you're running a non-upgraded build, any link you click on any page anywhere can instantly own your entire machine. You shouldn't be doing this. The Mozilla Foundation know what is best for you.

After all, we must admit that FF (as any other browser) allows a user to download malicious software to his/her PC. Why then not kill all the browsers, because they can compromise their developers?


Firefox is a product whose reputation depends heavily on being more secure than the main competition. This means that situations which are potentially apocalyptic for Firefox's security (like a bug which turns people's PCs into Russian spam zombies when they click an innocent-looking link) demand draconian action.

An automatic upgrade has both advantages and disadvantages. It seems to be useful, but it can harm your system. The fresh example is 1.0.5, which made some extensions fail to work.


This is a failure in execution, not in planning.

- Chris
chief editor
Posts: 41
Joined: April 27th, 2005, 4:01 am

Post by chief editor »

scratch wrote:it can't do that. if you think it can do that, then you do not understand how an exploit could work.

Well, of course you may be right. All I know about the vulnerabilities was read here. From this information I can't deduce at which moment FF shows the install confirmation dialog - if it does this right after a user clicks a link to an xpi, then this is indeed the problem. But if it shows it only after an OK reply from a site, then it could be intercepted.

the instant that "option" is implemented, every <1.0.5 browser becomes vulnerable, regardless of what the user chooses or if the user even goes to updates.mozilla.org

Not quite right. For example, I wiped out updates.mozilla.org from the list just after installation. I suppose my browser is not vulnerable.

the vast majority of the people who play with whitelist settings have already updated their browsers.

Perhaps. But there are a lot of other topics here about big problems raised during the upgrade to 1.0.6, so I'm not sure 1.0.6 is really stable and can be recommended. On the one side - old FF works stably and does almost all I need, including several extensions, and the probability of undergoing a hacker attack is negligible. On the other side - new FF may bring problems up to entering an entirely inoperable state, and it does not contain any desirable features. So, everyone chooses for himself.

Thumper wrote:If you're running a non-upgraded build, any link you click on any page anywhere can instantly own your entire machine.

Hmm. I thought the mozilla update site must be in the whitelist for this to be true, am I right?

The Mozilla Foundation know what is best for you.

That's very bad.

demand draconian action.

I'm glad you use this definition - draconian action. I agree.

This is a failure in execution, not in planning.

Most bugs are of the same kind. This changes nothing in the situation. The dilemma between the old stable version and the new emergency update remains. Moreover, since the update is made in a hurry, the probability of new bugs in it increases. Let us set aside enthusiasts of nightly builds.
Thumper
Posts: 8037
Joined: November 4th, 2002, 5:42 pm
Location: Linlithgow, Scotland

Post by Thumper »

No it doesn't. Breaking a couple of extensions is completely different to leaving open a large security bug until people like yourself bother upgrading. As previously stated, the Mozilla Foundation knows what is best for you. If you disagree, remove u.m.o from the whitelist and carry on with your life.

- Chris