I am appalled and dismayed by what has happened to Firefox in the past years. It has gone from being the obviously best browser to being unpleasant -- and now, suddenly, even dangerous -- to use.

We use Firefox for two main reasons: it's Open Source, which gives me more confidence that it can be trusted, and it has the NoScript Add-on, which adds security to browsing sessions.

What just happened with NoScript is, in my judgment, a security *emergency*, not a mere security bug. Security bugs in a new version of software can often be avoided by reverting to the previous version. That does not seem to apply here, as it is not a bug in a new version of Firefox, but a bug in the Mozilla infrastructure.

On Saturday May 4, it was stated that Mozilla is working on a fix. However, my running instance of NoScript was disabled on Sunday May 5. This indicates that Mozilla does not view this as an emergency, but as an annoyance. It is hard to think of any analogs to this situation: it's on the order of a Windows Update that cripples the OS.

Granted, Mozilla then published a workaround that suggested setting "xpinstall.signatures.required" to "false" in "about:config", but that hardly compensates for the fact that suddenly and without warning *all* Javascript is enabled in active browsing sessions, putting private information at risk. (And users of the Firefox derivative TOR might possibly even have their lives endangered.)

Also, in my opinion, the requirement that Add-ons be signed by Mozilla is a violation of the intent of Open Source software if not of the details of the MPL (and other Open Source licenses). Because it disallows arbitrary Add-ons, it removes final control of Firefox from the hands of the user and places it in the hands of Mozilla. It also makes Firefox unsuitable for organizations which wish to develop proprietary Add-ons which they either do not want revealed to Mozilla or perhaps even are legally forbidden to reveal. (And the idea that nightly builds or local builds could be used is usually impractical or even legally forbidden for such organizations.)

A much better approach would be something along the lines of the way Firefox handles normal HTTPS certificate problems, such as expired, or no chain of trust. Running or installing an Add-on which is not, or no longer, "properly" signed should give rise to a stern warning, and then allow the user to proceed to use the Add-on temporarily or even add a permanent exception.

And, since some organizations might not want users to run unsigned Add-ons, there should be a "policy" mechanism to prevent that. In conjunction with this, there should be a way to allow local signing of Add-ons private to the organization. (The Firefox or OS certificate mechanism must already handle this sort of thing.)

P.S. The details reported in the article at https://www.zdnet.com/article/mozilla-announces-ban-on-firefox-extensions-containing-obfuscated-code/ suggest that Mozilla's latest policies are moving further away from allowing the user or organization to control their own browser -- all in the name of "security" of course.

----------------

On Sat, 4 May 2019 09:29:22 +0200
Sylvestre Ledru <[email protected]> wrote:

> Hello,
>
> On 04/05/2019 at 03:15, Stephen Carville (Mozilla List) wrote:
> > What the heck just happened? I was informed in the middle of a
> > session that No Script and Blur are no longer compatible with
> > Firefox. Now all my add-ons except Web Developer are disabled.
>
> This is probably this issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1548973 and we are
> working on a fix.
>
> Sylvestre

