On Fri, Feb 24, 2012 at 8:54 PM, Justin Lebar <justin...@gmail.com> wrote:
>
> Any of the following would be a great improvement, IMO:
>
> (1) disallowing add-ons installed by third parties, as suggested here.
> (2) requiring that all add-ons installed by third parties be signed
> by the AMO team [2].
> (3) testing the most popular add-ons installed by third parties and
> aggressively courting fixes from the relevant developers.
>
> Judging by how poorly (2) was received by the add-ons people, I don't
> think (1) or (2) is likely to fly. (3) seems worse to me, but it
> would still be a huge step forward.
I gathered a list of the ~100 top add-ons and filed
https://bugzilla.mozilla.org/show_bug.cgi?id=730737 for this.
----
This has been an interesting thread. It's also been very abstract.
Let's make things more concrete.
Clint said:
> I think we need to solve this by turning it around from a "how do we defend
> Firefox against X" question to a "what do the users want from these addons,
> and what do the developers of the legitimate sets of these addons hope to
> provide" question. With the users squarely in mind, I believe we can make
> much better decisions.
Here's my answer to what users want from add-ons:
Adblock Plus
Video DownloadHelper
Greasemonkey
Firebug
Download Statusbar
Personas Plus
FlashGot
NoScript
DownThemAll!
WOT - Know Which Websites to Trust
Tab Mix Plus
Flagfox
Easy YouTube Video Downloader
Flashblock
Element Hiding Helper for Adblock Plus
ImTranslator - Online Translator, Dictionary, TTS
FireFTP
Web Developer
IE Tab
IE Tab V2 (FF 3.5, 4, 5, 6, 7+)
That's the top 20 most popular add-ons on AMO. These are excellent
add-ons, you've probably heard of a lot of them, you may have some of
them installed yourself. These are add-ons that users have taken
effort to install. Every add-on on that list makes me happy (well,
except for https://bugzilla.mozilla.org/show_bug.cgi?id=669730). When
people say things like "The only reason I haven't switched to Chrome
is because of Firefox's add-ons", this is what they're talking about.
In many cases even if you've never heard of one of these add-ons, you
can tell just from its name roughly what it does.
In contrast, when I look at the top 20 most popular add-ons (including
AMO and non-AMO add-ons) my heart sinks. The only ones I'm genuinely
happy to see are the AMO ones. A few others make me think "hmm" and
the rest make me think "oh god". Unfortunately this list is
considered sensitive so I can't discuss it directly in a public forum.
But I can point you at
https://bugzilla.mozilla.org/attachment.cgi?id=600823, which has the
top ~100 add-ons, including non-AMO ones, listed in alphabetical
order. I spent some time looking some of these up. I've put some
interesting links and data points in a list at the bottom of this
email. I did some cherry-picking when making that list, certainly,
but I still feel like I've been diving through dumpsters in the bad
part of town. Some notable things I learnt:
- For many of these, even the ones where the name is known, it's hard
to find any kind of official website to deliberately download the
add-on.
- The fact that third-party add-ons cannot be uninstalled from within
Firefox is hugely confusing to users. The number of "how do I disable
the XYZ add-on" hits you see is astounding.
- It's interesting that several add-ons (e.g. Yahoo! Toolbar,
Microsoft .NET Framework Assistant) are hosted on AMO but the vast
majority of the installations are not from AMO. This could mean
there's a prominent alternative location that the add-on can be
installed from, but I suspect third-party installs are mostly
responsible.
- Apart from the anti-virus add-ons, I don't recognize anything in
that list that provided integration between Firefox and other apps. I
could well be missing some, though.
- There are 17 add-ons that have "toolbar" in their name.
> If we frame the problem as "defending Firefox from
> malicious crap" then the solution we create isn't going to be as complete as
> it could otherwise be.
That's true. But the evidence suggests that "defending Firefox from
malicious crap" has to be a sizeable part of the solution.
In my opinion, user control should be the #1 principle when it comes
to add-ons -- users should be able to run exactly the add-ons they
want to, no more and no less. Third-party add-ons are an enormous
loophole in the "no more" part of that. The Firefox 8 opt-in check
made that loophole much smaller (and if we lived in a perfect world
where users always read and understood all warnings it would be even
smaller). Do we have any data about how effective that opt-in check
is? E.g. how many third-party installs were disabled and how many
were re-enabled by users? I'd love to see any such data.
Nick
----
Results of my searches. Most of the links were in the top handful of
Google search results. I randomized this list so they're in no
particular order.
- Conduit Engine: 6 of the top 10 Google search results are about how
to remove it.
- Anti-banner (Kaspersky):
http://www.ghacks.net/2010/10/02/remove-kaspersky-anti-banner-and-url-advisor-from-firefox/
- PC Sync 2 Synchronisation Extension (Nokia) - AMO: #4 Google hit:
How to remove PC Sync 2 Synchronisation Extension
(http://www.techyforums.com/index.php?showtopic=307)
- Java Quick Starter: #1 hit on Google is "Removing the Java Quick
Starter Add-on"
(http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&start=15)
- Microsoft .NET Framework Assistant: Remarkably popular for an
add-on that doesn't do much.
- {22C7F6C6-8D67-4534-92B5-529A0EC09405} , a.k.a. Trend Micro NSC
Firefox Extension:
http://community.trendmicro.com/t5/Home-and-Home-Office-Forum/how-to-remove-Trend-Micro-NSC-Firefox-Extension-6-5-0-1234/td-p/38616
- Ask toolbar:
http://blog.mozilla.com/sumo/2012/02/21/ask-toolbar-is-changing-the-firefox-add-on-process/
- DataMngr (???): SpyBot Search and Destroy classifies it as malware:
http://forums.spybot.info/showthread.php?t=62634. And it was
nominated for blocklisting last year due to crashes but nothing
happened:
https://bugzilla.mozilla.org/show_bug.cgi?id=665775.
- Babylon: #1 hit on Google is
http://www.ghacks.net/2011/08/17/how-to-uninstall-the-babylon-toolbar-completely/.
#3 hit is "Manual Removal Guide for Babylon.Toolbar"
(http://forums.spybot.info/showthread.php?t=64962)
- {4ED1F68A-5463-4931-9384-8FFF5ED91D92}, a.k.a. McAfee SiteAdvisor:
The old version was by far the leakiest add-on I've ever seen:
https://bugzilla.mozilla.org/show_bug.cgi?id=727938. The new version
(3.4.1.195) is better, but still easily the 2nd leakiest add-on I've
ever seen:
https://bugzilla.mozilla.org/show_bug.cgi?id=729608
- Java Console: Lots of Firefox installations have multiple old
versions hanging around uselessly. Remarkably popular for an add-on
that doesn't do much.
- Garmin Communicator: has 51,249 AMO users, and *many* more non-AMO
users.
https://addons.mozilla.org/en-US/firefox/addon/garmin-communicator/reviews/295748/
is interesting, too.
- ShopperReports: 7 of the top 10 Google hits are about how to remove
it. (At least it has a home site, www.shopperreports.com.)
- Search Helper Extension:
http://arstechnica.com/microsoft/news/2010/06/microsoft-slips-ie-firefox-add-on-into-toolbar-update.ars