Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code (betanews.com) 148
DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies."We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.
but obfuscated javascript (Score:2, Interesting)
is totally ok right?
Re:but obfuscated javascript (Score:5, Informative)
Minified JavaScript saves bandwidth, but it does nothing for performance. All JavaScript code - minified or not - gets JIT compiled to machine code. Having short variable names and less whitespace does nothing to the end result.
Re: (Score:1)
Then you're using a crappy minifier.
Minifiers exist for two reasons: the one you're talking about, where they just obfuscate the variable names, but also to optimize legible code into unreadable but faster JavaScript code.
A lot of JavaScript development these days doesn't use JavaScript. It uses things like TypeScript or CoffeeScript that are then later compiled into minified JavaScript. Plus, most minifiers will take expressions that are more legible, and do various optimization passes to make them faster.
Re: (Score:2)
Then minifier is a crappy name. Something that optimizes code performance is an optimizer (optimizer is also a crappy name as the result isn't actually optimal).
Re: (Score:1)
Then minifier is a crappy name.
Blame feature creep and the lack of following the Unix philosophy. When first developed, it only minimized. There could have been a minifier tool and an optimizer tool, but instead the minifiers were extended.
Re: (Score:2)
The code is completely unreadable, it looks a bit like assembler for a machine with an infinite amount of registers.
Sounds like code no harder to read than code with obfuscated variable names to me. Just start putting names back onto the things that you are calling registers (variables.)
Generally a project will go with a stack-based intermediate language of some kind because arbitrary abstract syntax trees (ASTs) can be exactly specified in them.
If all you've done is infix languages like C/C++ and the mainstream OOPs then maybe it's hard to read, but that's because of unfamiliarity. If you've done LISP or any of the o
Re: (Score:2)
but also to optimize legible code into unreadable but faster JavaScript code.
So they are duplicating the job of the JIT compiler which does this anyway? *yay*.
Re: (Score:1)
Is that really a concern for browser add-on/extension?
Re: (Score:2)
No - but commercial companies don't want to release their add-on as open source, so they want to obfuscate. That's the only reason for using it.
Re:but obfuscated javascript (Score:4, Interesting)
Add-ons can bypass the built-in security and protection systems built into Firefox. Javascript is running against Firefox's security systems.
So Javascript normally cannot get all the files in your documents folder and upload them in the background to the website owner. While with an Add-on you can.
Minimized Javascript is mostly done to reduce the download size of the file.
Re: (Score:2)
Not sure that's true for add-ons any more. Firefox adopted the Chrome model for add-ons, which doesn't allow them to randomly access files on your computer. They can store data on your machine but only in their own, controlled directories. Saving can only be done via the standard Chrome file download dialogue. Uploads only via the standard browse button or drag and drop.
It's true that add-ons can have more power than Javascript loaded from websites, which is why they have a permission system, but I don't th
Re: (Score:2)
old add-on could change everything in firefox, but new add-on API is limited, you can only access what you announce and those APIs are limited, so unless there is a bug, you can't really get outside the add-on jail.
What they can do is request full webpage access to add some pretty icon in all pages, but hidden in the obfuscated code they are also parsing and stealing your authentication data. They want to block code that is hard to read so reviewers can quickly confirm if the add-on only do what it say and
Hey Captain Obvious (Score:3, Insightful)
Re: (Score:2)
So is your stance on the GPL political or Religious?
Re: (Score:2)
It's "real world" stance!
you can call it whatever you want, but the truth is that he is right.... he is crazy and difficult (and this just to be nice!), but we got what we have today thanks to him (and of course, many others, better yet, all of us, everyone contributes a little)
BSD/MIT is perfect in a perfect world, but the world is not perfect
Closed source is full of broken things, unsupported software, backdoors, stolen code and hidden "features"
GPL is the necessary push to BSD/MIT to be applied in the re
Open Specification is better than Open Source (Score:3)
Source Code can be Obfuscated. Heck, you can open a Hex editor and read the binary machine code of a program, and track it out to see what it is doing. Granted that you are given the specifications.
I remember a while back I was trying to debug an output file from a program. I have the source code but the output wasn't readable (without a bunch of recoding) because the system handled integers in Big Endian while my PC used Little Endian so I needed to do bit level transposition. Also a lot of programmers will assume the language defaults will be consistent. Will int x; be 0 or some random number based on the states the RAM had during allocation. All these issues happen even without trying to obfuscate code. However an open specifications would save hours or more of research and retries.
Re:Open Specification is better than Open Source (Score:5, Informative)
Source Code can be Obfuscated.
Both GPLv2 and GPLv3 define a work's source code as "the preferred form of a work for making modifications to it". I don't understand how something can simultaneously be "the preferred form of a work for making modifications to it" and obfuscated.
Heck you can open a Hex editor and read the binary machine code of a program, and track it out to see what it is doing.
With very few exceptions, such as developing on and for an 8-bit computer using a "mini-assembler" or bootstrapping a system from a hex monitor [gnu.org], object code is not "the preferred form of a work for making modifications to it".
Re: (Score:2)
Unless you're dealing with a legal issue regarding the GPL, it doesn't matter how the GPL defines source code.
In this context, source code means "whatever Firefox's JavaScript engine recognizes as valid code". The Firefox team decided that standard wasn't good enou
Re: (Score:2)
Granted, IOCCC exists. But those are proofs of concept, not commercial products distributed to the public that some publisher must maintain. The input to an obfuscator is source code; the output is not because it is not intended for modification.
Better way? (Score:2)
Why don't they have a test container to simulate user actions and track bad actions? I'm guessing this would be a much better way to find bad actors.
Re: (Score:3, Interesting)
You're years behind the state of the art.
They may actually do that, but it's not good enough in today's world. Malware tries to detect that it's under test, and acts innocent. There's an arms race over making it hard to detect that you're under test, but the natural advantage there falls to the malware; it's almost impossible to totally simulate the real environment.
I'm not saying manual review works well either, but I think it's healthy to assume that any code that actively tries to avoid being reviewed is
Re: (Score:1)
Why does their fragile browser depend on the script code not being "malicious"?
It doesn't, their hosting of your plugin depends on it. Try reading next time. You're completely welcome to install any malicious code on your own copy if you like.
Re: (Score:2)
because if you want to run in a free and open source browser, maintained by them, you have to follow their rules or fork your own browser.
Is your code so awesome that everyone wants to steal it? probably not!
Does having open code allow someone to steal your code? Other than making it easier, it's still illegal to steal it, you are still the copyright owner. You can choose a license to either allow or deny the copy.
Does closed source protect from having your code stolen? nope, it's harder but we have many exam
This calls for new obfuscation techniques (Score:3)
Re: (Score:2)
I guess maybe that would be called "code stenography"? You'd need lots of mundane-looking code interspersed with a few lines here and there that subtly did the "real" work. Tough to pull off, but certainly not impossible.
Re: (Score:2)
steganography
Oops, you're right, we're not typing courtroom transcripts. Bad brain!
Re: (Score:1)
Obfuscate in a way such that resulting code appears to not be obfuscated.
Hardly new: http://www.underhanded-c.org/ [underhanded-c.org]
see The Underhanded C Contest (Score:2)
I can't believe no one has mentioned this yet.
"The Underhanded C Contest [underhanded-c.org] is an annual contest to write innocent-looking C code implementing malicious behavior. ... The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil. Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious be
Re: (Score:2)
But I know a couple of people that can do the reverse: writing non-obfuscated code that appears obfuscated to everyone else.
Re: (Score:2)
you can still run in firefox, you just have to install on every startup, as IIRC, it only removes on shutdown/startup.
And this feature isn't there because of this add-on, its there because of security problems with add-on. When they are added to the mozilla blacklist, they stop being allowed and are automatically removed to protect users (how many users even read ANY tech news or security warnings)
the fact that they blocked this add-on, it will apply the same rule as all other blacklisted add-on, not that t
Firefox is extention controlled by Google (Score:3)
Are there enough people in Mozilla to do that? (Score:2)
Re: (Score:3)
they've had a required review and signing process for years already, they're just tightening down the screws on the bad guys. If someone submits a piece of malware or spyware they can be banned, so it's not like each version has to be checked after that.
Re: (Score:2)
they've had a required review and signing process for years already
But are they prepared for the influx of extension clones with small harmful additions?
...now it will be easy for any random script kiddie to "secretly fork" - search-and-replace out the origins of popular addons, cut-and-paste some harm in, call it the krad ad blocker man.
The obfuscations aren't only harmful. In some ways they have been helpful too.
Re: (Score:2)
Common types of javascript obfuscation are easy to detect programmatically. And the fact that a determined bad actor may be able to devise a unique obfuscation to slip through (such as code that appears readable at first glance but doesn't do what it appears to do) doesn't mean there's no point in limiting obfuscation.
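The comment above says common obfuscation patterns are easy to detect programmatically. As an added illustration, not code from the thread or from Mozilla's review tooling, here is a small heuristic scanner of the kind a reviewer pipeline could run before human review; the signal list, weights and threshold are assumptions, and the three samples are constructed inline.

```javascript
// Heuristic obfuscation scanner for add-on JavaScript (added example, not Mozilla's tooling).
// Each signal is a regex with a weight; a source is flagged when the weighted count
// crosses a threshold. Weights and threshold are assumptions to tune per corpus.
const SIGNALS = [
  { name: 'eval-call',            re: /\beval\s*\(/g,                             weight: 3 },
  { name: 'function-constructor', re: /\bFunction\s*\(\s*['"`]/g,                  weight: 3 },
  { name: 'fromCharCode-run',     re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/g, weight: 3 },
  { name: 'atob-decode',          re: /\batob\s*\(/g,                              weight: 1 },
  { name: 'hex-identifier',       re: /\b_0x[0-9a-f]{4,}\b/g,                      weight: 0.5 },
  { name: 'hex-escape',           re: /\\x[0-9a-fA-F]{2}/g,                        weight: 0.05 },
  { name: 'unicode-escape',       re: /\\u[0-9a-fA-F]{4}/g,                        weight: 0.05 },
];
const FLAG_THRESHOLD = 3;   // assumption: one strong signal (or several weak ones) flags the file
const LONG_LINE = 500;      // minifiers produce long lines too, so this is only a weak signal

function countMatches(re, text) {
  const m = text.match(re);   // String.prototype.match with /g returns all matches or null
  return m ? m.length : 0;
}

function longestLine(text) {
  return Math.max(...text.split('\n').map((l) => l.length));
}

// Returns { score, findings, flagged } for a source string.
function scanSource(source) {
  const findings = [];
  let score = 0;
  for (const s of SIGNALS) {
    const n = countMatches(s.re, source);
    if (n > 0) {
      findings.push({ signal: s.name, count: n });
      score += n * s.weight;
    }
  }
  const ll = longestLine(source);
  if (ll > LONG_LINE) {
    findings.push({ signal: 'long-line', count: ll });
    score += 1;   // minified-but-readable code should not be flagged on this alone
  }
  score = Math.round(score * 100) / 100;
  return { score, findings, flagged: score >= FLAG_THRESHOLD };
}

// Constructed samples: plain code, minified-only code, and a typically obfuscated snippet.
const SAMPLE_PLAIN = 'function add(a, b) {\n  return a + b;\n}\n';
const SAMPLE_MINIFIED = 'function f(a){return a}'.repeat(30);   // one 690-char line, no tricks
const SAMPLE_OBFUSCATED =
  "var _0x3f2a=['\\x66\\x65\\x74\\x63\\x68'];" +
  'eval(String.fromCharCode(104,101,108,108,111,32,119,111,114,108,100));';

for (const [label, src] of [['plain', SAMPLE_PLAIN], ['minified', SAMPLE_MINIFIED], ['obfuscated', SAMPLE_OBFUSCATED]]) {
  const r = scanSource(src);
  console.log(label, r.flagged ? 'FLAGGED' : 'ok', 'score=' + r.score, r.findings.map((f) => f.signal).join(','));
}
```

The minified sample scores only the weak long-line signal and passes, while the obfuscated sample trips eval, a fromCharCode run, a hex identifier and hex escapes; in practice these heuristics triage files for review rather than decide by themselves.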
Re: (Score:2)
without code obfuscation, it's easier for tools to automatically parse and check code. With it, they may bypass the filters and still have bad code, requiring manual and slow code review. So this not only allows easier review by humans, but also makes it easier for tools to detect bad "features" hidden in the code
"blocklisted" (Score:1)
The newspeak is strong with this one.
Why was my plug-in rejected? (Score:2)
It's not obfuscated, that's just the way I write code!
Re: (Score:3)
I write in perl, you insensitive clod!
Re: (Score:2)
It doesn't really matter whether an add-on was intentionally or unintentionally obfuscated: the fact that it's not easy to review is a good enough reason to reject it.
Re: (Score:2)
the fact that it's not easy to review is a good enough reason to reject it.
Whose definition of "easy"? While you may think that Mozilla will set some reasonable standard, it is the reviewers that measure their efforts and they of course want jobs that require little effort.
Re: (Score:2)
The path of least resistance for a lazy reviewer is approving the add-on; rejecting it will likely require discussion with the submitter.
Dear Mozilla (Score:2)
What about code that only *looks* obfuscated because it's actually just really poorly written, can you ban that too? :-)
Meh (Score:3)
Obfuscation is not a true or false thing.
It's more like fifty shades of brown.
Read it backwards (Score:2)
My views on Mozilla are dark apparently. When I read the headline, the meaning I got from it that Mozilla was going to obfuscate their code to make it more difficult for add-ons to work.
The only addon I use is noscript, and Mozilla worked REALLY hard to prevent it from being effective and they are working VERY hard to make sure nobody uses it. The only way to find noscript is to type its name in. You can not browse and easily find noscript without manually searching for it. When searching for script blocker
They are joking right? (Score:2)
And one day later fuck up the entire add-on system with a broken certificate, compromising every users privacy and circumventing user consent or control
Re: (Score:1)
Then fork and run your own browser. Mozilla doesn't owe you anything.
Re: (Score:2)
Apparently you missed the "open" part of "free and open". This is simply enforcing the "open" clause in a way that benefits everyone. It's source code, not your fucking bathroom window.
Re: (Score:1)
The purpose of "open" was that people should be able to know what the fuck is executing on their computer. Obfuscation is the antithesis of this. No one's saying you can't obfuscate your own shit. Mozilla is saying "the point is to know what the fuck you're running, so we won't serve as a platform for people trying to sneak shit onto your pc." Learn to read and think - clearly you're failing at one of the two.
Re: (Score:1)
I don't disagree with you. It kind of reminds me of Stallman's point on running proprietary firmware modules in the kernel (with a notably less crazy tone).
It really does contradict. But if the kernel weren't able to use this feature, many, many users who have made the switch from systems like Windows, wouldn't have. I mean, I guess one's own opinions, and levels of trust need to come into the mix. Should a user have the right to install something closed into something otherwise open? When I think of fre
Re: (Score:2)
Where do you go to school? With it being open hunting season on liberals, sounds like an opportunity
Re: (Score:3)
..leader of the "free and open web"
This looks like it's time for an obligatory Inigo Montoya reference:
"You Keep Using That Word, I Do Not Think It Means What You Think It Means"
Re: (Score:3, Insightful)
not allowing obfuscated code simply allows those who maintain the public repository to do their job more efficiently. just surprised it took this long to make that change.
it has nothing to do with the illegal content and hate that spews from the flaming fingers of dissenter users. go run off to your little 4chan playground where you belong.
Re: (Score:1)
Lots of loaded language in that link, lmao.
Nobody has to give racists a platform. Kicking bad actors that don't engage public discourse in good faith is a good thing.
Good riddance. Look forward to doing it again in the future.
Re: (Score:2, Insightful)
That is a valid theory, but it seems that an examination of history and recent events suggests otherwise.
The real danger of radicalization is in fact the normalization and softening of extremist ideas in the public sphere. It's when the public becomes numb and desensitized to atrocity that the real horror happens.
General, widespread public exposure is a much greater catalyst for radicalization than small cloisters of extremists.
Re: (Score:1, Informative)
Sorry, but your legal free speech does NOT EXTEND TO MOZILLA.
See, you get to have your speech, but Mozilla isn't obligated to give you a platform.
You wish to submit to Mozilla's add-on ecosystem, you play by their rules.
You want to whine about your free speech being infringed because they said you can't submit obfuscated code? You can cram it up your ass and realize you're subject to their ToS same as any other site.
Don't like it, don't submit add
+1 Informative (Score:2)
Re:You mean heavy focus on censoring free speech. (Score:5, Insightful)
Obfuscating code is a an example of free speech? That's hilarious. Well maybe not, it limits the freedom of scammers to manipulate us.
Re: (Score:2)
> That's hilarious
It's not. It's unfortunate that you don't understand what we're talking about, because of a fixation on terminology that you think is agreed upon.
eg American Sign Language is a form of protected expression, under the classic (First Amendment) freedom of speech provisions. Obfuscation is a voluntary and legitimate choice in how to express ideas.
How you express yourself, in voluntary communication, is generally protected. There have been...*ahem* restrictions from time to time.
https://www [aclu.org]
Re:You mean heavy focus on censoring free speech. (Score:4, Insightful)
Gosh what evil.
If only they made an open browser where you could install any third party extension you liked.
Oh wait they do. Mozilla supports an open internet. That doesn't require them to host your shit. It requires them to let you get or wherever it's hosted. And that's exactly what they do.
Re: (Score:1)
Hey look, serviscope_minor is being retarded again.
Firefox restricts you to addons from their store. If you want to use an add-on not graced by the blessing of their store, you have to manually load it EVERY TIME you launch the browser. That loophole will go away soon, I bet.
Re: (Score:3)
Firefox restricts you to addons from their store.
Or you can use Firefox Developer Edition [mozilla.org], which allows you to disable [mozilla.org] the requirement to use signed add-ons.
Sorry to ruin your rant.
Re: (Score:2)
Private companies can do what ever they want.
Re: (Score:1)
Responding to some of the replies in no particular order:
Of course obfuscated code needs to be policed in some manner, some of the code contest results I have seen in the past are just stunningly awesome in what they can accomplish with so few bytes.
But the point of my first comment was, if we all agree that the ideal way forward is with actual Free Speech then its incumbent upon everyone to point out the bad actors, so in this regard Mozilla is a bad actor against Free Speech.
If you do not agree that Free
Re: (Score:2)
You're confusing obfuscation with efficiency. If efficient code is naturally obscure, then it needs lots of documentation.
Re: (Score:2)
It's 2 separate things, not conflating anything, at best/worst it's offtopic, I blatantly used this article as a jumping off point to bring the banning of the Dissenter plugin forward for a conversation.
At no point did I say nor mean to suggest Mozilla would be forced to do anything nor did I say obfuscated code ought to be protected at all.
lrn2reednub
Re: (Score:3)
You can still freely install that addon or any other manually as an .xpi file. But Mozilla is not obligated to host any and every addon in their official addon library.
It's also funny when the speech someone is defending is so vile that the only defense of it is that it isn't illegal to say.
Re: (Score:2)
Nitpick: No, you cannot install addon that is not signed by Mozilla.
Re: (Score:2)
Sure you can, just not in the main release or beta of the main release for certain types of extensions:
https://wiki.mozilla.org/Add-o... [mozilla.org]
Re:You mean heavy focus on censoring free speech. (Score:5, Interesting)
Not a great lover of context, are you?
Gab browser extension puts a far-right comments section on every site [engadget.com] — 1 March 2019
PayPal bans Gab in wake of Pittsburgh mass shooting [engadget.com] — 28 October 2018
Gab loses hosting provider following Pittsburgh mass shooting [engadget.com] — 28 October 2018
Anyone can stand up their own dedicated hosting service, whereas fully replicating Paypal requires deep ties into the financial sector.
Somehow I don't think Mozilla is your biggest problem here.
move along, nothing to see here... (Score:2)
or simply run the forked version of the add-on, that is not full of racists and hate-speech, that one is perfectly allowed
https://addons.mozilla.org/en-... [mozilla.org]
This one was removed because of that, it's the same as facebook and twitter removing hate-speech users. Nothing to see here, just racists complaining
Re: (Score:2)
mod parent up