Ask Toolbar is changing the Firefox add-on process

Verdi

17

Note: This is my personal opinion and is not meant to reflect Mozilla’s views.

We’ve done a lot of work to help Firefox users have control over their add-ons (for example, bug 596343 and follow-ups 693743 and 693698) but some software companies are hard at work circumnavigating these protections. A while ago I filed bug 721258 concerned about the way the Ask Toolbar changes our 3rd party add-on confirmation screen. Today, in a follow-up comment I posted this screencast which shows an example of it in action:

Planet Mozilla viewers – you can watch this video on YouTube.

Some suggested that this isn’t that bad or that it could be worse. As someone charged with looking out for our users it’s pretty frustrating to run into that kind of opposition – just take a look at our support forum. Ask is known for this kind of stuff. And in fact, “how do I uninstall the Ask toolbar” is their top support question. It looks like we can’t do anything technical to prevent this at the moment. Maybe by drawing attention to it we can come up with another solution that protects people.

Clarification: At the end of the video, when I’m trying to fix the location bar search – the problem is that “domain guessing” is happening when it shouldn’t be (documented here).

17 responses

  1. Stephan Sokolow wrote on ::

    Maybe it’s because I’m a Linux geek and Linux comes with more tools, but the first thing I’d have done in your situation is use a command like diff -u old_profile/prefs.js new_profile/prefs.js and, if that doesn’t turn up anything useful, I’d have flushed all caches and then run diff -ur old_profile new_profile.

    If none of the non-binary results did the trick, I’d have next tried sqlite3 .dump on the various SQLite databases (eg. places.sqlite) followed by diff on the resultant SQL files.

    Yes, Firefox could really use a simpler, cleaner way to figure out what happened.

  2. Boris wrote on :

    Can you post the prefs.js from the broken profile?

  3. Verdi wrote on :

    Hi Boris – here it is http://people.mozilla.org/~mverdi/files/prefs.js.txt

  4. Verdi wrote on :

    This should have occurred to me while making the video but restarting in safe mode and selecting “Reset all user preferences to Firefox defaults” did the trick.

  5. sysKin wrote on :

    I once filed bug 650477 for small part of the problem, but unfortunately it was WONTFIXd without any further indication of what to do with this pain.

  6. Fred Wenzel wrote on ::

    OMG, that is horrendous :(

  7. Mike Ratcliffe wrote on ::

    In my opinion all misbehaving addons should be blacklisted.

  8. Boris wrote on :

    That’s odd. Nothing in that prefs.js should affect the url bar, offhand….

  9. Nicholas Nethercote wrote on :

    It looks to me like the address bar search is just doing “I’m feeling lucky” style search instead of normal Google search.

  10. Mook wrote on :

    Unfortunately, I suspect this will keep happening with Firefox treating all other apps as malicious and not providing hooks for other people to interact cleanly. As long as there’s no way of nicely informing Firefox that the toolbar is being installed (and have it, for example, prompt the user at install time), people will end up trying weird things to remind their users that they at one point wanted this stuff.

    Firefox really doesn’t play well with others…

  11. Asa Dotzler wrote on :

    Mook, the problem is that most users don’t really want most of this stuff. They’re tricked into installing it. And if there weren’t lucrative economics associated with tricking users into installing most of it, many of these add-ons would have next to no usage. This is not in the best interest of users. It’s more often than not sleezy vendor behavior driven by the easy economics of search.

    – A

  12. Mook wrote on :

    Asa: I agree that many of the installs are unwanted; that’s why I only attempted to describe a flow that includes user opt-in. I feel that by assuming all other entities are malicious, Firefox-the-project breeds a reality where this is true. After all, people who would rather respect the user and do nice things are forced to go through weird hacks anyway to get a reasonable user experience – so more effort overall is being poured into working against the system.

    I’m not asking Firefox to just allow everything; I’m asking for doing the right thing to be significantly easier to implement than doing the wrong thing.

  13. Pingback from Ask Toolbar is changing the Firefox add-on process | Verdi helps you with Firefox on ::

    […] Reposted from the Support blog. Note: This is my personal opinion and is not meant to reflect Mozilla’s views. […]

  14. Jigar Shah wrote on ::

    How about mandating a section in addon installation which tells what regular browser features are being changed by given addon.

    Or may be that section is auto generated by FF installation script ?

  15. Verdi wrote on :

    I like that but it may fall into the category of yet another screen that people automatically don’t read and just click next.

  16. Concerned User wrote on :

    Maybe this has already been mentioned but here goes:

    Allow the addon to install only if it is hosted in the official repository (https://addons.mozilla.org). Otherwise, it will not get installed. This way:

    1. Mozilla can monitor the addons.
    2. Users can post reviews and crapware will be automatically minimized and perhaps eliminated.
    3. If ask wants to dump their toolbar on Mozilla users, they would have to create a user account at addons.mozilla.org, upload their addon and users would download it if they needed it, rate it etc..etc… The same would go for McAfee, AVG or anyone (big company, small time addon creator etc.).

    This would eliminate third party addons completely. But for most users, this would work out.

    I understand that this could go against Mozilla’s principles of the open web etc.. But wouldn’t it solve half the problems? Or am I missing something?

  17. Verdi wrote on :

    The key is like you said, that could go against our principles. I don’t believe we want to force developers and users to only be able to use AMO. That would be kind of like Apple’s app store. But there is a proposal that might accomplish something like this – https://bugzilla.mozilla.org/show_bug.cgi?id=728227