Waterfox: Addons blocked due to security or stability issues

Created on 9 Dec 2019  ·  17 Comments  ·  Source: MrAlex94/Waterfox

Today I received a message informing me that one of my addons was disabled by Mozilla due to
"security or stability issues".

I am fully aware of the implications of using said addon, however it has been completely disabled and there is no obvious way to force-enable it, other than perhaps manually changing the addon id.

Please consider adding a way to re-enable such addons, with a possible disclaimer and appropriate warnings. I do not appreciate anyone having control over what code I can or can't run on my computer.

Running Waterfox Classic 2019.12

All 17 comments

S3.Translator

A workaround was posted around a month ago:

Thank you for your reply, however it doesn't address the actual problem.
The issue is that my extensions can be remotely disabled "for my protection" and I have absolutely no say over it.

Additionally, your guide uses the webextension version of the plugin, which does not have the translation bar that my older version does.

Please consider adding a way to re-enable such addons,

https://github.com/andreicristianpetcu/google_translate_this/issues/19#issuecomment-549145086 @dessant asked:

is Waterfox planning to override the blocklist for these two extensions? I think not participating in this security theater would be a great differentiator for the Waterfox project.

There was a down-vote from the developer of the blocked extension, @andreicristianpetcu and I referred to https://github.com/jeremiahlee/page-translator/issues/26#issuecomment-545636643 – please follow the bugzilla.mozilla.org link there.

https://github.com/andreicristianpetcu/google_translate_this/issues/19#issuecomment-549697281 @dessant clarified:

I agree that disabling blocklisting in the browser is a bad idea, I was asking if Waterfox maintainers would consider overriding the block for these two specific extensions, since they're safe to use, and offer a better user experience than a user script.

I invited discussion at https://redd.it/dl42c9 and:

… Any browser/project that begins selectively picking holes in a primary blocklist – setting the precedent for any number of future hole-picking dramas – might be perceived as engaging in theatrics. …

Then https://github.com/jeremiahlee/page-translator/issues/26#issuecomment-550173251 (note the entire comment) and https://github.com/jeremiahlee/page-translator/issues/26#issuecomment-557800954

Cautioning against disabling the block-list

Think beyond installation. Think updates, automated updates, and so on.

Mozilla bug 1598242 - Extension Block Request: YOUTUBE to MP3 might have been a good example. Two 6.0 versions of extensions released on the same day. 6.1 for one of the two had a nasty effect, nearly six thousand users of the two extensions, both extensions are now blocked.

Another block following a report by me:

Please note, the side note therein:

I encourage readers to register and gain access to this members-only area of Malwarebytes Forums. In the meantime, I'm happy for this much (from me) to be public:

I imagined that just one extension would be blocked. However where (before the block) there were eleven extensions associated with the developer, now there are nine:

https://addons.mozilla.org/fr/firefox/user/4835094/

I should charitably assume that the developer was unaware of the troublesome nature of the onlinevideoconverter.com site. As a courtesy I will send him an e-mail, with reference to this post.

Through correspondence with the developer, I understand that he subsequently chose to remove other extensions.


A few days ago:

Generally

Please do not underestimate the time and effort required to assess for oneself, or for others, whether use of a blocked extension is advisable. It can be unexpectedly, excruciatingly time-consuming and complex. Blink, and you might miss an offensive or malicious activity that's intentionally or unintentionally associated with an extension.

… your guide … does not have the translation bar …

Please do read the linked information. The translation bar is clearly visible.

@Frogging101 please can you expand upon your downvote? Or do you disagree with _everything_ that's written, including all linked information?

@grahamperrin The S3.Translator addon was simply an example of a more general occurrence; specifically that of add-ons which are blacklisted by an external entity being categorically prevented from running on a user's browser, with no way for the user to override it.

The specifics of the situation surrounding the S3.Translator add-on, and the arguments about whether the Waterfox project itself should override upstream blacklists is an irrelevant non-sequitur. The question was not about this add-on or the Waterfox project's blacklisting policies. It's about allowing the user to override the suggestions of an external blacklist should they choose to do so. Your assertion that it is impossible for a user to understand the implications of doing so is irrelevant. That is a valid argument for arranging the user interface such that non-expert users will not blindly click enable insecure code to run, but not to prevent the user from doing so entirely on the basis that they cannot possibly know better.

I also disagree with your approach to responding to this issue by downvoting the submitter and taking a condescending attitude while dumping a bunch of information that does not address the actual question.

downvoting the submitter

Did you not read my previous comment, which explained the downvote?

The downvote there was for rushing to respond without reading; for saying that something was not there when truly it was …

https://github.com/MrAlex94/Waterfox/issues/1294#issuecomment-563484090

… I have absolutely no say over it. …

https://github.com/MrAlex94/Waterfox/issues/1294#issuecomment-563501763

… no way for the user to override it. …

Can I politely draw readers' attention to the method of overriding blocks; the method that was down-voted by a developer whose own extension was blocked.

This is not intended to be condescending, especially given the polite nature of the opening post. I'm simply trying to draw attention to facts, some of which are not well-known.


Re: the opening post,

… a possible disclaimer and appropriate warnings. …

Inarguably nice ideas.

However for such things to be truly effective there must be a degree of certainty that users will take notice – and understand – before e.g. clicking through a warning.

Waterfox Classic and Waterfox Current do already include the standard warning.

politely draw readers' attention to the method of overriding blocks;

@jorg35 please, was that the reason for your down-vote?

If it helps readers to find the required information:

  1. above Cautioning against disabling the block-list
  2. the phrase "https://github.com/jeremiahlee/page-translator/issues/26#issuecomment-550173251 (note the entire comment)"

– there's the preference, in the first line of the comment.

@steinex please, what was the reason for your down-vote?

Can you not find what's required?

I think what needed to be said was said already.
The request was to add a way to override the blacklist per extension.

I do not wish to disable the blacklist entirely due to the concerns you have also mentioned above.

For the moment I have modified the xpi and changed the id so that it doesn't match against the blacklist.
I also do believe I am qualified to audit an extension if I wish to do so.

If a user decides to override a big red warning, then it's up to them to deal with the consequences, in my opinion.

Finally, I did, in fact, look through your first post, and I did read.
The translation bar is not present in any of your screenshots. WebExtensions do not support such features, which is what all the addons from the chrome web store are.

screenshot1202

But again, that is out of context, as the issue was created to allow overriding the blacklist on a per-extension basis.
I do not wish to argue any further. If any of the people responsible decide they do wish to implement such a feature, then it would be appreciated. Otherwise, they can close this issue.

The translation bar is not present in any of your screenshots.

I thought that you meant the S3.Translator translation bar that appears at the head of the page.

Here (the screenshot from 7th November):

image

all the addons from the chrome web store

What's above was from the Chrome Web Store.

If you doubt this, please see the video tutorial that I added to Mozilla Discourse.

@grahamperrin For what it's worth, I do appreciate your contributions and your thoroughness. I'm sure you are acting in good faith. I just found your second reply confusing because of all the different discussion threads referenced and all the context needed to understand them. While it is valuable (and these days, often neglected) to fully understand the issues at hand, I think it would have been beneficial to narrow the focus at first to avoid information overload, as not everyone has spent as much time reading and engaging in the prior discussions about this.

Thanks, I do prefer concise.

https://github.com/MrAlex94/Waterfox/issues/1294#issuecomment-563489360 was primarily for @MrAlex94 but I didn't name him because doing so might have been misinterpreted as ignoring the OP :-)

It's certainly an emotive issue!

there is no obvious way to force-enable it, other than perhaps manually changing the addon id

While I do agree that having a relevant UI option would be nice, I see no problem with leaving it as it is.

It takes less than 1 minute to change the addon GUID and it's not like Mozilla blacklists your favorite addon every day. In my opinion this option should be left to advanced users who know what they are doing, because the majority of blocked addons are actually malicious.

Maybe make it a hidden pref with a whitelist in about:config for the sake of convenience.

Nit:

majority of blocked addons are actually malicious.

Certainly many but _maybe not_ a majority.

https://extensionworkshop.com/documentation/publish/add-ons-blocking-process/#blocking-criteria

From https://extensionworkshop.com/documentation/publish/add-on-policies/#data-disclosure-collection-and-management:

Collecting ancillary information (e.g. any data not explicitly required for the add-on’s basic functionality) is prohibited.

One recent request https://bugzilla.mozilla.org/show_bug.cgi?id=1598770 blocked 1,771 GUIDs:

… violates Mozilla's add-on policies by collecting ancillary data and/or by overriding search behavior without user consent or control. …

– block pushed on 2019-11-26 with multiple listings around three weeks later (2019-12-19) at https://blocked.cdn.mozilla.net/ … undesirable but AFAICT, not classified as _malicious_.


https://bugzilla.mozilla.org/show_bug.cgi?id=1552164 for malicious extensions is interesting because whilst the most recent activity was in May, a related block listing appeared in December: https://blocked.cdn.mozilla.net/2a4b5087-eca0-43e8-96f4-6632aabd83d3.html.

Given such things, I'll not attempt to estimate the percentage of extensions that are malicious.


https://bugzilla.mozilla.org/show_bug.cgi?id=1554606 for execution of remote code includes four extensions that originated from Chrome Web Store. Chrome Extensions Archive links:

Three of the four have already disappeared from Google's store.

HD for YouTube™ still has a web page http://youtubehd.oneted.de/ and here's a Wayback Machine view of its former listing in Chrome Web Store:

image

Flatbook remains: https://chrome.google.com/webstore/detail/flatbook/kadbillinepbjlgenaliokdhejdmmlgp but its user base has more than halved (215,104). From Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions (2017):

… injects analytic scripts when users visit Facebook pages to receive statistics about their browsing sessions. …

I do not appreciate anyone having control over what code I can or can't run on my computer.

This is understandable.

How do people feel about code that promises to do one thing then covertly does the opposite?
