391 comments

[ 4.2 ms ] story [ 219 ms ] thread
Yet the official download on download.mozilla.org is still the old, broken version.
The new version is there now.
A good outcome of this certificate fiasco is that many firefox users learned about the "studies" and "Normandy" brain-damage and promptly disabled them.
Having a capability for widespread A/B testing is brain-damage?
Yes, running experiments on unknowning and unconsenting users is unethical, especially when the metrics being optimized for usually aren't in the users' best interests. The widespread acceptance for this behaviour could definitely be classified as brain damage.
So when deploying changes it should just go to every single user with no incremental rollout?
Yes. The testing should be done on users that opt in (likely less than 0.1% but that should be OK if it's done properly) and it should be rolled out by releasing an update to everyone.

These so-called "best practices" often aren't.

By relying on opt-in you won't test whether a feature actually works for the average user, so if you don't test it, you might roll something useless/confusing/actively harmful out to all of them instead of just a few.
Exactly. The recent Windows 10 update fiascos demonstrate this perfectly: they are opt-in (Insider program) and there were too few users experiencing the bugs to overcome the noise of those who weren't. You need a truly random sample.
I think they updated too many parts of Windows at once, not too many computers at once. And I'm not certain that a delayed rollout would have fixed it. Is it fair that a random sampling of people are given the problem?
So instead of having enough voluntary or paid testers to detect catastrophic, file deleting bugs in a new version, your solution is to just roll out the new changes to random users expecting a stable system?

Something went terrible wrong somewhere, that we got to this.

And that's OK. Being honest to your users is much more important that having the most efficient deploy system.

I, for one, as a matter of principle, opt-in to all user tracking systems that are disabled by default, and try to opt-out whenever they are enabled by default. In the case of firefox, it was never clear to me that the tracking/remote install capability was enabled by default.

I don't see the purpose. There seems to be an assumption that A/B testing is inherently bad, therefor should be opt-in.

A/B testing is necessary for stable rollouts, that much seems self evident.

So what is the evidence that A/B testing is harmful to users?

It isn't A/B testing that is bad, it is running and/or modifying stuff in the user's computer without their knowledge that is bad. If a site modifies some part of their layout or whatever isn't bad, but a browser installing addons or changing settings to see if it will crash is bad.
Well, it's not like they're hoping it will crash. Presumably they're hoping it won't.

Wouldn't it be more irresponsible to deploy to every user without first testing it out?

that's what the stable/experimental channels are for - a user who don't want to be tested on (such as a business user) can easily be sure that they are getting a stable release and their settings won't update under them.

Experimental/beta channels can have these changes pushed to it, since that's implied by the name, and those people who like living on the edge of new features do so knowingly.

Let the users control their destiny, let the users decide when. That's the hallmark of a trustworthy company.

Users who intentionally run beta / nightly are not normal users. How many of them run on cheap "desktop" computers they bought on sale at Target, do you think?
Wait, so running and modifying stuff on all users' computers is good, but a random sample isn't? That's what A/B testing deals with.

The discussion isn't "modify stuff" vs. "don't modify stuff". The discussion is "some users" vs. "all users".

And obviously if you have an auto-update mechanism you're modifying stuff on the user's computer. Chrome updates are near invisible on modern machines. That's a good thing. It keeps the browser evergreen and protects users. If everything were opt-in because "Google shouldn't modify stuff on my computer" that would be an absolute disaster for everyone. No way.

This is a technicality, users do not care about technicalities, they have their own expectations and if you are on -say- a stable branch with autoupdates enabled your expectation is that you'll get the latest version that everyone else is using.

A/B testing through that branch breaks that expectation (and no, mentioning it somewhere hidden in some EULA or equally obfuscated place does not mean people will not have the expectation - hell, even mentioning it right below the download wont make a difference).

Isn't that the entire point of the nightly and beta branches?
Those populations are not representative of the release population.
> the metrics being optimized for usually aren't in the users' best interests

Do you have any source for that? If you truly believe that Firefox is optimizing metrics that aren't in the users' best interest in general, why are you even using said software in the first place?

What other browser can you use if you are interested in some sort of privacy?

Is Chrome compiled from source safe from tracking?

>What other browser can you use if you are interested in some sort of privacy?

Waterfox, Safari. Some others too but they're a pain to use (ungoogled-chromium for example). Chrome itself has a bunch of binary blobs so I would stay away from that.

For starters, Mozilla dropped RSS support after shoving proprietary closed source software down our throats in the form of Pocket.

I don't see this as having users best interests in mind.

> especially when the metrics being optimized for usually aren't in the users' best interests

I don't think so. Mozilla is not google, and apart from the mr. Robot error, that they apologized for, I am sure Mozilla is using it for making the browser better, and not to use you for targeted ads like the other browser maker does.

When has Chrome used A/B testing for ad targeting in the past? Can you link to an example?
Google Chrome uses the RLZ tracking identifier for some installations.

"RLZ gives us the ability to accurately measure the success of marketing promotions and distribution partnerships in order to meet our contractual and financial obligations."

https://blog.chromium.org/2010/06/in-open-for-rlz.html

I think this can be compared to McDonald's slightly altering the recipe of something for part of the country. I don't find that unethical at all, and frankly the things we put in our body are a lot more personal than which web browser we use.
Yes, but it isn't (well should not be if they want to stay within the law) adding completely random drugs an garbage to the food. It may be seeking cheaper recipes with no sales losses, better recipes to improve sales, or something else, but it all has to be within the context of proper regulation, i.e.,, FDA. (we can argue elsewhere about the effectiveness of that system).

This unlimited testing can easily be seeking to better maximize psychological exploits with no regulation.

So, yes, I'm happy to see someone putting in a bit of control.

That is dismissive of how much value people place on their selves and digital aspects thereof. My identity, private conversations, and sexuality are infinitely more personal than the food I consume.

I agree that it’s appropriate to A/B test changes, within reasonable bounds. I wish the debate would focus more on what the reasonable bounds are to each objector.

It's just the usual tug of war between developers and users for control of the computer.

A completely careful open source project would normally leave such controversial things off by default, and moz which leans corporate will go part of the way towards enabling such features. I don't mind their compromise, they do good.

> It's just the usual tug of war between developers and users for control of the computer.

And the annoying part of this being developers who act as if they do not understand (or just brush off) the concerns that the users have.

Like, people want control over their own machines. How is that hard to understand?

Because functionality like that can be used to enable/disable features outside of tests as well. For example gating new things which could become a stability issue. Sometimes it's a choice between control or no control. Sometimes it's between your browser crashing or not. The power users will care about control, but the general population of users not really.
> For example gating new things which could become a stability issue.

And yet we were somehow able to ship stable software to millions of people in the days before telemetry/studies. What telemetry/studies truly provides is offloading QA costs to users.

The software was also simpler. And we were not really great to shipping stable software in the past.
Sure we were. I have video games that were pressed to CDs with no possibility of updates and they still run to this day. On a complete play through of many of them you wouldn't notice a single bug.

Using users for QA has made us lazy and borderline incompetent.

I think you're thinking of extreme cases here like games which are released with bugs these days for holiday rush, because the patching is easy / built-in. That's not the case for everything and not the case for Firefox.

And the stable software in the past may be due to nostalgia. They had bugs. Even before dialup was common, games were patched: Diablo 1 had a number of patches for example, Quake 3 went up to 1.32, Dune 2 (1992) got 1.07. We just accepted bugs, because... what can you do?

And yet none of those updates that I can think of had such ridiculous regressions like you see in todays "ship daily" software.
It certainly is not brain-damage, but it is however very user-hostile.

Are you the unlucky one that ended up with the broken A/B testing change? Well, sucks for you and nobody will be able to help you. Do you want to try a specific testing change because you like it/something is broken on your end and that will fix it? Sucks to be you again, you get no choice on this. Do you want to analyze the change to see if they have something bad in it? Nope, not possible unless if you end up being one of the lucky ones. In addition if Mozilla were to get compromised (either as an organization or in software side) could use it as a backdoor on unsuspecting users or even do targeted attacks.

None of that would not be an issue if they depended on nightly/beta for changes and error detection, nor would it be if they had a list of possible tests somewhere that the user could manually enable and possibly ask some users explicitly if they want to enable one on the browser startup.

Having a backdoor on by default while you’re pretending to be ‘the good guy’ is brain damage. It’s taking an age to build trust and then throwing it away in a second.
The Mozilla / Firefox teams must have a bunch of people monitoring HN threads. I always notice very aggressive downvoting whenever FF is criticized.
Or you know, maybe it's just people like myself who don't like unnecessary toxic behavior towards open source maintainers?
It was and is multiple comments, on a regular basis, which is why I mentioned it. Open source, especially when very well-funded, isn’t a shield from criticism.
Please don't insinuate astroturfing etc.; this is in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

HN has strong open-source and free-software constituencies. Many of those people feel strongly about Mozilla and Firefox. There's no need to assume bad faith (also in the site guidelines!)

If you see unfairly downvoted comments, give them a corrective upvote. That corrects most cases. If the problem persists, emailing us at hn@ycombinator.com so we can take a look, and possibly intervene, would be a helpful thing to do.

Calling people shills without proof is not an honest argument. Sometimes people just have different views. I downvote those comments because they're unsubstantiated and needlessly pessimistic. Mozilla is still one of the better organizations out there.
As author of the original "pessimistic" comment, I want to say that I agree 100% with you. Mozilla is indeed the most important free software project today. Thus, I am very sad and pessimistic when they exhibit subpar behavior such as this.
Given the HN guidelines on this, I’ll lay off on the specific type of comment I made. (Although it’s quite a normal thing to notice and point out in other communities).

However, precisely because of the importance projects like Mozilla and browser technology in general, I think it is perfectly reasonable to expect the highest standard of behavior. I personally have concerns about certain aspects of their activities (not related to downvoting) in recent years and am well within my rights to express them.

And Mozilla should respect your rights, that is, after all what they claim to champion.
You are well within your rights to express your criticisms of the project, but claiming bad faith with no evidence to back it isn't.
What I observed would not be an instance of bad faith.
I enabled it for the bugfix and it made some additional changes to the config that weren't related to the bug fix and not mentioned on about:studies. Changed the behavior of the browser.

Very strange and unsettling.

> A good outcome of this certificate fiasco is that many firefox users learned about the "studies" and "Normandy" brain-damage and promptly disabled them.

I'm actually curious about how the common user reacted to this. There isn't a clue about this on (1) the add-on page, (2) Mozilla's home page, (3) no emails sent out (I get plenty of other emails from Mozilla).

Currently, when you try and (re)install an "unsupported" add-on, you get a cryptic message stating: "Download failed. Please check your connection."

So the only communication from Mozilla is that it's my fault and I need to "check" my connection.

Honestly... there's so much fail here - even at the communication level.

>I'm actually curious about how the common user reacted to this. There isn't a clue about this on (1) the add-on page, (2) Mozilla's home page, (3) no emails sent out (I get plenty of other emails from Mozilla).

That's a good question. Of course we have to assume we're talking about the common add-on user, since some users don't have addons.

An incredible 3.2 million users (out of 10 million daily active) attempted to download Adblock Plus on Saturday, after it was disabled. Some of these might be duplicates of course, but I think this suggests:

(1) most users who use addons noticed when they were disabled (2) most of them were confused (at least initially) about the reason this happened, since there was no direct communication from Mozilla about the problem in the browser itself (3) many of these attempted to redownload their extensions as a solution to the problem

https://addons.mozilla.org/en-us/firefox/addon/adblock-plus/...

Not seeing any updates in `apt`.
This is the Mozilla release. It will take a bit for the Linux distros to get it packaged and into the repos. Even the Firefox install on my windows machine here doesn't see it as an automatic update yet.
I tried Firefox recently because I want to ditch my Chrome habit and I love Mozilla but it had serious performance issues on all of my macs (fans would spin at max after 5 min, a long standing and known issue I guess) along with some real oddities on my android.

Between bad performance and these many recent missteps I ended up ditching it for just another chromium based browser out there. Though my experience is somewhat anecdotal I have to wonder how much longer Mozilla can keep it up before they end up as just another chromium flavor.

Edit: Wow I woke a beast I guess. Not sure what the insta-downvotes right at the start there were about.

If you’re on a Mac, you have Safari installed as well which is better than Chrome (or most Chromium flavors) on the privacy and security front, not to mention battery life and performance.

However, I’m sure Mozilla would like a bug report, because I’ve never seen performance issues with Firefox on a Mac. Edit: I should note that the couple of MacBook Airs I had it installed on were pre-Retina so that might explain why I hadn’t seen this particular issue.

Safari occasionally crashes for me on OS X with a massive stacktrace. One time it was because it couldn't create a directory locally in my Preferences.

Never had that trouble with Chrome. Flawless browser.

Firefox on mac used to be like that, but recent versions (last year or two) haven't had that issue

You're probably being downvoted for negging others' beloved browser

I gave it a spin about 4 months ago and stuck with it for about 2 months and was still having the issue. A Mozilla employee pointed me here to watch for updates on the issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1404042

Edit: Also relevant: https://github.com/servo/webrender/issues/3115

I still have severe performance issues with Firefox on my Mac also. When I mentioned it a couple of weeks ago in a post here I was downvoted and basically accused on making it up.
Yeah, I gave Firefox a second chance with the quantum updates but, I ran into all the same performance issues I’ve associated with Firefox since version 3
If you used addons in all tests, and/or have ever opened about:config, consider creating a fresh profile without any addons and leaving the settings at the defaults. If you still see problems after a week, that would confirm it’s Firefox rather than whatever third-party modifications you and/or your addons are making to the browser.

For example, one of the popular cargo-cult ‘fixes’ for the addons issue instructs Firefox via about:config changes to make 86,400 extra network requests per day, because the instructions are extremely badly written by people who don’t know/care about that impact on your battery life.

Expert user footguns are responsible for far more performance issues than expert users realize, both in Firefox and in all other software they operate. It’s so reliably a problem that I’ve been using “are you an expert” as the most important triage question for the past two decades of IT support.

I recommend to at least enable uBlock Origin as it will save you a lot of resources whilst browsing the web. There's a whole bunch of other privacy and resource related addons I also like, but it goes a bit too far to mention those.
uBlock Origin, AdBlock Plus, and other random flavor-of-the-year ad blockers are IIRC the #1 contributor to Firefox slowness, resource usage, and crashes for some years now. They are key examples of “expert user footguns” and I shudder to think how many users are incapable of repairing their browser when damaged by one or more of these addons. Yes, they can reduce bytes over the wire, but they do often come at the cost of reliability and efficiency that disabling them is often sufficient to diagnose browser problems with no other steps taken. “This site doesn’t show any ads, how could it possibly be uBlock?” is the most depressing question an expert has ever asked me about Firefox.

Previously: https://news.ycombinator.com/item?id=8802424

Please provide a source that uBlock Origin is the #1 contributor to Firefox slowness, resource usage, and crashes.
I have only my memories, which is what IIRC means: “if I remember correctly”. A few seconds of searching offers no better answer, so you’ll simply have to downvote me and move on.

(For those who want to investigate further, I believe it was about a year ago and would have been on planet.mozilla.org at the time. No, I didn’t post it to HN because I don’t usually consider anti-adblock positions to be safe to discuss here.)

After I made my previous post you added a source about _ABP_ being a memory hog. Show me a source that uBlock Origin is a memory hog compared to vanilla and ABP.

This article [1] shows how ABP is, indeed, a resource hog, compared to uBlock Origin. It also shows that pages load quicker with uBlock Origin than vanilla. Its an article from 2 years ago though.

This article [2] talks about how in december 2018 uBlock Origin uses WASM for better performance. It includes a link to benchmark the software.

This article [3] from begin 2019 compares the performance of different adblockers (the article is by the authors of Ghostery though therefore I link to the Reddit discussion).

[1] https://www.raymond.cc/blog/10-ad-blocking-extensions-tested...

[2] https://www.ghacks.net/2018/12/03/ublock-origin-performance-...

[3] https://www.reddit.com/r/uBlockOrigin/comments/ar7a3m/adbloc...

I found Quantum gave noticeable performance improvements. Not enough to justify crippling the extensions I use constantly and insultingly taking away the ability to make the UI look the way I want it to look, but improvements nonetheless.
The past two years with Firefox have made me gradually dislike Chrome less. Yesterday, I pulled the plug and switched to Vivaldi completely.

I wouldn't be surprised if Firefox 75-or-so is based on Chrome anyway.

I've seen people expecting such a switch since... Firefox 6 or so? I wouldn't hold my breath.
Let's hope for the best. With Firefox 57, most Firefox add-ons and all Firefox themes must be Chrome-compatible already. The steps are smaller these days.
Edge's switch to Chromium was a bit surprising, even if it makes complete sense to do so on both the browser and OS level. At this point, I'm not sure if Mozilla's involvement with the Chromium project would be such a bad thing. In regards to web standards and freedom, having Google, Microsoft and Mozilla having their hand in that pot doesn't seem a lot different from each maintaining their own.
It would be a terrible loss to us all if Mozilla made Firefox chromium based, since it would mean Google basically controls the internet via Chromium

EDIT: also Mozilla putting more and more rust code into Firefox is great for memory safety which is something that is a cause of many security issues these days

Is that a fact, that Google controls the Chromium project with such an iron grip? I don't know, but don't know if I agree that it's a foregone conclusion. I find it hard to swallow if Microsoft is now involved with Chromium. My guess is that Mozilla joining would take even more power from Google.

My second thought is that they already control the internet either way with Chromium. I'm not sure my (beloved) Firefox has any meaningful sway, or often even gets tested. A lot of web developers who probably don't frequent HN, want to have a single IE6-style monoculture to make their job that much more straightforward.

For sure, I can't say I disagree about Firefox adopting Rust. Definitely a nice technical perk to being a Firefox user. I've been here since 2002 and never left. Can't say I've ever had all the issues that everyone else insists existed. I think a FF reset would have resolved most issues, for most people. I certainly never came across any deal breakers. If there have been any, they were all very recent. The removal of Live Bookmarks, adoption of Pocket and the ousting of Brendan Eich was not a good look in my view.

I'm still on 66.0.3 and the issue resolved itself, I believe, yesterday...
Resolved as in you're opted in to studies?
I never did opt in. SO if it's not the default setting, it must have been off.
They made it default. It's called Normandy.
A place most people associate with the largest amphibious invasion in history seems a curious choice of codeword.
The name fits the feature imo.
That'd mean all Firefox users are Nazis.

Which may or may not be true.

They invaded nazis, so it's all good.
Same. I found some pretty good instructions[1] so all my plugins started working this morning, CET. And you can disable the studies when you're done.

1. https://forums.informaction.com/viewtopic.php?p=100053#p1000...

Please don't lower the value of run_interval_seconds like suggested there. If many people do that it will cause those of us on the ops team for Firefox's backend services some headaches.
I understand the sentiment, but "Please turn on studies and wait for an undefined amount of hours to get the fix" is also causing quite a bit of headache, so especially without a good (publicly given) reason to not tell people to download the studies XPI directly and fix it immediately you might want to overthink the impression that leaves on users.
Mozilla pushed a hotfix yesterday but it only worked on certain builds of Firefox, and only for users which had the user studies setting activated. Today's update should be a more permanent fix.
What about older versions? Does this mean that older versions of firefox can never be used with addons (even matching older versions) anymore?
Good question. Looks like they do have a release for 60 (the current ESR):

https://archive.mozilla.org/pub/firefox/releases/60.6.2esr/

Just export the key from a current version and import it into the old version. Worked for me.
How do you do this?
From an updated Firefox navigate to

Preferences -> Privacy & Security -> Security -> Certificates -> View Certificates

Now find:

  Mozilla Corporation
    signingca1.addons.mozilla.org
Select signingca1.addons.mozilla.org and then choose export. This is what you would import into the older version of Firefox.
BTW that certificate list if fairly long, has no scrollbar and no search box. That's a bad UI.

Is there a way to report this without spending hours to register at Bugzilla and file a proper bug report?

Not sure why you don't have a scrollbar. On my version of Firefox (Firefox Developer Edition 67-0b16) the certificate list does have a scroll bar and can be navigated using the mousewheel. Can't speak for stable Firefox since I don't use that version.

No, not that I am aware of. In my own experience it actually took me longer to find alternative ways of bringing awareness to a bug I was having than it did to signup to Bugzilla and report it there.

Which older versions, specifically?
I don't have any particular in mind, but also future versions when they are old: will every version of firefox have a certificate that expires at some point in it?
A fix for the ESR is coming, are there any other supported old versions of firefox out there?

If you're using an unsupported version, then it's probably safe to assume you won't get a fix.

Link where the release notes will be posted:

https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/

They're published now.
Right now, the Firefox for Android version is still not available in the Google Play Store.
Surprising no one. The real question is whether the apk is available somewhere so people don't have to wait for our favorite walled garden to mercifully pass the update.
I am not interested in finding out what they'll break next unless I want to participate in their Normandy botnet.

Goodbye, Mozilla.

So... Hello, Google?
A large part of the problem is that too many people are happy with not having a choice anymore.
That's a pretty uncharitable characterization of their experiments framework. Have you ever worked on large-scale software with tens of millions of users or end-points? Then no doubt you'll know the tremendous value incremental deployments and test/control groups have.
A botnet for a good cause is still a botnet.
I was pretty pissed about the issue and the reasons that led to it, would you please introduce me to the trusted browser provider you are heading to?

Because despite this and all the previous issues, I don't see any alternative that is half as good or cares about me as a user.

Currently, Vivaldi. Yes, I know about the privacy implications, but at least they're trying to get better, not worse.

I wish Netsurf had more manpower.

Oh well, I do use chromium as a last resort, every few months. If this the alternative, I prefer to suffer Firefox shenanigans every now and then.

I was seriously annoyed by the move to the new add-ons framework, and stayed way too long on unsupported, unpatched old version, until everything I needed was available, to some degree at least, in the new framework. I tried but didn't stick to Chromium as my main tool.

As it is, Firefox is ugly on some days, but for me at least, it still the best tool available, and it still feel pretty much like mine.

Have you tried Firefox?
It's my main driver since ~2003, so yeah, I did and still do.
No release for android yet, at least not on [1], where I am getting the apk files from. As of now, latest release uploaded there is 66.0.2 from March.

[1]: https://archive.mozilla.org/pub/mobile/releases/

EDIT it's up: https://archive.mozilla.org/pub/mobile/releases/66.0.4/

Well, at least you didn't get hit with 66.0.3.
What did 66.0.3 break?
66.0.3 didn't break anything, but it was the last version to ship with certs that expired on Friday.
xpinstall.signatures.required = false worked for me on android
Yeah, this also worked for me on Android. Not sure why the downvotes.
It works on the main branch now too, so quickfix or not try to update from the play store asap (or whatever repo you use)
Probably because this workaround consists in deactivating add-on security.
Because it's not working right now..
Worked on my 2 android devices. Did not work on windows desktop. That needed the nightly or probably this build.
Referring to plugin security.
And what's the problem with not having that? Does it suddenly make my installed extensions insecure?

I (somewhat) get it for the standard windows user who gives admin rights to everything, but I think this crowd is a bit more aware of what they install.

I haven't installed an add-on in years.
Then you're not affected. What's the matter?
That means: the installation is a while old, installation security is not useful now because the add-ons were installed ages ago, but using them is.
No, it does not. David, this is just wrong. Existing add-ons do not become suddenly insecure.

What it does is allow you to install add-ons not signed by mozilla. Essentially the same thing as installing software not originating from the iOS and/or Mac AppStore, or the Ubuntu/Fedora/etc distro repositories, or the Windows Store, or the Play Store.

The signing stuff might protect some less tech-savvy users from installing "You need this codec to play this porn video" malware add-ons, same as the other walled gardens I listed do too (tho most I listed have still a door in the wall that you can unlock and open yourself, unlike Firefox Desktop).

But that's it. It is a "seal of approval" scheme saying that mozilla reviewers decided something is secure enough and has an OK quality (and wasn't forced to remove by US laws/authorities courts yet), implemented using DRM. It reduces the chances that users will install something malicious by accident/incompetence.

If users still run their add-ons from AMO, then there is no difference. Unless a bad actor can either MITM AMO connections or compromise the AMO servers. At which point the users has a lot more problems already than potentially malicious browser add-ons.

Last I checked Firefox still gives at least a warning + confirmation dialog if you try to install an unsigned / improperly signed extension with xpinstall.signatures.required = false, no?
You're better off waiting a few more hours that disabling important security features.
Disabling all add-ons doesn't help security either.

So far I have neither an update on ubuntu-desktop nor on android (with default package managers) so without this option I'm supposed to use the internet without adblock & umatrix? lol no thx

Disabling noscript is a bigger security issue.
It only got disabled if you installed the version from addons.mozilla.org and not the noscript.net.

Some sort of pinning mechanism would be nice though without having to rely on manual installs and signing.

It's a trade-off, you could end up with a version having a gaping security hole.

The only "security" it provided was to prevent people from installing add-ons that Mozilla didn't approve of, ostensibly ones it thinks are malicious, and I'd bet that on Android (which has its own app isolation features anyway) that's even less of a problem.
Not exactly. You can install add-ons from outside of Mozilla add-ons site. The extra certificate is more of Mozilla's seal of approval.

This is why quite a few of my add-ons were not disabled - they were installed with trust from another site and this intermediate certificate was never in chain.

You could even manually sign these add-ons you trust with custom imported CA key for your personal or corporare vetting.

Given that all my extensions are privacy and/or adblocking features -- that seems unlikely. I can re-activate it when the Mozilla fixes the issue.
We've lived without the walled garden for more than 10 years, I'm sure we can manage a few more days.
My add-ons are more important security features, that are needed right now, whereas the signing thing only protects when you install a new add-on from an unreliable source. (EDIT: it actually only applies for add-ons installed from the Mozilla add-on store website ... silly me for trusting that place)

Come to think of it, why did my add-ons get disabled, given that they already had been checked against the signing key when they got installed? Why is this (literally, it seems) being checked constantly instead of only when something about the add-ons changes?

This did NOT work for me with the Windows version.

Had to install that .xpi from the previous HN thread on the subject.

When will it appear in the Play store?
installing and running this version did not resolve the issue for me

is there something else I need to do?

I don't understand why renewing the certificate wouldn't fix the issue ?

How does the 66.0.4 fix the problem exactly ?

It's a signing certificate that is built into the browser to verify add-ons, not a normal TLS certificate that they can just update on a web server.

The change basically just imports the new certificate into the database: https://hg.mozilla.org/releases/mozilla-release/rev/848b1502...

That is not a complete statement of the changes shown. In addition to the unexpired certificate, it takes step to reenable any addons that were disabled by the expiration of the prior certificate.
> It's a signing certificate that is built into the browser to verify add-ons, not a normal TLS certificate that they can just update on a web server.

Ah, so that's why. Thanks.

What was the signing certificate validity period ?

Two years, iirc.
Don't know about the old one, but the new one from the patch is:

    Not Before: Apr  4 00:00:00 2015 GMT
    Not After : Apr  4 00:00:00 2025 GMT
So are the extensions checked at startup time for disk integrity issues?

My extensions on FF have not stopped working but I hadn't restarted the browser in that interim

I have to say I was very pleased that the Debian-ESR package a) disables telemetry in the build and b) ESR still allows you to override the extension signing for now...
Is there a little more background to what is happening here? The link is to an ftp, so I have no idea what is broken, fixed or why it matters.
About time. Embarrassing bug. The only reason i didn't permanently swap browser is because of the lack of alternatives since none has the functionality I apply through the addons.
Personally, I've switched to waterfox -which is a fork of an older firefox branch, and it supports addons (at least the ones I use).

I'm pretty happy with it, and I'm strongly considering staying with it even after firefox is fixed.

You'll be several revisions' worth of security patches behind. For an application that is usually one's main means of accessing the rest of the internet, that would be a deal-breaker for me.
But even more security bugs behind.
Possibly, but I'll take the actively-developed codebase with the eyes of security experts all over it over one with no manpower.
In this case, I was more insecure being subjected to advertising networks (and the malware carried on them) because of Firefox's mistake which meant I wasn't able to load ublock origin. I'm also not sure how many of those "security patches" are intended to make my browsing experience safer, or simply meant to implement bizarre policies that might blow up in my face at any time (as this certificate issue has).

It's a trade off.

I assume (and hope) Firefox will eventually get their act together so I can go back to using it, but if not at least I don't have to jump ship to chrome.

It's a bad trade off. Every security related bug Firefox fixes is a how to guide for ruining waterfox users day for anywhere from weeks to years.

This will grow increasingly challenging if the code bases diverge in order to keep old school add-ons working given that waterfox has virtually no man power.

One solution would be to have a dedicated computer which is considered compromised from the start. Don't store importent stuff there, don't do money related activities etc. This way you have a convenient browser for 99% of the time - without stupid restrictions and Mozilla control.

In case of infection, restore from image.

edit: replaced spyware with control.

This is a highly impractical way to live life just to make some stand. It's cutting one's nose to spite one's face.

There are other actively maintained browsers with plenty of eyes on them and manpower behind them, many with vibrant plugin ecosystems, just use one of those.

This "bizarre policy" was software signing, which is in fact a security feature.

I don't understand what "getting their act together" means here, when you're posting it on an announcement that the problem has already been fixed. Should Firefox proactively remove all security features that risk ever posing some modicum of inconvenience to users? Because that would be... all of them.

Firefox could allow people to sign their own add-ons. Let's not pretend that the terms "software signing" and "walled garden" are synonymous.
Okay. Now malware addons are signed, and nothing has been accomplished.
In this scenario, malware add-ons would be signed only for that particular Firefox installation.

Essentially, I am arguing that Firefox should let you create your own signing key pair (which would be valid only on that single Firefox installation) and sign any add-on using it.

It's a large enough hoop that most users would not jump over it, not least because they would not know what they're doing, but it would be there for those who need it and relinquish the central point of failure that is the AMO.

The current situation is basically the Secure Boot fiasco all over again.

>I was more insecure being subjected to advertising networks

>2019

>not running your own ad network blocking DNS

Why even bother?

A 4-channer on HN. A rare sight indeed!
I've been using Waterfox on Windows for awhile along with the new Firefox, but now I am going to replace the Firefox install with Brave. Best of both worlds.
I switched to Chrome before this after Firefox started randomly requiring me to close it out and re-open when switching wifi hotspots too often, and connecting/disconnecting from VPN too often and this was on multiple laptops and fairly recently.
I haven't Switched yet but I fired up my Vivaldi install and have been impressed. A lot of little annoyances that I got used to with the new extension restrictions aren't there because the functionality is built in (like mouse gestures and tabs on left).

I first started using Firefox as my default when I unzipped a version of Phoenix off a CD which came with a computer magazine.

I installed Vivaldi, and moved shortly back to Firefox. The two things that did it:

1. I accidentally saved the wrong password to a site. When I went to fix it, it said I needed to login to my Google account to change my stored password.

Wait, wat?! You are sending my passwords to Google, unencrypted, without telling me?! Thai is not acceptable, aside from - What else are you sending?

1b. I see that it saves non password fields without my asking me to save them, and sending that to Google as well. Hmmmmm.

2. It has twice crashed and lost all my open tabs (yes, I have a tendency to keep many open tabs).

Also, for all I know, they are selling my bank account login. Research into the history of Vivaldi (semi fork of Opera) and its dev team left me unsatisfied who they are and that I can trust them.

It probably sends less data to Google than Chrome (which gets every single page, its contents, how long it was open, etc. but is hardly a contender if you want a browser and not just spyware.

Vivaldi doesn't save passwords using Google. Did you perhaps click on a help link that sent you to a Google support page for Chrome?

I see that if you click the password icon the address bar and click the "Manage passwords" button it opens the default password settings page inherited from Chromium (vivaldi://settings/passwords) which includes a link to a support page for Google Chrome (https://support.google.com/chrome/?p=settings_password), but not all the information on that page is applicable to Vivaldi. In particular, Vivaldi doesn't use Google but rather its own account system for browser sync (which is optional, same as Firefox and Chrome).

That appears to be a bug, since that legacy Chromium password settings page isn't Vivaldi's normal password settings page (vivaldi://settings/privacy/). But it doesn't seem malicious.

Incidentally, the built-in password manager in Vivaldi (as well as in Chrome and other browsers based on Chromium) doesn't let you manually edit an existing password, whether or not you use an account to sync them. You can only update an entry by signing into a site with a new password and confirming the password change if the browser detects it, or deleting the old entry and saving a new one. A limitation compared to Firefox's password manager, though I do appreciate the native ability to generate random passwords in Chromium-based browsers. I hope Firefox and Chrome copy each other in those regards.

I haven't experienced any crashes with Vivaldi, though I don't use it as much as other browsers such as Firefox so perhaps I've just been luckier.

Vivaldi's background seems clear enough: https://en.wikipedia.org/wiki/Vivaldi_(web_browser)

It was founded by Norwegian developers who left the original Opera (either due to switch from the old Opera browser to the new interface, or because the company was sold to Chinese investors). I do wish they were more open with the source code, but anyone who was comfortable with using the original Opera back in the day should be okay with Vivaldi. More so than the current Opera, I think, which I still see many people using due to brand recognition I assume.

I switched to the Dev build[1] with 'xpinstall.signatures.required = false', and now that it's fixed I don't know if I'll go back. There seems to be a bunch of new features in Dev that I assume will arrive in Firefox eventually, but everything else being equal, I think I'll stick with it.

I'll probably turn 'xpinstall.signatures.required' back to true though.

[1] https://www.mozilla.org/en-US/firefox/developer/

Mine says Developer edition beta 16 Version 67.0b16 (64-bit) Last updated = 03May2019.

do I need to make this change? is it in the about:config ? 'xpinstall.signatures.required = false

Yeah, so if you set 'xpinstall.signatures.required = false' in the about:config it'll let you use your extensions, but this is just a workaround.

When a fix is fully rolled out (which should include Developer edition), then you won't need that (and probably should re-enable signature checking).

thanks . I have toggled that in about:config and extensions are back to working. internally, what does this toggle turn off?
It is actually much much faster than Firefox "standard". Might stick with it too!
This is what I run and that fix worked. Are they planning on patching the dev build anytime soon? Doesn't look like there is an update for it. At least one can turn that stupid feature off until there is.
I was already a bit mad at them for removing RSS support and claiming their proprietary service that's built in is an alternative, now their proprietary service keeps working (presumably, I didn't use it but it's not an addon so I doubt it's signed the same way) and I can't use the RSS addon.

I know this was a mistake, but I can't help but be mad that their proprietary built in stuff effectively gets a free pass and special treatment and meanwhile I can't use RSS and all my containers were deleted (those didn't come back after the study was pushed either).

I use containers too. I didn't loose any data after I enabled dev mode and added the extension back. Perhaps you removed the existing extension first and lost data that way?
It's odd - on my laptops, my multi-container settings were preserved, but I opened firefox on my desktop last night and they had vanished. I did not remove any add-ons myself.
Same here.

Only difference is that I restarted the desktop Firefox and also enabled Shield studies to get the temporary fix. On the laptop I just upgraded to 66.0.4 and only then restarted it.

I did not disable or remove the extension, my containers were just all gone after the study was pushed and extensions came back.
To the best of my understanding, here's what happens.

* containers.json is reset to default

* if you have any non-default containers, they are lost

* the underlying data is still in IndexDB (??) but isn't connected to the custom containers that were wiped out

* if you're clever and can read the IndexDB (or wherever the data is, it's moved a few times) then you could probably rebuild your containers.json file

Never hear Mozilla claiming anything about a prioprietary service being an alternative to add-ons. The reason for which built-in RSS support was removed is that it was much crappier than the add-ons available.

Doesn't solve your problems, though :/

Pocket was promoted as the replacement for RSS. Pocket is a closed source SaaS product, despite the fact Mozilla now owns it.
Huh? When was it promoted as a replacement, by whom? It’s not even in the same product category/

RSS aggregates updates to websites without needing to check them. Pocket takes an article you have open in your browser right now and saves a local offline copy on your phone. They’re apples and oranges. Apples and orangutangs, even.

https://www.theverge.com/2018/6/13/17446660/mozilla-firefox-...

This sounds a lot like pushing it as an alternative to RSS to me.

That interview with the Pocket CEO never mentions RSS.

(Disclaimer: I work for Mozilla but not on any functionality related to this)

How odd to construe an attention-grabbing headline for Mozilla's official party line. As another comment said, RSS isn't mentioned once — actually, it is, but it's an advertisement for the Verge's own RSS feed.
You’re being obtuse. At no point does that mention RSS nor describe anything like RSS at all.

If I was not being generous, I’d think you were being intentionally obtuse to justify a preconceived opinion.

But whatever. I work on that very product.

I can't find the link right now (I could swear I commented on the article here, but maybe I'm grepping for the wrong things in my comments), but in one of the blog posts where they announced removing RSS they advertised Pocket as the alternative that was still built in. Their RSS support was pretty terrible, but even so this sort of attitude was infuriating already, and now to see it have a leg up because they get to own the platform and the app just puts me over the edge. Not to mention that I have to dig through like three levels of settings to disable the damn thing and remove it from their stupid cluttered home screen every time something happens to my settings in the mobile version (which is alarmingly often).

I like Mozilla as a company, but I desperately wish there was an alternative sometimes. Anyways, sorry for the rant, I'm done (for now).

LiveMarks really is a fantastic addon to bring back Live Bookmarks functionality. That said, I've always been a fan of native browsers for their inherent advantages. Never felt the desire to use anything else, unless it has significant usability improvements. Phoenix/Firefox was always that browser for me. I usually suggest people use their native browser (Edge/Safari), and if they want an upgrade, to go to Firefox. With all of these recent debacles, it would be hard for me to not suggest the new Chromium-based Edge to Windows users and crossplatform.
This is pretty bad for Firefox. I wonder how much people straight up & left for Chrome as a result of it.
It will be possible to roughly deduct this from the following statistics during the next days/weeks:

https://addons.mozilla.org/en-us/firefox/addon/adblock-plus/...

https://data.firefox.com

Note that these statistics would, presumably, exclude all users who disable telemetry in Firefox. Since many of those outraged at the interruption to addons seem to overlap frequently with those who object to and disable telemetry and studies on principle, their departure over this incident could well have no impact whatsoever on the metrics you linked above.

It must be a nightmare for the Firefox team to have a minority group of quick-to-anger users that refuse to allow themselves to be taken into account by usage metrics, refuse to allow their browser to participate in studies, and then object loudly when decisions are made that discount them.

I doubt this. There are extension update pings, and my guess is that the number of users is deducted from the update pings, but I could be wrong.
“How dare Firefox check for updates from a remote server” is a real thing that’s been said in support of many “privacy” guides that disable all Firefox and addons autoupdates, so I wouldn’t bet the farm either way.
Yea but there is valid reasons for controlling random network access with an iron fist. It's not usual user behaviour but it's one of Firefoxes many niche audiences. Alienating them will just fragment the base. Also remember these vocal niches bring in a lot of family and friends as well.
Who's fault is that, at the end of the day?

Mozilla didn't have to structure their addon system in such a way that their (in)actions could disable the addons of every Firefox user on the planet.

Mozilla did not have to abuse the studies mechanism (also on by default) to ship a workaround.

Mozilla did not have to disable the option that would let me work around this problem by myself (which is going to cause me no end of fun when I get into work tomorrow). If the Firefox team thinks their development concessions are a pain in the ass, try being directly accountable for the repercussions, in the "I will be fired if I don't fix this", not the "I will be talked mean about on the internet if I don't fix this" senses.

Mozilla didn't have to bundle junk like Pocket and the now-scuppered Hello, both of which could have just as easily been addons suggested on first run.

Mozilla didn't have to push promotional addons (the Mr Robot thing) without my express prior consent.

I grow exceedingly weary of this narrative that Firefox is above all reproach and criticism because they produce a web browser.

How about this instead; if Mozilla wishes for its users to respect them, they can start by respecting their users. That means no opt-out telemetry period, no paternalism about what I can and cannot install, or what options I can change, and so forth.

I am beyond sick of this shit. I would love nothing more than a true third option for browsers right now. Firefox hates its users, Chrome sees them as cattle - what's left? I have to use one of the two and take ridiculous steps to cover my own interests, because neither of these companies have them in mind.

"Opt-out telemetry" creates precisely the scenario I describe, where the users who care most are least visible to Mozilla, at which point their needs would go unconsidered; no one knows they exist, how many of them there are, or why they're opting out. This remains true regardless of why, which negates your entire list of issues, replacing them with a simple question that is very difficult to answer:

How could Mozilla respect the needs of users who opt-out of Mozilla knowing they, and their needs, exist at all?

How could any creator of anything?

If you can't identify who your users are, you can't ask them questions, and you can't tell if they're "vocal 0.001%" or "vocal 40%" of your userbase — then what consideration could you give, as a software developer, for their needs?

You can refuse to change, and simply always offer the one thing you offer, and accept that you're the best option for a minority of users over time. You can continue developing to your own needs, and let them stay or go as they see fit. You can try to read the tea leaves of internet forum posts, but that comes with a huge penalty to significance. You can try new things and try to tell from the howls of outrage whether it's a wording error or a direction error or simply "change is bad, I hate you all".

Opting out is not free. Opting out comes at a price to you. Your needs will be less likely to be considered, and your solutions may change in ways that are not to your liking. You have every right to opt out, but is the price of that acceptable to you?

ps. If you can solve how to let users of something influence its creator in a fair and just manner, such that all users have equal influence, while opting out of being known to that creator to exist at all, you will be a billionaire within five years.

In the old days, and today in every other industry but tech, if you want to understand your customers you survey them, do focus groups and listen to unsolicited feedback.
>If you can't identify who your users are, you can't ask them questions, and you can't tell if they're "vocal 0.001%" or "vocal 40%" of your userbase — then what consideration could you give, as a software developer, for their needs?

I'd ask for feedback, and when that feedback is given freely, even when unsolicited, I'd take it on board and act accordingly. I would ask if people want to participate in "telemetry" and "studies", not assume they do without affirmative prior consent.

Mozilla is breathtakingly bad at this. They're about as responsive to feedback as GNOME/Freedesktop.

I most certainly would not put spyware in the product and turn it on without asking first. I'd most certainly never get myself into a situation where an oversight can simultaneously break every copy of my software ever deployed.

This idea that you require all copies of your software to phone home to make effective development decisions is bunk. We got along just fine without that garbage for decades.

> "Opt-out telemetry" creates precisely the scenario I describe, where ... no one knows ... why they're opting out.

Telemetry doesn't tell you why users do anything. They would have to ask, which doesn't require telemetry. There used to be a form for submitting feedback.

> How could Mozilla respect the needs of users who opt-out of Mozilla knowing they, and their needs, exist at all?

Because of the values and principles that Mozilla used to share with its users, the principles that underpinned the first implemenation of Firefox Sync and were completely abandoned in the current implementation.

I trusted Mozilla because they didn't require our trust. They understood this principle and designed their systems in accordance with it.

> How could Mozilla respect the needs of users who opt-out of Mozilla knowing they, and their needs, exist at all?

How about surveys or well, common sense?

I'm a tech oriented person who cares about privacy. I want software that is lightweight, configurable, with sensible defaults. For any features besides the basic functionality (in this case: browsing the web), I don't want to opt-out, I want to opt-in.

Privacy oriented means for me that the software I use doesn't send one bit of data that isn't necessary for its basic functionality. I use a "dumb phone" because of this. I never understood how anybody can think telemetry and privacy can co-exist.

I want a Firefox without Pocket, Send, Screenshot Tools, Sync, Clickz, any cloud based service. I only want a fast, lightweight browser that doesn't send any unnecessary data anywhere without me explicitly configuring it. That's a sensible default for me, really. Software used to be like that.

I'd also like to configure when my software looks for updates. My Linux distro let's me do that.

And it would be awesome if all other functionality (like Send/Sync/Pocket, etc.) is available via optional plugins, or in another "full-featured" version of Firefox. The deluxe edition or whatever.

I believe I'm not alone with these ideas about software. In discussions about Firefox these things always come up. There are github projects [1,2] with 1600 and 1200 stars about hardening Firefox. People care about privacy. It's not hard to find this part of the userbase.

The idea that you can't create software for your users without telemetry, is what leads Mozilla to disregard their privacy oriented users in the first place. It's depressing.

And even if I allowed telemetry on my system Mozilla wouldn't learn anything about what I wrote here. It's useless.

1: https://github.com/pyllyukko/user.js/ 2: https://github.com/ghacksuserjs/ghacks-user.js

A brief search of "site:blog.mozilla.org inurl:2019 survey" shows a bunch of results, and even more for inurl:2018. Have you signed up to receive unsolicited email from Mozilla in any venue? If you've opted-out, then you may be experiencing observer bias.
>no one knows they exist, how many of them there are, or why they're opting out //

They're burning half-a-billion a year of Google's money, they can afford to have an intern run filters to capture stories on HN, reddit, slashdot, ... amalgamate the main points and make them available as part of the user feedback.

Presumably many of the devs at Mozilla have been using it for the last 15 years too and also value a privacy-centric advertising-lite web.

So you're going to complain about the software breaking and also complain about them pushing a hotfix for it?

This whole situation isn't ideal but it's absurd to me that people are upset about hotfixes for a bug that they found extremely inconvenient. Do you like the bug or not? The option to turn off the system they used for hotfixes is right there in the privacy settings and they even show you what it's currently being used for (and what it was used for in the past). Like it or not, as far as I know every major browser (maybe not Safari?) is doing the exact same thing except they're less transparent about it.

I have literally no idea how to identify what experiments and rollout flags are quietly turned on for my install of Chrome and not for other people because it's not documented anywhere. At least in Firefox the option is right there and so is info on what the option does.

"No opt-out telemetry" is a great idea that doesn't function in the real world. If you ship online-connected software with 1m+ users that doesn't have a way to deploy hotfixes or a killswitch for dangerous features or basic telemetry, that is incredible negligence because all it takes is a single bug or a single unanticipated act by a third party and you're DDoSing someone or causing other kinds of mayhem. I'm quite serious. This is why most vendors operating at Mozilla's scale have the same set of tools at their disposal, even if they don't tell you about it. You cannot deploy large-scale connected software in the real world without doing this. It's one thing to go 'Word shouldn't have any telemetry' (okay, sure) and another to go 'this app that connects to thousands of servers, is left open all the time, and runs remote code should not have any telemetry or automatic update mechanism'. The latter is naive on the level of 'just don't write any bugs and your software won't need updates'.

So you're going to complain about the software breaking and also complain about them pushing a hotfix for it?

The right way to do this is to push a new release, which they've done. The absolutely wrong way to do this is to silently push a fix through a back door that's open by default and rightly shouldn't exist in the first place.

Yes, you can do things more efficiently when you ignore the rules and subvert reasonable expectations. Generally though, society takes a dim view of this.

>If you ship online-connected software with 1m+ users that doesn't have a way to deploy hotfixes ..

That way is checking for updates, and then asking me if I want to install them. Most software does this and it works fine. There are no privacy implications for hitting an API for a number and checking locally if it's higher than a number I have. All clean, all above-board.

That way is emphatically NOT playing like a sneak and making changes silently and remotely without asking me about it first. I don't care what you think your good reason is, you don't have the ethical/moral right to make changes on my property without that affirmative consent.

If you want a browser that never changes anything, doesn't know what its users use it for, and has no opinions on what kinds of plugins you install...

Might I interest you in Internet Explorer 6?

If Mozilla has you that angry, I can't imagine what you must go through every time you interact with any other company. Your points are not completely invalid (most of them anyway) but you might want to rethink where you spend your time ranting in some fury, encouraging people to move away from the only open browser with any sort of market share in favor of our new monopolist. Firefox is not beyond criticism but I think they get plenty of it already for all the good they do compared to everyone else, and a mad fury like this might be better spent contributing to the project.
Mozilla does not "hate" its users. This comment is way too emotional and dogmatic. Firefox is not above reproach but the presentation of your message leaves a lot to be desired.
So why do they ignore their feedback at every step? Why do they continue taking anti-user moves seemingly at every opportunity when there's a choice?

If what we see here is how you think Mozilla treats its users well, I'd hate to see what it would take to get you to agree they treat them badly.

I see nothing but naked contempt. YMMV.

What if what you see as “anti-user moves” turned out to be directly beneficial to a thousand times as many people as a few that agree with you?

If you see all instances of someone disagreeing with your ethical and logical judgements as naked contempt, then you will never be able to perceive anyone’s true motivations, in order to argue your case more persuasively and find out whether they understand your views.

Outrage has jumped the shark. Everyone disagrees about everything, which is hard enough to address without declaring “naked contempt” any time a choice is made that isn’t in your favor.

Their departure where? Considering the group in question I can't imagine them wanting to switch to Chromium or Opera.
Where do you see issues with Brave or Vivaldi?
Uses Blink and therefore dependent on Google for security updates.
I left for Chrome in a way via Brave. Brave is based on Chrome minus being owned by the All-Seeing-Eye Company in Mountainview.
I really like brave, but right now FF is still my main. Brave is still needs some features. The whole syncing bookmarks and wallets thing is really annoying. I'm glad the way they devised is secure, and privacy sensitive, but it's still a pain in the ass.
Doesn't using Chromium solve the same issue, as long as you're not signed in to Google?
Probably many, but don't forget that there are many firefox users that never install a single addon.
Which ironically means that the people most affected by this debacle have the most to lose by switching.

Although that also means that firefox managed to piss off it's most loyal group of users. Again.

Or they just lived with it for a few days. They were probably using FF because the addon doesn’t exist for chrome in the first olace
It was also over the weekend.

All it did was cement how much I despise Chrome's inability to sandbox it's network config.

Yay gotta close down all chrome instances to turn a proxy on and off.

Probably fuck all because chrome still has no add-ons on mobile.

People will bitch for a few days then they'll get over it.

This is a shitty screwup but I'm not about to jump ship over it.

I took the opportunity to check out Vivaldi again. Wow. It's so polished compared to Firefox. The downside is I'm now supporting the Chromium monoculture.
(comment deleted)
It's about 10-15% on my app but Firefox users are generally super smart so they provide great feedback.

One thing Firefox ROCKS at is that they support extensions/addons on mobile!

Chrome won't add them on mobile because they don't want adblock there.

I was on the reddit thread when it happened - was super confused as I just updated my firefox and it happened at a very similar time frame so I assumed it was from the update

I personally found the issue trivial, my main addon is ublock origin. There was a workaround using about:debugging and installing UBO on there which worked so it's not like the fix was a long process.

Being committed to a single browser, if anyone was using firefox for as long as me, I can't fathom someone leaving their main browser over something like this. I haven't been using it for THAT long but what if Chrome did something like this too? Then they'd move to another browser that's not FF/Chrome?

I too use only two extensions, uBlock Origin and HTTPS Everywhere and the hotfix pushed by Mozilla re-enabled them within half an hour of disabling. I do sympathise with those who apparently lost the settings of certain addons, notably Container based ones. Fortunately I always found the UX of Containers so clunky that I never bothered.

Sticking with Firefox as an open competition to the browser monopoly is critical now more than ever before.

(comment deleted)
Mozilla fine tuning some of their practices is as critical. These hn threads might give good pointers by concerned, well-meaning users.
> Sticking with Firefox as an open competition to the browser monopoly is critical now more than ever before.

I think this fact cannot be emphasized enough. Or we'll have the 90s monopolized web again: "Optimized for Chrome" - not that there'd be a lack of websites already doing that as of now.

I have been on the tipping edge of switching from FF to another browser for a long time now.

Short-lived bugs such as this one do not annoy me as much as the terrible performance of FF. It is not rare that FF uses 2 cores at full utilization all the time.

I always end up installing a new browser out of anger, but I _always_ come back to FF for its great features that I have become addicted to.

I've switched to Vivaldi on my desktop and Brave on my smartphone. For now. It's been three days and I'm still waiting for an official release with the add-on fix, can't wait forever.
>open ff >lastpass gone >google error messages >please update ff >update >browser works

I'm sorry to break it to you Chrome fanboys but it'll take a lot more than a minor extensions goof up (that was fixed in a day) for me to switch my browser.

>using meme arrows on HN
(comment deleted)
For you, sure.

For all the people that had their browser completely broken for the whole day, without any reason, however…

And your one-day fix, how much time do you think it will take to be deployed on people’s linux system? Probably a few days or more. Probably enough for them to realize that they can just switch to Chrome to have a working browser.

my linux system already had the studies hotfix 24 hours ago
Is the TOR browser update out soon?
What about updating also the beta channel, I am using 67.0b16 and I still think I am affected because, not updates since and all the addons are shown as "ALLOWED IN PRIVATE WINDOWS"
I've been waiting to see this. Just updated from 65.0 to 66.0.3. My addons are still disabled. Tried to install ublock origin, and it's not letting me. I'm getting a "Download failed. Please check your connection."

This is crazy, and I'm really disappointed with Mozilla. I'd leave firefox right now, but I don't want to contribute to the destruction of one of the last good pieces of software not owned by Google.

> Just updated from 65.0 to 66.0.3

The fix is in 66.0.4.

I noticed that after posting. :o EDIT: "gorhill"... I was seriously just on your GitHub account, like 15 minutes ago. I knew I've seen that username before. Thanks for making uBlock Origin!
I installed Opera yesterday. So far so good. Hope others will chime in with more alternatives
opera is now just the chrome engine. I don't think there's any alternative to chrome but firefox now-a-days, as even microsoft gave in and started using chrome's blink engine.
Safari or any Webkit browser maybe? I don't know how far Blink has diverged from Webkit.
Opera is proprietary and it is unclear what kind of telemetry it has.
Switched to Chrome and Brave.
I wish I could switch to something else, but I still trust Mozilla the most.