[GoLUG] If firefox really cared about security
Kyle Terrien
kyle at terren.us
Thu Aug 28 02:21:56 EDT 2025
On Wed, Aug 27, 2025 at 01:44:15AM -0700, Ron wrote:
> kc-golug at chadwicks.me.uk wrote on 2025-08-20 01:18:
>
> > If firefox really cared about security
>
> When Mozilla changed the way add-ons work for better security, half
> their users set their hair on fire, whined incessantly, and threatened
> to leave for ... Chromium? A less secure fork of Firefox maybe?
>
> Per a Firefox developer's blog:
>
> https://yoric.github.io/post/why-did-mozilla-remove-xul-addons/
>
> > One of the topics that came back a few times was the removal of
> > XUL-based add-ons during the move to Firefox Quantum. I was very
> > surprised to see that, years after it happened, some community members
> > still felt hurt by this choice.
> >
> > I realized that we still haven’t taken the time to explain in-depth why
> > we had no choice but to remove XUL-based add-ons.
>
> So, they made a change to enhance security and speed and got pilloried
> for it. People were still mad years later.

Mozilla got pilloried for their decisions about extensions because
they constantly lie in blog posts like that one.

Mozilla did have a choice. In fact, they had several. However, at
every turn, they ignored their users and sacrificed freedom for
security.

1. Addon system became a walled garden, because “security”.
2. Mozilla banned everything except Chromium-style WebExtensions,
because “security”.

The people who cared enough developed a fork called Pale Moon, which
to this day still allows you to write and install XPCOM and XUL
overlay extensions, and you don’t need to ask Mozilla to
cryptographically sign your extension.

> It's kinda funny to see a bunch of browser developers called clueless
> though. I guess when the peanut gallery knows nothing, everything looks
> simple.

I don’t know much about browser development, but I do know hypocrisy
when I see it.

> From the link above:
>
> > Note: Having read in comments that some users apparently do not care
> > about security, let me add that being secure is a really, really
> > important point for Mozilla and has been since the first day.
> >
> > Firefox developers fight this threat daily by all sorts of means,
> > including code reviews, defensive programming, crash scene
> > investigations, several types of sandboxing, static analysis,
> > memory-safe languages, … Consequently, for Mozilla, if a feature
> > prevents us from achieving great security, we always pick security
> > over features.

Blog author lies again. Mozilla, a company that supposedly campaigns
for a free and open internet, implemented EME DRM in Firefox and
enabled it by default in 2013. Back then, Mozilla engineers used the
same trite refrain to justify their decision: “We had no choice.”
Bullscat! They did have a choice, and they decided to cower in fear
while their users got cheated by large companies who hate them.

With regards to the extension fiasco, Pale Moon has proved “security
versus XUL overlays” is a false dichotomy. Pale Moon regularly fixes
old crufty code, most of which they inherited from Firefox. Take a
look at how many DiD (Defense in Depth) entries there are in the
Release Notes.

https://www.palemoon.org/releasenotes.shtml

(It’s funny how most of the security bugs they fix are from the rapid
API creep of ECMAScript standards, and also the reason web browser
developers (especially small teams like Pale Moon) have trouble
keeping up with web standards is because of the rapid API creep of
ECMAScript standards. Firefox and Chromium are not immune to these
kinds of security bugs either; they are in a constant chase to patch
things. Might the problem be the rapid API creep of ECMAScript
standards?)

Remember that extensions running as first class citizens were
Firefox’s selling point. The sky was the limit, and extension
developers added entire new features to Firefox. That was the one
thing Chrome couldn’t do and the primary reason users preferred
Firefox over Chrome.

With regards to so-called “security” being the intention, remember
Thomas Jefferson:

“Those who would give up essential liberty to purchase a little
temporary safety, deserve neither liberty nor safety.”
-- Thomas Jefferson

Mozilla is paying for their mistakes dearly. Firefox usage share is
below 5%, and once the Google antitrust suit goes through, Mozilla
will likely lose its funding. History will remember Mozilla as a
tragic case of a prodigal son losing everything because of hubris.

--
[*] Kyle Terrien
Terrenus => from the Earth, to the Cloud
https://terren.us/
Dilexisti justitiam, et odisti iniquitatem. -- Psalmus 44:8