[GoLUG] If firefox really cared about security

Kyle Terrien kyle at terren.us
Fri Aug 29 02:13:52 EDT 2025


On Thu, Aug 28, 2025 at 10:26:22AM -0500, Barry Fishman wrote:
> 
> On 2025-08-27 23:21:56 -07, Kyle Terrien wrote:
> > Remember that extensions running as first class citizens were
> > Firefox’s selling point.  The sky was the limit, and extension
> > developers added entire new features to Firefox.  That was the one
> > thing Chrome couldn’t do and the primary reason users preferred
> > Firefox over Chrome.
> >
> > With regards to so-called “security” being the intention, remember
> > Thomas Jefferson:
> >
> > “Those who would give up essential liberty to purchase a little
> > temporary safety, deserve neither liberty nor safety.”
> > 	-- Thomas Jefferson
> >
> > Mozilla is paying for their mistakes dearly.  Firefox usage share is
> > below 5%, and once the Google antitrust suit goes through, Mozilla
> > will likely lose its funding.  History will remember Mozilla as a
> > tragic case of a prodigal son losing everything because of hubris.
> 
> A fine example of pipikism.
> 
> I like the part basically saying that letting people play most streaming
> media (which is unfortunately DRM locked) is part of an assault on
> essential liberty.
> 
> There are plenty of choices in the browser world thanks to the fact that
> Mozilla, Google, and even Apple (webkit) release their core code as open
> source.
> 
> I am a long time member of the EFF and FSF, and really think DRM and the
> Digital Millennium Copyright Act (DMCA) was an outrageous perversion of
> human rights and the US constitution.  I still can't see why the fact that
> Mozilla allows the user the choice of enabling it (or not) in their
> browser could somehow be interpreted as a constraint on their users'
> freedom.

I’m not sure if I’m parsing the last sentence correctly, but if you
mean “why is the choice of enabling it or not” a problem, here is an
explanation:

The problem is that in 2013, the world’s second most popular web
browser changed from not supporting EME at all to all of a sudden
supporting it out of the box.  Think about it from the perspective of
a product owner of a legitimate streaming website.  Any strong-armed
suggestion from upper management to use EME could no longer be
countered with “but it will break in Firefox, one of the major web
browsers.”

> Your other points also seem to disregard basic reality.  That somehow
> the security/usability tradeoffs made by Mozilla were "essential
> liberties" vs "temporary safety" rather than what Mozilla considered a
> balance of some nice features that still could be re-implemented with
> code changes rather than plugins, vs major security vulnerabilities.

Of course security and usability is a balance.  With great power (XUL
overlays) comes great responsibility (vouch what you install).

I am referring to the freedom to extend the browser chrome code (at
runtime with droppable extension modules) as an “essential liberty” of
Firefox because it is essential in the philosophical sense.  I.e. if
you were to remove the ability to extend the browser chrome code, then
the browser would cease to be Firefox in the traditional sense.
Without the distinguishing feature of XUL and XUL overlay extensions,
it would just be another free and open source browser.

Think of Emacs.  Suppose no one was allowed to write Emacs packages,
or suppose you need to get permission from Stallman himself to install
a module.  It would be a fiasco because an “essential liberty” of
Emacs is missing.

Obviously, the above happened to Firefox, and Mozilla still tries to
call the new browser “Firefox”.  However, is it really the same
browser it used to be, or is it a Chrome wannabe?  The large number of
users who left it seem to believe it’s the latter.

> Personally I had relied heavily on the old plugin system to get Emacs
> style key bindings in Firefox.  I used Pale Moon for a while, but mostly
> to launch the Conkeror browser.  The security issues eventually got me
> back using Firefox, because UBlock Origin was more important to me, and
> now I use the Edit with Emacs extension when I have a lot of text to put
> in a Web form.  In some sense editing in an Emacs window allows me to
> use the full functionality of Emacs at the expense of some unpleasant
> setup time.

I used one of those extensions too, and I was sad to see Mozilla
decide it was a “security problem” and then demand that both the
browser extension and the text editor talk to each other over HTTP
websockets listening on the loopback adapter.  The architecture went
from “fork/exec emacsclient foo” to “run websockets server in Emacs,
make browser talk to websockets server, and have the browser request
the websockets server to find-file foo”.

Interestingly, while the new architecture reduces the attack surface
of the browser by disallowing fork/exec, it increases the attack
surface of the text editor by requiring the editor to run an HTTP
server.

> As with the DMCA, the Copyright lobby is using European courts to get
> into international law things that they can't pass in the US congress,
> and then push them through via US trade deals.  In this case using
> German courts to charge that UBlock origin is an abridgment of their
> copyrights in that they modify the content of web pages with their
> removal of some of its content (i.e. Ads).
> 
> Maybe this might be a better target of your anger (or at Google who have
> already restricted some of their blocking features in Chrome) than a
> browser that has had trouble staying alive.

That’s very disappointing to hear, and yes, I do get angry if I dwell
on it too much, so I try to not dwell on it.  DMCA is ripe for abuse
and needs to be repealed.  Stallman was right.

The reason I have such antipathy toward the ones in charge of Mozilla
is because while appearing like sheep, inwardly they are ravenous
wolves.  They play their fiddles to convince everyone that they are
the last bulwark of a free/open Internet, and that they are looking
out for their users, and their campaign of seductive lies has worked.

However, at every possible choice, Mozilla management have made the
wrong decisions.  They decided they knew better than their users when
users complained, repeatedly.  They removed the features that
distinguished Firefox from other browsers.  They bent over for the
“Hollyweb”.  They fired their competent leaders and hired political
activists.  They overpaid their CEO (who was a political activist).
They sold out to an advertising company.  The list goes on.

While everyone was distracted by the sleight-of-hand, the truly
nefarious parties silently took over web standards.  Now, we are
cooked because there is no organized resistance to the 1984-esque
totalitarian control that the nefarious parties are about to unleash
upon everyone.

I hope that doesn’t sound out of touch with reality.  It’s already
starting to happen.

With regards to Manifest v3 limiting the ability to block malicious
resources, that is a good demonstration for why things like XUL
overlays should still be around.  If you can’t run your extension as a
first-class citizen in your browser, then your browser’s vendor
ultimately controls what the extension can do.

And that is why Brave Browser has an ad/malware blocker built-in.
No big tech company can limit the size of its lists because it is part
of the browser chrome.

-- 
[*] Kyle Terrien
    Terrenus => from the Earth, to the Cloud
    https://terren.us/

Dilexisti justitiam, et odisti iniquitatem.  -- Psalmus 44:8
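
The loopback WebSocket architecture described in the message above puts the trust decision on the editor-side server, which now has to vet every connection it receives. The sketch below is an added example, not part of the original post and not code from any extension or Emacs package mentioned; the port, the placeholder extension origin and all function names are assumptions.

```python
from ipaddress import ip_address

# Assumed values for illustration; none of them come from the original post.
ALLOWED_ORIGINS = {"moz-extension://00000000-0000-0000-0000-000000000000"}  # placeholder
ALLOWED_HOSTS = {"127.0.0.1:9999", "localhost:9999"}  # hypothetical port


def parse_head(raw: bytes):
    """Split a raw HTTP request head into (request line, lower-cased header dict)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_upgrade(peer_ip: str, raw: bytes):
    """Return (accept, reason) for a WebSocket upgrade reaching the editor-side server."""
    if not ip_address(peer_ip).is_loopback:
        return False, "peer is not loopback"
    request_line, h = parse_head(raw)
    if not request_line.startswith("GET ") or h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # A page that rebinds its DNS name to 127.0.0.1 still sends its own Host header.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # Browsers attach the caller's origin, so an arbitrary web page is
    # distinguishable from the extension.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False, "unexpected Origin"
    # Limitation: a non-browser local process can forge both headers.
    return True, "ok"


def sample_request(origin: str, host: str = "127.0.0.1:9999") -> bytes:
    """Build a constructed upgrade request for the checks above."""
    return (f"GET /edit HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nOrigin: {origin}\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    ext = next(iter(ALLOWED_ORIGINS))
    print(check_upgrade("127.0.0.1", sample_request(ext)))
    print(check_upgrade("127.0.0.1", sample_request("https://example.com")))
    print(check_upgrade("127.0.0.1", sample_request(ext, host="rebind.example:9999")))
```

The header checks only separate the extension from other browser-originated connections; they do not authenticate other local processes.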