Closed Bug 1177628 Opened 9 years ago Closed 6 years ago

Automatically detect changed settings from blacklist and suggest reverting

Categories

(Firefox Health Report Graveyard :: Client: Desktop, defect)

Product:
Firefox Health Report Graveyard
Component:
Client: Desktop
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: sawrubh, Assigned: glind)

References

Details

So I noticed that some softwares change various things in the browser like the default home page, newtab page url, default search engine etc. Most of the time, this is without the user's consent or even if it's a consent it was a misleading consent (the user thought he was agreeing to the T&C of the primary software he was installing while he actually agreed to the installation of some adware bundled with that primary software). In addition to that, this happens mostly to people who aren't technically advanced and have more trouble fixing/reverting things to normalcy compared to the more technically advanced who don't fall into this trap itself (of agreeing to install adware).

What I feel is a solution (which Chrome does too) is inform users about the changes to their settings made when they open 'Options' in Firefox and to allow them to revert those changes easily. In addition Firefox could maintain a blacklist of potential changes (like if your newtab url or homepage has been changed to http://shadysite.com then Firefox will inform you that you might have been duped) and allows you to revert it.

Another thing is these adwares create a user.js file in the profile folder, which is read and hence even after resetting the prefs in about:config, the next time Firefox is opened the story is still the same. So that needs to be deleted as well.
Component: General → Untriaged
(In reply to Saurabh Anand [:sawrubh] from comment #0)
> What I feel is a solution (which Chrome does too) is inform users about the
> changes to their settings made when they open 'Options' in Firefox and to
> allow them to revert those changes easily.

This is pretty hard to do reliably, I think. (and might be impossible, in general)

There's no reliable way for Firefox to distinguish between "the user tweaked this thing in their profile" vs. "Some other piece of software tweaked this thing in the user's profile". All of these settings are just stored in configuration files on-disk, and other software can edit those files to make the same changes that would happen if a user made a configuration change in Firefox.

(There could be some tricky things we could do with e.g. having Firefox cryptographically sign the user's configuration file for each edit that it makes (and reject the file if it has an invalid signature), but that would be a huge undertaking, and we'd have to protect the key from other software.)

As mentioned on IRC, we probably need a more concrete proposal here before a Bugzilla bug can be useful.

Maybe think about this a bit more (particularly, how can Firefox tell if a config file has been tweaked by mal/adware), and start a thread on the firefox-dev list? (https://mail.mozilla.org/listinfo/firefox-dev )

Thanks!
I feel your pain Saurabh.  I've added this as a wish on uservoice. I know this is not a devtools issue perse, but we need this issue to gain traction.

https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas/suggestions/8909023-protect-against-compromised-user-js-and-critical-c
1.  I totally agree that this situation is completely terrible.
2.  Feedback so far is awesome.  I am more optimistic that we can we do something here, (and am taking the bug).
3.  Solving this is the endgoal of Firefox Self Repair (https://github.com/mozilla/self-repair-server/).
4.  Thanks for the specific suggestions, which I will consider!

Gregg Lind
(Mozilla User Advocacy)
Assignee: nobody → glind
Component: Untriaged → General
Hi Gregg, we are cleaning up items that are marked as untriaged, I need to find a component for this - thinking Firefox Preferences? Do you have any suggestions that would help.
Thanks!
Component: General → Untriaged
Flags: needinfo?(saurabhanandiit)
See Also: → 966733
See Also: → 912741
Flags: needinfo?(glind)
Kanchan, I think this could live with Self-repair or shield. I don't think we have a component yet.
Flags: needinfo?(glind)
Flags: needinfo?(saurabhanandiit)
Many of the existing bugs live in selfsupport/selfrepair/shield bugs live in "Firefox Health Report :: Client Desktop".
There might be a duplicate in the depencies for the tracking bug 1031506.
Blocks: 1031506
Component: Untriaged → Client: Desktop
Product: Firefox → Firefox Health Report
See https://bugzilla.mozilla.org/show_bug.cgi?id=1497137; component has been deprecated.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Product: Firefox Health Report → Firefox Health Report Graveyard
You need to log in before you can comment on or make changes to this bug.