Should Mibbit be removed as an IRC handler?
Categories: Firefox :: File Handling, task, P5

| | Tracking | Status |
|---|---|---|
| firefox98 | --- | fixed |

People: Reporter: vandor2012, Assigned: mhoye
Attachments: 3 files, 1 obsolete file
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Steps to reproduce:
Click ircs:// and irc:// links
Actual results:
Goes to Mibbit
Expected results:
Should go to KiwiIRC instead:
- KiwiIRC supports more features than Mibbit
- KiwiIRC has better ssllabs ranking than Mibbit
- Active development and contribution with irc.com, IRCv3, and ircdocs communities
Below is the diff for the file to change the default IRC client from Mibbit to KiwiIRC:
diff old/browser/locales/en-US/chrome/browser-region/region.properties new/browser/locales/en-US/chrome/browser-region/region.properties
19,20c19,20
< gecko.handlerService.schemes.irc.0.name=Mibbit
< gecko.handlerService.schemes.irc.0.uriTemplate=https://www.mibbit.com/?url=%s
gecko.handlerService.schemes.irc.0.name=KiwiIRC
gecko.handlerService.schemes.irc.0.uriTemplate=https://kiwiirc.com/nextclient/#%s
23,24c23,24
< gecko.handlerService.schemes.ircs.0.name=Mibbit
< gecko.handlerService.schemes.ircs.0.uriTemplate=https://www.mibbit.com/?url=%s
gecko.handlerService.schemes.ircs.0.name=KiwiIRC
gecko.handlerService.schemes.ircs.0.uriTemplate=https://kiwiirc.com/nextclient/#%s
Comment 1•6 years ago (Reporter)
Reformatted:
19,20c19,20
< gecko.handlerService.schemes.irc.0.name=Mibbit
< gecko.handlerService.schemes.irc.0.uriTemplate=https://www.mibbit.com/?url=%s
---
> gecko.handlerService.schemes.irc.0.name=KiwiIRC
> gecko.handlerService.schemes.irc.0.uriTemplate=https://kiwiirc.com/nextclient/#%s
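Review bot: The replacement lines reuse index `.0`, so the Mibbit entry for `irc` is overwritten rather than kept next to the new one; if both handlers should be offered, add KiwiIRC under the next free index and leave `schemes.irc.0.*` unchanged. The new `uriTemplate` also places `%s` after `#`, and an IRC URI can itself contain `#` for the channel (as in `irc://irc.freenode.net/#ircv3`), so confirm the client parses the substituted value correctly when it lands in the URL fragment.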
23,24c23,24
< gecko.handlerService.schemes.ircs.0.name=Mibbit
< gecko.handlerService.schemes.ircs.0.uriTemplate=https://www.mibbit.com/?url=%s
---
> gecko.handlerService.schemes.ircs.0.name=KiwiIRC
> gecko.handlerService.schemes.ircs.0.uriTemplate=https://kiwiirc.com/nextclient/#%s
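Review bot: No version value is changed alongside these `ircs` lines (the patch touches only lines 19-20 and 23-24), so profiles that have already loaded the default handler list may never see the new entry; if the file carries a version for the handler list, bump it in the same patch. The diff is also in normal format with no file headers or context lines, so a unified diff would be easier to apply and review.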
Comment 2•6 years ago (Reporter)
Bit of discussion on IRC:
12:26 [LordRyan] prawnsalad: can kiwiirc's URL link mechanism allow for ircs:// and irc:// links passed in the URL?
12:27 [prawnsalad] yup
12:27 [prawnsalad] https://kiwiirc.com/nextclient/#irc://irc.freenode.net/#ircv3
12:27 [KindOna] is nextclient a permanent domain
12:27 [KindOna] might scare off people
12:28 [LordRyan] yeah i'm trying to submit a patch to gecko so i'd like something futureproof
12:28 [prawnsalad] it will always be there, yea. though eventually will auto redirect to /client/ once that old version is removed
12:28 [LordRyan] alright :+1:
12:44 [prawnsalad] LordRyan: if you can add to it, that kiwiirc is open source which is more inline with mozillas own goals too
Comment 3•6 years ago (Reporter)
Also important to note that Mibbit's client has an F in the ssllabs test: https://www.ssllabs.com/ssltest/analyze.html?d=chat.mibbit.com. KiwiIRC got an A.
Comment 4•6 years ago
Can you submit a proper patch using phabricator, or, failing that, attach a unified patch file? Please also adjust the patch to not remove mibbit. By default, clicking a link will open a dialog that prompts the user to make a choice, and I don't see any convincing reason to remove mibbit entirely. Users can make up their own mind.
Comment 5•6 years ago
Also, I suspect you'll need to change the version number to make Firefox actually pick up the changes.
Comment 6•6 years ago (Reporter)
Mibbit has horrible security and the IRC protocol in general isn't that secure when it comes to transmitting passwords, leading to it being a security risk to use the client. I don't think that keeping it included is a good option.
Comment 7•6 years ago
(In reply to vandor2012 from comment #6)
> Mibbit has horrible security
Look, I have no personal knowledge of mibbit's security, but this is pretty clearly [citation needed]. Just an SSL Labs score isn't a very good argument on its own. Furthermore, the best way to fix those types of issues would be to tell mibbit what the problems are, instead of just getting us to remove the entry.
> and the IRC protocol in general isn't that secure when it comes to transmitting passwords, leading to it being a security risk to use the client
I don't understand this argument. It doesn't seem specific to mibbit; if anything it applies to kiwiirc just as much. The web-based client means you're submitting everything over TLS to the operator of the web client, and so you're explicitly trusting them with everything you send, on top of trusting them to use sensible security to send it to the IRC server, which you also implicitly trust because you're connecting to it...
> I don't think that keeping it included is a good option.
Your patch doesn't actually remove it though. Removing items is not straightforward. See my recent patch in bug 1252831 for some ideas on how to actually remove it - though as said, if there are actually serious security concerns with mibbit I suggest you attempt to contact them instead of trying to get us to remove the entry...
Adding entries is pretty easy and I'm happy to review patches to add KiwiIRC. But the bar for removing entries should be higher than "ssl labs doesn't like this website". It's probably easier to do the two things (add KiwiIRC, remove mibbit) in separate bugs.
Comment 8•6 years ago
Looks like Mibbit were involved in their addition in bug 435687, perhaps they'd like to comment on some of the issues raised here.
Comment 9•6 years ago (Reporter)
As of the IRCv3 support table listing here, Mibbit does not support SCRAM-SHA-256 (which makes sense as it's in-browser) which means that passwords are sent, in plaintext, over weak TLS ciphers. From what I've heard from some IRCv3 discussions, the issue has been brought up with Mibbit. I looked on their website for a way to contact them about it and found nothing useful so I can't contact them myself about it.
> I don't understand this argument. It doesn't seem specific to mibbit; if anything it applies to kiwiirc just as much.
That's valid. KiwiIRC does send passwords using the PLAIN mechanism. The difference is, KiwiIRC is less likely to be MITM'd and users are less likely to have their passwords taken.
Additionally, there's more practical issues with using Mibbit
- Many channels on Esper, Mozilla, etc. are banning or requiring registration for Mibbit due to abuse
- This is why the issues about password security are relevant; if a user is required to register, they'll probably use just any password they're accustomed to using, which has the security issues as mentioned above.
- Mibbit is flat out banned on Freenode (12:22 <emerson> LordRyan: you can use me for a reference about freenode banning mibbit)
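The difference between the SASL PLAIN and SCRAM-SHA-256 mechanisms named in comment 9, as an added example that is not part of the bug thread or of either client's code: PLAIN carries the password itself, while SCRAM sends a per-session proof the server checks against a stored verifier. The user name, password, salt and nonces are constructed sample values, and the AuthMessage layout is simplified.

```python
import base64
import hashlib
import hmac

def sasl_plain(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): base64 of NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def read_plain(payload: str) -> str:
    """Password as seen by any party that terminates the TLS session."""
    return base64.b64decode(payload).split(b"\0")[2].decode()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key")

def scram_stored_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Verifier the server stores instead of the password (RFC 5802)."""
    return hashlib.sha256(_client_key(password, salt, iterations)).digest()

def scram_client_proof(password, salt, iterations, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    key = _client_key(password, salt, iterations)
    sig = _hmac(hashlib.sha256(key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(key, sig))

def scram_server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server recovers ClientKey from the proof and checks its hash."""
    sig = _hmac(stored_key, auth_message)
    key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(key).digest(), stored_key)

# Constructed sample values, not taken from any real account or server.
USER, PASSWORD = "alice", "correct horse battery"
SALT, ITERATIONS = b"constructed-salt", 4096

def auth_message(client_nonce: str, server_nonce: str) -> bytes:
    """Simplified AuthMessage; the nonces make every exchange unique."""
    nonce = client_nonce + server_nonce
    salt_b64 = base64.b64encode(SALT).decode()
    return (f"n={USER},r={client_nonce},r={nonce},s={salt_b64},"
            f"i={ITERATIONS},c=biws,r={nonce}").encode()

if __name__ == "__main__":
    print("PLAIN reveals:", read_plain(sasl_plain(USER, PASSWORD)))
    msg = auth_message("cnonce1", "snonce1")
    proof = scram_client_proof(PASSWORD, SALT, ITERATIONS, msg)
    print("SCRAM proof verifies:",
          scram_server_verify(scram_stored_key(PASSWORD, SALT, ITERATIONS), msg, proof))
```

SCRAM protects the hop to the IRC server and what that server stores; a hosted web client that runs the exchange on its own servers still receives whatever the user types into it.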
Comment 10•6 years ago
So, there's two separate issues to decide upon:
a) should Mibbit be retained as an option. If it's widely banned, or there's documented security issues with the current implementation and no indication that they're being fixed, we should remove them as an option. I think this bug is mostly about concerns with Mibbit, so we should focus this bug on the request to remove Mibbit.
b) should we include KiwiIRC? It's been a long time since we've included a new handler, so we don't have a modern policy on inclusion criteria. I think we should have a separate bug on that, where we can evaluate KiwiIRC on its own merits.
Comment 11•6 years ago
Morphing the bugs into two, so that the proposals can be evaluated separately. I'll make this one about the proposed removal since the information presented here was more about that.
Comment 12•5 years ago
Hi All,
My name is Tom and I have recently acquired Mibbit. Just wanted to let you know the site is once again being actively developed. I will be updating the protocols Mibbit uses as soon as I can and will let you know when complete.
Please let me know if you have any questions!
Comment 13•5 years ago (Assignee)
In light of our move to Matrix, I think that there's a new option on the table, and I'm taking this bug.
Comment 14•5 years ago
(In reply to Mike Hoye [:mhoye] from comment #13)
> In light of our move to Matrix, I think that there's a new option on the table, and I'm taking this bug.
Mike, can you elaborate on the status of this issue? :-)
Comment 15•5 years ago (Assignee)
(In reply to :Gijs (he/him) from comment #14)
> Mike, can you elaborate on the status of this issue? :-)
I don't think that Mozilla or Firefox have a significant investment in, or meaningful role to play in, the IRC ecosystem at this point. I also don't believe Mozilla, Firefox or the overall health of the IRC ecosystem are well-served by our endorsing a particular default protocol handler without investing some effort to making sure that handler is well-aligned with our values, mission and quality standards, and don't see a future where we'd be willing to make that investment.
In light of that I intend to remove the IRC default handlers from Firefox shortly.
Comment 16•5 years ago (Assignee)
Comment 17•5 years ago
Hi Mike,
I understand your points. It does seem odd to remove Mibbit as a handler for potentially not being aligned with Mozilla's aims when Yahoo mail + Gmail are the default handlers for email. I think most would agree that Gmail is definitely at odds in several places.
https://en.wikipedia.org/wiki/Gmail#Criticism (Privacy + Automated scanning of email content specifically).
However, I believe it's worth overlooking these points for mailto + irc because having links work is more useful to users than having them not work and it would be a shame to break this...
Incidentally, I can't think of anything Mibbit does that conflicts with Mozilla's goals. It's free for everyone to use and has no unnecessary censorship among other things.
If anyone has issues that need to be improved on my end I am happy to work on them. (The issue that this ticket was opened with was the F grade on SSL labs. Now a B!)
Comment 18•5 years ago (Assignee)
I intended no disrespect to Mibbit there, only to say that we simply haven't the work on our side.
In the patch I proposed above we took the simplest approach possible, and won't modify or remove any users' current default settings; in a practical sense this means that all of the current Firefox user base will still use Mibbit as the default IRC handler, and it will only be new Firefox users or people creating new profiles that will be prompted to choose their IRC client rather than being directed towards Mibbit automatically.
Comment 19•4 years ago
Comment 20•4 years ago
Backed out for causing xpc failures in test_handlerService_store
Backout link: https://hg.mozilla.org/integration/autoland/rev/a68bf71d261cb931ae2796f52e46e95bbfafbd03
Comment 21•4 years ago (Assignee)
Comment 22•4 years ago (Assignee)
Depends on D110703
Comment 23•4 years ago (Assignee)
Comment 24•4 years ago
Comment 25•4 years ago
bugherder
Comment 26•3 years ago
This will be done in the removal of region.properties
Comment 27•3 years ago
Your patch in bug 1733497 doesn't actually remove mibbit (or yahoo mail...) for existing profiles. Do we want to do that or not?
Comment 28•3 years ago
No, we aren't removing anything for existing profiles. That was a deliberate decision, especially for yahoo mail.