Bug 299466
Opened 19 years ago
Closed 19 years ago
Poor policy decision: Non-latest version Firefox users banned from browsing extensions/themes.
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
VERIFIED
INVALID
1.0
People
(Reporter: kyzer, Assigned: Bugzilla-alanjstrBugs)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.7) Gecko/20050421 Firefox/1.0.3

This is not a duplicate of bug 294020. That bug deals with the technical chicanery required to get around a stupid policy decision by the Mozilla Foundation and completely avoids discussing the policy itself. Also, that bug (and duplicates of it) are mostly because people really have upgraded to 1.0.4 and the StumbleUpon extension makes it seem they're running 1.0.3. I don't have this problem, I really am running 1.0.3.

This bug is for the policy decision to keep all Firefox users out of Mozilla Update until they've upgraded to the latest Firefox, or pretended to upgrade by setting a bogus User Agent string. This is not bug 294020 because I am perfectly capable of deceiving the scripts of incompetent webmasters who decide "you must have Internet Explorer 6 for this website to function". I am appalled that I now have to do the same thing for the Mozilla Foundation, which is otherwise a fount of goodness in this troubled world.

This is an extreme dissatisfier. While users appreciate being told their software is out of date, and the Mozilla Foundation stresses that they do not support anything except the very latest release of Firefox, users do not necessarily want to upgrade it right there and then. They did not come to the extensions and themes site to be badgered into upgrading their main application. In some cases, they have only come for information and do not intend to install an extension/theme on their outdated Firefox - yet they are denied even the information page. Often, users can't immediately upgrade - administrators have installed the software for them, or centrally installed it. Firefox's strength is that each user can install their own extensions, scripts and themes in their home directory. They can't do that when they're locked out of the entire site!

Also, a number of users rely on their vendors (e.g. Debian or Red Hat) to provide them with binary packages, and would refuse to install the Mozilla Foundation's binaries. These people are antagonised by the Mozilla Foundation's insistence on tying the themes/extensions repository to the latest binary release of the browser. The themes/extensions might not even work on the latest release!

What I desire is for the current "complete lockout" policy upon detecting an outdated Firefox User Agent string to be replaced with a "warn, but allow" policy. Firefox users surfing to addons.mozilla.org should be warned on their first visit that their Firefox is out of date and unsupported, but an "Upgrade later" option should be made available, so they can actually see what they came to see.

Reproducible: Always

Steps to Reproduce:
1. Use any version of Firefox other than the latest.
2. Visit any arbitrary theme/extension link, e.g. https://addons.mozilla.org/extensions/moreinfo.php?id=722

Actual Results:
Confronted with a boneheaded "you must update or we won't let you in" policy. Have to pretend I'm running MSIE before the site will let me in.

Expected Results:
Should be shown a "you should update" page instead, and allowed to see the addons.mozilla.org page that I originally requested upon acknowledging that I realise there's no official support for anything but the latest version.
Allowing Firefox 1.0.3 and older to access Mozilla Update would make an extremely severe security hole in those browsers exploitable, allowing full remote compromise. Blocking older versions of Firefox is done for security reasons only.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Comment 2•19 years ago (Reporter)
Firstly, if you're referring to MFSA2005-42, the problem can be resolved without blocking anyone from the updates site - just send Firefox 1.0.3 users to addons2.mozilla.org or any other URL that isn't literally "addons.mozilla.org". There is no need to permanently block users from the data. If this is the solution to the security problem, it has caused a new problem in its place.

Secondly, please don't close this bug as INVALID. You have given no reasons as to why it's invalid. Be honest and close it as WONTFIX if you simply intend to do nothing about the bug.
(In reply to comment #2)
> Firstly, if you're referring to MFSA2005-42, the problem can be resolved without
> blocking anyone from the updates site - just send Firefox 1.0.3 users to
> addons2.mozilla.org or any other URL that isn't literally
> "addons.mozilla.org". There is no need to permanently block users from the data.
> If this is the solution to the security problem, it has caused a new problem in
> its place.

We considered doing that, but the problem is that as an untrusted site, users would have to manually download and install extensions, which is not something we want to have to support. Additionally, there is a risk that users would whitelist the new domain anyway, thus effectively reopening the hole.

> Secondly, please don't close this bug as INVALID. You have given no reasons as
> to why it's invalid. Be honest and close it as WONTFIX if you simply intend to
> do nothing about the bug.

I marked it as INVALID because I see the policy decision as correct, and not a bug.
Comment 4•19 years ago (Reporter)
(In reply to comment #3)
> We considered doing that, but the problem is that as an untrusted site, users
> would have to manually download and install extensions, which is not something
> we want to have to support. Additionally, there is a risk that users would
> whitelist the new domain anyway, thus effectively reopening the hole.

So users are stuck between a rock and a hard place. Could you at least put some sort of documentation (or a link to documentation) about this decision on the blocking page? Having switched my User Agent to get around the vapid "gotta upgrade! don't matter if you can't, you gotta upgrade!" message, I am now theoretically vulnerable whenever I turn Javascript on. This blocking page does not inform me of this at all, it just says I have to upgrade, which I ignore because I can't do that. The page doesn't say anything about security beyond the glib, canned phrase "In order to keep your computer safe when using the Internet".
"In order to be safe, please do not work around our security measures." Go read bug 294781
Status: RESOLVED → VERIFIED
*** Bug 303290 has been marked as a duplicate of this bug. ***
*** Bug 306111 has been marked as a duplicate of this bug. ***
Comment 9•19 years ago
(In reply to comment #3)
> (In reply to comment #2)
> > instead of blocking anyone from the updates site - just send
> > Firefox 1.0.3 users to addons2.mozilla.org There is no need to
> > permanently block users from the data.
> We considered doing that, but the problem is that as an untrusted site, users
> would have to manually download and install extensions, which is not something
> we want to have to support. Additionally, there is a risk that users would
> whitelist the new domain anyway, thus effectively reopening the hole.

You don't want to support manual download and installation of extensions. Moreover, you don't want users to whitelist any new domain. WHY?? If you think a user can be affected that way, WARN him. No need to block. I can take care of security of my system. Mozilla people don't need to worry. Just let me install (or at least download, or at least view the list) the extensions. I can NOT upgrade firefox because I don't have administrator privileges (or my dialup is too slow and can not download 8.2 MBs). The bottom line is--do not FORCE security, just make people aware.
(In reply to comment #9)
> I can take care of security of my system.

If you're running into this security enforcement, you obviously DON'T take care of your security, because you're running a very out-of-date version of Firefox. This one hole isn't the only hole that was fixed between 1.0.3 and 1.0.6.
Comment 11•19 years ago
(In reply to comment #10)
> (In reply to comment #9)
> > I can take care of security of my system.
>
> If you're running into this security enforcement, you obviously DON'T take care
> of your security, because you're running a very out-of-date version of Firefox.
> This one hole isn't the only hole that was fixed between 1.0.3 and 1.0.6.

You need to read the sentence after the one you quoted, namely:

> I can NOT upgrade firefox because I don't have administrator privileges

Many users, particularly those in corporate environments, DON'T have sysadmin privileges to their systems. And hey, as long as we're reading for understanding today, there's this line:

> The bottom line is--do not FORCE security, just make people aware.

To put that in smaller words: The moz web site is not the cops. Don't try to be the sysadmin. Since several of the developers whose job it is to fix this bug are so oblivious to it, why don't all of us who need it fixed start VOTING on it. I just cast my vote. Let's all go cast ours, till they wake up and correct this gaping flaw.
Comment 12•19 years ago
> Allowing Firefox 1.0.3 and older to access Mozilla Update would make an
> extremely severe security hole in those browsers exploitable, allowing full
> remote compromise. Blocking older versions of Firefox is done for security
> reasons only.

Yet I am able to access the Mozilla Update site just fine with Firefox 1.0.4 on Sun Solaris. MFSA2005-42 makes no mention of the bug being platform-specific. So shouldn't my browser be blocked as well? Or is this only a Windows-specific bug? Additionally, MFSA2005-42 states that the problem also exists in Mozilla Suite 1.7.7. Yet I can get to the themes/extensions pages with Mozilla 1.7.7 also on Sun Solaris.

Additionally:

> If you're running into this security enforcement, you obviously DON'T take
> care of your security, because you're running a very out-of-date version of
> Firefox.

This implies that the latest and greatest Firefox version is always the best. But we all know what happened with Firefox 1.0.5 and various extensions. The fact is, the latest is not always the greatest. A great many people wait for the dust to settle on the latest stuff, before upgrading. Windows XP SP2 is a notable example of some institutions waiting months before they upgraded to SP2. This is a poor policy decision made by programmers and, worst yet, it's poorly implemented.
(In reply to comment #12)
> > Allowing Firefox 1.0.3 and older to access Mozilla Update would make an
> > extremely severe security hole in those browsers exploitable, allowing full
> > remote compromise. Blocking older versions of Firefox is done for security
> > reasons only.
>
> Yet I am able to access the Mozilla Update site just fine with Firefox 1.0.4

We block 1.0.3 and lower - it's a 1.0.3 bug that is the issue here.

> Additionally, MFSA2005-42 states that the problem also exists in Mozilla Suite
> 1.7.7.

The problem of interest is only exploitable if you have something on your whitelist. Firefox whitelists Mozilla Update by default; the Mozilla Suite ships with an empty whitelist and thus can't be exploited.

> This implies that the latest and greatest Firefox version is always the best.
> But we all know what happened with Firefox 1.0.5 and various extensions.

We aren't requiring the latest release - presently we're allowing the most recent 3 versions.

> This a poor policy decision made by programmers and, worst yet, it's poorly
> implemented.

None of your points showed poor implementation, given the issues we chose to address. Please let us know what exactly we missed.
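The gate argued over in this thread is a User-Agent version check: comment 13 says the site blocks Firefox 1.0.3 and lower, allows the most recent three releases, and does not touch browsers that send no Firefox token (the Mozilla Suite gets through, and so does the reporter's MSIE-spoofed UA in comment 0). The following is an added example written for this page, not addons.mozilla.org's own code; the release list and the three-version window are assumptions taken from the versions named in the thread (1.0.3 through 1.0.6), and the UA strings in the tests are the ones quoted in comment 0 plus constructed variants.

```python
import re
from typing import List, Optional, Tuple

# Assumed release history, built only from versions named in this thread.
# With a window of 3, the allowed set is 1.0.4, 1.0.5 and 1.0.6, which matches
# comment 13's "we block 1.0.3 and lower" and "most recent 3 versions".
KNOWN_RELEASES: List[str] = ["1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6"]
ALLOWED_WINDOW = 3

# Only the product token matters for the gate; platform (Windows, Solaris, ...)
# is deliberately not consulted, which is why the Solaris 1.0.4 user in
# comment 12 is let through while a 1.0.3 build on any platform is not.
_FIREFOX_TOKEN = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.3' -> (1, 0, 3); tuples compare the way release numbers do."""
    return tuple(int(part) for part in text.split("."))


def firefox_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Version from a Gecko UA's Firefox/x.y.z token, or None if absent."""
    match = _FIREFOX_TOKEN.search(user_agent)
    return parse_version(match.group(1)) if match else None


def gate(user_agent: str,
         releases: List[str] = KNOWN_RELEASES,
         window: int = ALLOWED_WINDOW) -> Tuple[str, Optional[Tuple[int, ...]]]:
    """Decide whether to serve the page.

    Returns ("allow", version) or ("block", version).  A UA with no
    Firefox token is allowed with version None: the check keys entirely off
    the client-supplied string, so a spoofed MSIE UA passes, as comment 0
    reports.  That is the limitation of any UA-based gate.
    """
    version = firefox_version(user_agent)
    if version is None:
        return "allow", None
    oldest_allowed = sorted(parse_version(r) for r in releases)[-window:][0]
    if version >= oldest_allowed:
        return "allow", version
    return "block", version


if __name__ == "__main__":
    # Constructed sample UAs: the two from comment 0 plus variants.
    samples = [
        "Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.7) Gecko/20050421 Firefox/1.0.3",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4",
        "Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.7) Gecko/20050421",
    ]
    for ua in samples:
        print(gate(ua), "<-", ua)
```

The decision is made purely on the Firefox product token, so the blocked reporter only has to drop or alter that token to get in; the gate mitigates the default-whitelist exposure for users who do not tamper with their UA, and nothing more.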
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard