Bug 721258 - Stop third party add-ons from altering our opt-in screen
Status: RESOLVED WONTFIX
Product: Toolkit
Classification: Components
Component: Add-ons Manager
Version: unspecified
Platform: All All
Importance: -- normal with 5 votes
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-01-25 16:13 PST by Verdi [:verdi]
Modified: 2012-02-25 05:14 PST

Attachments
Ask toolbar tries to get users to opt-in (143.40 KB, image/jpeg), 2012-01-25 16:13 PST, Verdi [:verdi]
Description Verdi [:verdi] 2012-01-25 16:13:32 PST
Created attachment 591649
Ask toolbar tries to get users to opt-in

Now that we make users confirm third-party add-on installs, some add-ons (Ask toolbar in this case) have started hijacking our screen to try to get users to opt-in. We should prevent this. If that's not possible maybe we should block the add-ons that do this.
Comment 1 Dave Townsend [:mossop] 2012-01-25 16:20:58 PST
The only way they could do this is if they already have code running in Firefox, either another add-on or an injected dll perhaps. It'd be interesting to find out what it is in this case but I'm not sure there is anything we can do about it.
Comment 2 Mike Kaply [:mkaply] 2012-02-20 11:43:26 PST
Verdi, please provide additional information.

As Dave said, this is not possible unless another addon was installed.

What other add-ons did you have installed?
Comment 3 Asa Dotzler [:asa] 2012-02-20 11:48:54 PST
Could it be that they had a Windows app inject a dll into Firefox to bypass our prompt and replace it with their own "more usable" prompt?
Comment 4 Asa Dotzler [:asa] 2012-02-20 11:51:06 PST
(In reply to Asa Dotzler [:asa] from comment #3)
> Could it be that thy had a Windows app inject a dll into Firefox to bypass
> our prompt and replace it with their own "more usable" prompt?

If so, I'd call this badware, blocklist it, and go on a PR offensive against the perpetrators.
Comment 5 Mike Kaply [:mkaply] 2012-02-20 12:04:55 PST
All I have to say is wow. Someone put a lot of thought into this.

This download:

http://sp.ask.com/toolbar/install/web/ask/download.php

is the download.

After the setup runs, it's just as Verdi pointed out.

The way it works is that the ask installer starts an updater.exe that appears to simply monitor firefox.

When it sees that dialog/tab appear, it overlays it with the pointer. It's just a static image.

If you switch to another tab, it hangs around for a second or two.

If you kill updater.exe, the arrow goes away.

There's really not much we can do here. That's kind of the problem with third-party installs. They are executables running on the system. They can do whatever they want. In this case, it's not really even touching firefox. It's just overlaying an image on the window.
Comment 6 Asa Dotzler [:asa] 2012-02-20 13:20:30 PST
(In reply to Michael Kaply (mkaply) from comment #5)

> There's really not much we can do here. That's kind of the problem with
> third-party installs. They are executables running on the system. They can
> do whatever they want. In this case, it's not really even touching firefox.
> It's just overlaying an image on the window.

There's a lot we can do. We can have a policy that describes what we consider OK and not OK and when someone violates it, we can blocklist their extension. If they attempt to route around our user controls, they should be labeled as malware and we should mount an aggressive public campaign to destroy the reputation of the add-on and the company making the add-on.

In this case, I don't think they're doing anything terrible.  Users are getting a slightly stronger push in the 'yes' direction, but it doesn't seem overly aggressive to me.
Comment 7 Mike Kaply [:mkaply] 2012-02-20 13:26:37 PST
Sorry, I wasn't clear.

When I said "There's really not much we can do here." I was making a purely technical statement.

There's nothing Firefox can do to prevent an external application from doing something like this.

Obviously we can publicly humiliate whoever does it. That's always possible.
Comment 8 Mike Kaply [:mkaply] 2012-02-20 13:36:52 PST
I propose that this bug is "WONTFIX" because we can't prevent an external application from overlaying our dialogs.
Comment 9 Justin Scott [:fligtar] 2012-02-20 14:07:53 PST
Ask.com discussed this dialog with us several months ago. Kev and I were both busy at the time, and I think Kev may have had a call with them, so I'm not sure if I know the latest.

But they tried very hard to make it clear the arrow is not from Firefox and not to tamper with the actual flow. I much prefer this to them altering their install flow to bypass the screen entirely.
Comment 10 Kev Needham [:kev] 2012-02-20 16:33:13 PST
The updater also updates the toolbar independently from Firefox's updater system, and has the added function of watching for windows on win32/64 systems with a specific title and applying an overlay with an image to help improve install conversions when it detects that window. The installer does inform the user of the changes it will make on install and, as comment #9 states, I'd much rather it follows our guidelines versus doing something to subvert them entirely.

The bigger question I have around this kind of thing is whether or not users are making a choice vs. being opted out. Do we think the UI for the third party addon opt-in is sufficient? Clearly Ask doesn't, and I have heard the same from a number of development orgs. Is there more we can do to help users make an informed choice?
Comment 11 Mike Kaply [:mkaply] 2012-02-20 18:17:45 PST
I'll repeat what I said in the other bug because it is relevant in this discussion:

The problem with the way it works today is that it assumes that for all third-party add-ons, the user did not give consent. When you choose to download and install the Ask toolbar and run their EXE, for instance, you are giving consent. It doesn't make sense that Firefox then says "are you sure you want to give consent"

There really should be a better way to say to Firefox "the user said this was OK"

We assume all third-party add-ons were maliciously installed.
Comment 12 :Gijs Kruitbosch (Gone July 28 - Aug 11) 2012-02-20 22:23:10 PST
(In reply to Michael Kaply (mkaply) from comment #11)
> I'll repeat what I said in the other bug because it is relevant in this
> discussion:
> 
> The problem with the way it works today is that it assumes that for all
> third-party add-ons, the user did not give consent. When you choose to
> download and install the Ask toolbar and run their EXE, for instance, you
> are giving consent. It doesn't make sense that Firefox then says "are you
> sure you want to give consent"
> 
> There really should be a better way to say to Firefox "the user said this
> was OK"
> 
> We assume all third-party add-ons were maliciously installed.

But from the other side: why are they not using an XPI like 'normal people'? Then they wouldn't be confronted with this UI, either...

AIUI, the UI is meant for tools which have an add-on as *part* of their (')functionality('), and ship one without informing the user (eg. antivirus tools). If this is *just* an Ask toolbar, why do they need to install as an external user rather than just shipping only the add-on (either on AMO or by rolling their own update.rdf system etc.)?
Comment 13 Mike Kaply [:mkaply] 2012-02-21 05:26:45 PST
> AIUI, the UI is meant for tools which have an add-on as *part* of their (')functionality('), and ship one without informing the user (eg. antivirus tools).

That's your opinion. The documentation:

https://developer.mozilla.org/en/Adding_Extensions_using_the_Windows_Registry

certainly has never said that. As a matter of fact, that documentation encourages the third-party mechanism.

> But from the other side: why are they not using an XPI like 'normal people'?

Why doesn't Mozilla use EXEs and installers like 'normal people' (at least on Windows)?


My guess is because they would rather provide one executable and allow users to uninstall via the Window Control Panel which is a mechanism that users already know.

And they would rather update via mechanisms they already have in place instead of having to invent new ones.
Comment 14 :Gijs Kruitbosch (Gone July 28 - Aug 11) 2012-02-21 06:21:45 PST
(In reply to Michael Kaply (mkaply) from comment #13)
> > AIUI, the UI is meant for tools which have an add-on as *part* of their (')functionality('), and ship one without informing the user (eg. antivirus tools).
> 
> That's your opinion.

It is my understanding of the consensus when this UI was designed and related decisions were taken. I don't think this bug is the right place for a discussion about it (you mentioned another bug in comment #11 - which bug?), and it is a side-show in the end.

Right now, I don't understand why/whether the solution that Ask chose is acceptable, or under what circumstances it would be for other add-ons. On AMO, updating your add-on to include advertisement or handle user data without a clear opt-in/opt-out is considered 'bad'. This is, IMHO, worse. So, I figured there must have been a reason for it to be allowed. :-)

(In reply to Justin Scott [:fligtar] from comment #9)
> I much prefer this to them altering
> their install flow to bypass the screen entirely.

Did they mention why they couldn't use an XPI (on AMO)? What other alternatives did they/you consider that were worse? Could they switch to using AMO now the review situation is much better (assuming it had anything to do with that...)?
Comment 15 Verdi [:verdi] 2012-02-21 08:55:30 PST
(In reply to Justin Scott [:fligtar] from comment #9)
> But they tried very hard to make it clear the arrow is not from Firefox and
> not to tamper with the actual flow. I much prefer this to them altering
> their install flow to bypass the screen entirely.

I don't think it's at all clear that the arrow is not coming from Firefox (this is why ads disguised as dialog boxes work). Also, I don't think we should be thankful that they aren't doing something worse. This kind of stuff kills the Firefox user experience - look at our support forum http://mzl.la/xCdIya Ask, in particular, is known for this kind of stuff http://en.wikipedia.org/wiki/Ask.com#Ask_Toolbar_browser_add-on_controversy

Here's a video I made http://people.mozilla.org/~mverdi/video/ask.webm where I install some software that bundles the ask toolbar. You can see how ask hijacks the process. What's more, when I decide to uninstall everything, my ask home page and ask search are left behind. Of course I can get rid of those but most people can't (it's one of our biggest questions on SUMO - resetting home page and search). And after all of that, I discovered that my location bar search was messed with and I can't figure out how to fix it. I had to create a new profile to "fix" that.
Comment 16 Mike Kaply [:mkaply] 2012-02-21 09:32:11 PST
Verdi:

No about:config preference was changed. Firefox was changed a few releases ago such that keyword searches (url bar searches) use your default search engine (which makes sense).

So when you had ask installed, it went to ask. When you removed ask, it went back to google.

The preference is keyword.URL if you want to check that and make sure.


I don't disagree that what ask does is spammy. You probably also didn't notice that when you install the ask EXE, it puts the ask toolbar in chrome, Firefox and IE all at the same time.

What I'm saying is there really isn't much we can do to control an external application from doing what ask is doing.
Comment 17 Mike Kaply [:mkaply] 2012-02-21 09:36:27 PST
Gijs: 

The other bug is 728227

The third-party UI sucks. Plain and simple. Look at IE for how to do it correctly. Firefox uses a double opt-in and a restart. It discourages people from enabling the add-on. Period.


As far as putting your stuff on AMO, as I pointed out, AMO doesn't allow click through licenses. So everything has to be opt-in. You can have your opinion on whether that is right or wrong, but for something like Ask, they'd rather use a click through license and make the changes upon install. That's their right.

AMO is simply not the right distribution point for any add-on that wants to use Search or any other mechanism for revenue. That's why a lot of people distribute off AMO.

If Mozilla had simply provided the add-on marketplace they promised 2 1/2 years ago, maybe we wouldn't be having this discussion :)
Comment 18 Mike Kaply [:mkaply] 2012-02-21 09:45:31 PST
And another random thought for you.

Firefox provides no way to add an engine silently via the addEngine API and NOT make it the default (yes, you can use addEngineWithDetails but that is a different beast).

https://bugzilla.mozilla.org/show_bug.cgi?id=493051

So even if an add-on wanted to be nice, Firefox makes it hard.
Comment 19 Verdi [:verdi] 2012-02-21 11:03:36 PST
(In reply to Michael Kaply (mkaply) from comment #16)
> Verdi:
> 
> No about:config preference was changed. Firefox was changed a few releases
> ago such that keyword searches (url bar searches) use your default search
> engine (which makes sense).
> 
> So when you had ask installed, it went to ask. When you removed ask, it went
> back to google.
> 
> The preference is keyword.URL if you want to check that and make sure.

I'm clear about that. What they changed is that searching from the location bar now uses the old (Firefox 3.6) behavior - domain guessing. It takes you to a best guess url or performs a search if it can't guess. The weird thing is, about:config seems to be correct (for modern Firefox). So, if I look at keyword.enabled I find that it's set to the default which is true. Domain guessing is only supposed to be enabled if this is set to false (try it out). On this profile, after uninstalling ask, domain guessing happens even though keyword.enabled is set to the default. I'd love to know how to fix that. In the video I could only fix it by creating a new profile.
Comment 20 Mike Kaply [:mkaply] 2012-02-21 11:19:00 PST
I'm still researching, but for the record, Ask at least doesn't do the typical third-party thing. They install their toolbar as an add-on into the user's profile.

so it can be uninstalled and disabled.
Comment 21 Mike Kaply [:mkaply] 2012-02-21 11:28:22 PST
So the reason you were seeing domain guessing is because of the keywords you chose.

If you type in firefox, tries firefox, it fails, then tries www.firefox.com and it redirects to http://www.mozilla.org/en-US/firefox/fx/

This is the browser fixup code which is different than the keyword enabled stuff.

That had nothing to do with Ask.

Ask does hork things up, I agree and when you uninstall it leaves a lot of crap behind.

But to be blunt, that's how you make money with this stuff. Firefox is making money the same way (via search). Other companies look for ways to get a piece of that same pie.
Comment 22 Asa Dotzler [:asa] 2012-02-21 11:34:13 PST
(In reply to Michael Kaply (mkaply) from comment #21)
> Ask does hork things up, I agree and when you uninstall it leaves a lot of
> crap behind.
> 
> But to be blunt, that's how you make money with this stuff. Firefox is
> making money the same way (via search). Other companies looks for ways to
> get a piece of that same pie.

And that is unacceptable. Horking Firefox users so you can make money is not a right. No one is owed the ability to screw up Firefox users. I appreciate that you and others want to make money by attaching yourselves to Firefox. I'm not anti-commercial here. I am anti-hork Firefox users and shrug it off as "that's how the game is played". As I said, no third party has any right to be integrated into Firefox. It's a privilege. If it's abused, we can and should revoke it.
Comment 23 Verdi [:verdi] 2012-02-21 11:41:23 PST
(In reply to Michael Kaply (mkaply) from comment #21)
> So the reason you were seeing domain guessing is because of the keywords you
> chose.
> 
> If you type in firefox, tries firefox, it fails, then tries www.firefox.com
> and it redirects to http://www.mozilla.org/en-US/firefox/fx/
> 
> This is the browser fixup code which is different than the keyword enabled
> stuff.
> 
> That had nothing to do with Ask.
> 
> Ask does hork things up, I agree and when you uninstall it leaves a lot of
> crap behind.
> 
> But to be blunt, that's how you make money with this stuff. Firefox is
> making money the same way (via search). Other companies looks for ways to
> get a piece of that same pie.

The way I understand it (and the way our sumo article explains it http://support.mozilla.org/kb/Location+bar+search ) browser.fixup.alternate.enabled is the "Domain guessing" preference that I talked about. It's only supposed to work if keyword.enabled is set to false. After installing ask keyword.enabled was still set to true (the default) yet Firefox behaved as if it was set to true thereby turning on domain guessing.
Comment 24 Mike Kaply [:mkaply] 2012-02-21 11:45:50 PST
Asa:

A big part of this is that Firefox continues to fail at giving users the ability to fix things.

keyword.URL has never been exposed via prefs panel, so it horks people miserably and is the source of a ton of support issues.


And I agree with you. I don't like what Ask does per se. The fact that it installed an add-on in all three of my browsers was unbelievable.

But let's be clear. Users can choose to opt out at install:

http://sp.ask.com/toolbar/install/web/ask/download.php

There are two checkboxes:

Make Ask.com my browser
default search provider
Set my home page to Ask.com

And there is a EULA that is agreed to.

So they are perfectly within their rights to leave the homepage and the search engine behind.
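Comment 13 links the registry mechanism used to side-load the add-on, and comments 16 through 24 go over the preferences such an install leaves behind (keyword.URL, which the preferences panel never exposes, keyword.enabled, the home page and the default search engine). The Python below is an added example for triaging a profile after such an install; it is not code from the bug, from Mozilla or from the toolbar. parse_prefs_js reads the user_pref("name", value); lines of a profile's prefs.js, audit_prefs flags the preferences named in the thread, and registry_extensions lists the add-on IDs registered under the Software\Mozilla\Firefox\Extensions keys (Windows only). The prefs.js fragment is constructed for the example; search.hijack.example and the trusted-host set are assumptions.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Union
from urllib.parse import urlparse

PrefValue = Union[str, int, bool]
# One prefs.js line: user_pref("name", value); where value is a quoted string, an int or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

def _decode(raw: str) -> PrefValue:
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \" and \\ escaping
    return int(raw)

def parse_prefs_js(text: str) -> Dict[str, PrefValue]:
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs

@dataclass
class Finding:
    pref: str
    value: PrefValue
    reason: str

# Hosts the profile owner expects home-page traffic to go to (assumption for the example).
TRUSTED_HOSTS = {"www.mozilla.org", "start.mozilla.org", "www.google.com"}

def audit_prefs(prefs: Dict[str, PrefValue], trusted_hosts=TRUSTED_HOSTS) -> List[Finding]:
    """Flag the preferences a search/home-page hijack typically leaves behind. prefs.js only
    stores values that something explicitly set, so the presence of keyword.URL or a changed
    default engine is already a signal; the home page is judged by its host."""
    findings: List[Finding] = []
    url = prefs.get("keyword.URL")
    if isinstance(url, str):
        findings.append(Finding("keyword.URL", url,
                                "location-bar keyword searches go to this URL; not shown in the prefs UI"))
    if prefs.get("keyword.enabled") is False:
        findings.append(Finding("keyword.enabled", False,
                                "keyword search off: single words fall through to domain guessing"))
    home = prefs.get("browser.startup.homepage")
    if isinstance(home, str):
        for page in home.split("|"):  # several home pages are stored separated by |
            host = urlparse(page).hostname or ""
            if host not in trusted_hosts:
                findings.append(Finding("browser.startup.homepage", page,
                                        f"home page points at untrusted host {host!r}"))
    engine = prefs.get("browser.search.defaultenginename")
    if isinstance(engine, str):
        findings.append(Finding("browser.search.defaultenginename", engine,
                                "default search engine changed from the build default"))
    return findings

def audit_prefs_text(text: str) -> List[Finding]:
    return audit_prefs(parse_prefs_js(text))

def registry_extensions() -> List[str]:
    """Add-on IDs side-loaded through the registry keys the MDN page in comment 13 documents
    (Windows only; the Wow6432Node path covers 32-bit Firefox on 64-bit Windows)."""
    import winreg
    locations = [(winreg.HKEY_LOCAL_MACHINE, "HKLM", r"SOFTWARE\Mozilla\Firefox\Extensions"),
                 (winreg.HKEY_LOCAL_MACHINE, "HKLM", r"SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions"),
                 (winreg.HKEY_CURRENT_USER, "HKCU", r"SOFTWARE\Mozilla\Firefox\Extensions")]
    found: List[str] = []
    for hive, hive_name, sub in locations:
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
                name, path, _ = winreg.EnumValue(key, i)
                found.append(f"{hive_name}\\{sub}: {name} -> {path}")
    return found

# Constructed prefs.js fragment, not captured from a real profile.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.ask.com/");
user_pref("browser.search.defaultenginename", "Ask.com");
user_pref("keyword.URL", "http://search.hijack.example/web?q=");
user_pref("keyword.enabled", true);
user_pref("browser.startup.page", 1);
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for f in audit_prefs_text(text):
        print(f"{f.pref} = {f.value!r}: {f.reason}")
    if sys.platform == "win32":
        print("\n".join(registry_extensions()) or "no registry-installed extensions")
```

Point it at a profile's prefs.js (python audit.py "%APPDATA%\Mozilla\Firefox\Profiles\xxxx.default\prefs.js") to see what an installer changed; with no argument it audits the constructed sample. A hit on keyword.URL is the one worth acting on first, since nothing in the preferences UI will ever show it.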
Comment 25 Verdi [:verdi] 2012-02-21 11:52:01 PST
(In reply to Michael Kaply (mkaply) from comment #24)

> But let's be clear. Users can choose to optout at install:
> 
> http://sp.ask.com/toolbar/install/web/ask/download.php
> 
> There are two checkboxes:
> 
> Make Ask.com my browser
> default search provider
> Set my home page to Ask.com
> 
> And there is a EULA that is agreed to.
> 
> So they are perfectly within their rights to leave the homepage and the
> search engine behind.

Mike, watch my video http://people.mozilla.org/~mverdi/video/ask.webm  I didn't download Ask. I downloaded Trillian and just hit next during the install (the ask stuff is cleverly snuck in there as opt-out stuff.) Also the Trillian download page http://www.trillian.im/ doesn't say anything about Ask at all.
Comment 26 Mike Kaply [:mkaply] 2012-02-21 12:02:40 PST
Verdi:

I'm sorry, but I don't buy it.

That page of the wizard clearly says "Install the Trillian Toolbar" and it has checkboxes for install, for ask as the default search, and for ask as a search provider.

If you chose to click next without reading the content of the pages, that's your problem.

Bundled software installs have been around since before Firefox even existed. It's not like we're dealing with a new problem here.

<snark on>
Not everyone can be paid millions of dollars by Google. This is how Trillian makes some money to support its software development.
<snark off>
Comment 27 :Gijs Kruitbosch (Gone July 28 - Aug 11) 2012-02-21 12:06:11 PST
(In reply to Michael Kaply (mkaply) from comment #24)
> Asa:
> 
> A big part of this is that Firefox continue to fail at giving users the
> ability to fix things.
> 
> keyword.URL has never been exposed via prefs panel, so it horks people
> miserably and is the source of a ton of support issues.

Now you're saying Firefox should fix what is broken by the add-on. That's just wrong. There are uninstall hooks for add-ons, to the best of my knowledge it's perfectly possible for Ask to clean up its changes, it just doesn't do it.

> <snip>
> But let's be clear. Users can choose to optout at install:
> <snip>
> So they are perfectly within their rights to leave the homepage and the
> search engine behind.

By the same logic, they are also perfectly within their rights to opt-in on install to Firefox, and should be given that choice rather than a giant arrow that looks like it's part of Firefox saying "click me, click me!".

I very much disagree that 'this is how the game is played'. If it were, Firefox would install affiliated search engines into IE, Safari and Chrome, if found on install, to make it get the revenue for those searches. Brilliant idea financially, horrible for user privacy, choice, and quite possibly illegal without that lengthy EULA (and even then...).

-----

I still believe it is important to get to the bottom of what the alternatives are here. Blocklisting is a strong measure, and if we previously told them what they're doing is OK it might not be quite fair. Let's wait for Justin and/or Kev to clarify this.
Comment 28 Mike Kaply [:mkaply] 2012-02-21 12:10:03 PST
> Now you're saying Firefox should fix what is broken by the add-on. That's just wrong. There are uninstall hooks for add-ons, to the best of my knowledge it's perfectly possible for Ask to clean up its changes, it just doesn't do it.

The add-on didn't break it. The Ask toolbar provides an option to take over keyword searches. It's in their preferences. Firefox doesn't provide a way to undo it. Firefox allows you to reset your homepage, your search engines. keyword.URL has always been hidden. This has been a problem since Firefox 1 (and before)

And even if the add-on did the right thing and cleaned up on uninstall, that doesn't always work. If you disable and then uninstall, the add-on uninstall code is not invoked. That's why add-on developers have been asking for uninstall hooks. (which we got with restartless add-ons)

If Firefox had chosen not to go overboard with their third-party opt-in, the arrow would not have been necessary.
Comment 29 :ibai 2012-02-21 12:11:10 PST
But the truth is that users don't read that and we need to protect our users.

We know about a lot of cases where the EULAs are outrageous, users still accept them because nobody reads them...until the press recognizes how bad they are.

Crapware has been around since the beginning and it always has been one of the major issues with Firefox performance. We need to improve the situation. It's not too late.

And to your comment, there are plenty of ways of making money without molesting your users. Trillian could do plenty of stuff (micropayments for instance) instead of hijacking the browser behavior.
Comment 30 Mike Kaply [:mkaply] 2012-02-21 12:19:29 PST
(In reply to Ibai from comment #29)

> Crapware has been around since the beginning and it always has been one of
> the major issues with Firefox performance. We need to improve the situation.
> It's not too late.

Show me the data. You didn't say user experience, you said performance. Besides the McAfee situation (which isn't crapware), where are these crapware add-ons?

> And to your comment, they are plenty of ways of making money without
> molesting your users. Trillian could do plenty of stuff (micropayments for
> instance) instead of hijacking the browser behavior.

They've tried that (look on their site - they offer dollar subscriptions). That doesn't work. You try selling a low price piece of software and see if it works for you.
Comment 31 Verdi [:verdi] 2012-02-21 12:28:07 PST
(In reply to Michael Kaply (mkaply) from comment #26)
> Verdi:
> 
> I'm sorry, but I don't buy it.
> 
> That page of the wizard clearly says "Install the Trillian Toolbar" and it
> has checkboxes for install, for ask as the default search, and for ask as a
> search provider.
> 
> If you chose to click next without reading the content of the pages, that's
> your problem.
> 

Well this is where you and I differ. I don't think it's a user's fault for being fooled by this stuff. It's the software makers who practice this crap who have a "problem." Like I said, the download page doesn't inform the user about Ask. The install wizard is designed to social engineer the user into agreeing to the installation. Even if the user were to read the installation wizard carefully, it doesn't fully explain the consequences of the choice it presents. My job is to look out for our users. Whether that is good for Trillian or Ask is not a concern for me. I'm concerned about the Firefox users that I deal with on a daily basis who continually get screwed by this kind of stuff (again look for yourself http://mzl.la/xCdIya ). This is the reason we decided to change this stuff to begin with Bug 596343, Bug 693743, Bug 693698
Comment 32 Mike Kaply [:mkaply] 2012-02-21 12:33:21 PST
If your job is to protect users from themselves, you have a really big job ahead of you.
Comment 33 Jesse Ruderman 2012-02-21 14:43:38 PST
http://people.mozilla.org/~mverdi/video/ask.webm#t=26 does not make it clear that it is asking to modify Firefox. It sounds like it's offering to add something to Trillian.
Comment 34 Mike Kaply [:mkaply] 2012-02-21 14:46:22 PST
(In reply to Jesse Ruderman from comment #33)
> http://people.mozilla.org/~mverdi/video/ask.webm#t=26 does not make it clear
> that it is asking to modify Firefox. It sounds like it's offering to add
> something to Trillian.

As I pointed out earlier, it installs a toolbar in every browser in your system, Chrome, IE and Firefox.

This definitely could be better worded. It should at least say "browser toolbar".
Comment 35 Tanner Filip [:tanner] 2012-02-21 14:54:44 PST
(In reply to Michael Kaply (mkaply) from comment #32)
> If your job is to protect users from themselves, you have a really big job
> ahead of you.

The problem is, most users will see this, and think that it's Firefox doing it. This can be used maliciously, and even a simple line in the page saying "If something is encouraging you to check this box, you don't have to!" might help. You have to understand that the average web user doesn't know much, if anything about how crapware works, and how to protect themselves against it.

Another solution that might work, if it's checking for about:newaddon?id=toolbar@ask.com is to partially hash the ID of the addon, though it'd simply add another step for the developers of said crapware. My last idea is to use something that generates an ID that matches with the addon's UUID. Think of Google Authenticator, or an RSA SecurID. That has its flaws as well, because it would be pretty difficult, if not impossible to implement.
Comment 36 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-21 14:57:08 PST
(In reply to Tanner Filip [:Tanner] from comment #35)
> Another solution that might work, if it's checking for
> about:newaddon?id=toolbar@ask.com is to partially hash the ID of the addon,
> though it'd simply add another step for the developers of said crapware. My
> last idea is to use something that generates an ID that matches with the
> addon's UUID. Think of Google Authenticator, or an RSA SecurID. That has its
> flaws as well, because it would be pretty difficult, if not impossible to
> implement.

I don't think that'll help, you just key it to about:newaddon?* instead of your specific addon.

I don't think there are any technical steps that we can take here.
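Comments 5 and 10 describe the mechanism (an external updater.exe watching for a browser window with a particular title and floating a static image over it) and comment 36 explains why changing the dialog's identifier would not help. Firefox cannot block this, but a host-side check can spot it. The Python below is an added example written for this page, not code from the bug, from Mozilla or from the toolbar: find_overlays is the detection heuristic, flagging a visible top-level window that belongs to a process other than the browser, carries the WS_EX_TOPMOST or WS_EX_LAYERED extended style (how an image gets floated over another application's window), and has most of its area inside a browser window's rectangle; enumerate_windows_win32 builds the window list with ctypes calls into user32 and kernel32 and only runs on Windows. The sample window list is constructed; updater.exe comes from comment 5, every other name and rectangle is an assumption.

```python
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Win32 extended-style bits and the GetWindowLong index that returns them.
WS_EX_TOPMOST = 0x00000008
WS_EX_LAYERED = 0x00080000
GWL_EXSTYLE = -20
Rect = Tuple[int, int, int, int]  # left, top, right, bottom

@dataclass
class TopWindow:
    hwnd: int
    pid: int
    process: str  # image file name, lower-cased, e.g. "firefox.exe"
    title: str
    exstyle: int
    rect: Rect
    visible: bool

def area(r: Rect) -> int:
    return max(0, r[2] - r[0]) * max(0, r[3] - r[1])

def intersection_area(a: Rect, b: Rect) -> int:
    w = min(a[2], b[2]) - max(a[0], b[0])
    h = min(a[3], b[3]) - max(a[1], b[1])
    return w * h if w > 0 and h > 0 else 0

def find_overlays(windows: List[TopWindow], browser_process: str = "firefox.exe",
                  min_coverage: float = 0.5) -> List[Tuple[TopWindow, TopWindow]]:
    """(overlay, browser_window) pairs: a visible window of another process with the TOPMOST
    or LAYERED style (how an image gets floated over another application) whose area lies at
    least `min_coverage` inside a browser window. The topmost taskbar is outside, so no hit."""
    browser_windows = [w for w in windows if w.visible and w.process == browser_process]
    hits = []
    for w in windows:
        if not w.visible or w.process == browser_process or area(w.rect) == 0:
            continue
        if not (w.exstyle & (WS_EX_TOPMOST | WS_EX_LAYERED)):
            continue
        for b in browser_windows:
            if intersection_area(w.rect, b.rect) / area(w.rect) >= min_coverage:
                hits.append((w, b))
    return hits

def enumerate_windows_win32() -> List[TopWindow]:
    """Collect every top-level window through user32/kernel32 (Windows only)."""
    import ctypes
    from ctypes import wintypes as wt
    user32, kernel32 = ctypes.WinDLL("user32"), ctypes.WinDLL("kernel32")
    EnumWindowsProc = ctypes.WINFUNCTYPE(wt.BOOL, wt.HWND, wt.LPARAM)
    user32.EnumWindows.argtypes = [EnumWindowsProc, wt.LPARAM]
    user32.GetWindowThreadProcessId.argtypes = [wt.HWND, wt.LPDWORD]
    user32.GetWindowRect.argtypes = [wt.HWND, ctypes.POINTER(wt.RECT)]
    user32.GetWindowTextW.argtypes = [wt.HWND, wt.LPWSTR, ctypes.c_int]
    user32.GetWindowLongW.argtypes, user32.GetWindowLongW.restype = [wt.HWND, ctypes.c_int], ctypes.c_long
    user32.IsWindowVisible.argtypes = [wt.HWND]
    kernel32.OpenProcess.argtypes, kernel32.OpenProcess.restype = [wt.DWORD, wt.BOOL, wt.DWORD], wt.HANDLE
    kernel32.QueryFullProcessImageNameW.argtypes = [wt.HANDLE, wt.DWORD, wt.LPWSTR, wt.LPDWORD]
    kernel32.CloseHandle.argtypes = [wt.HANDLE]

    def image_name(pid: int) -> str:
        h = kernel32.OpenProcess(0x1000, False, pid)  # PROCESS_QUERY_LIMITED_INFORMATION
        if not h:
            return "?"
        try:
            buf, size = ctypes.create_unicode_buffer(1024), wt.DWORD(1024)
            ok = kernel32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size))
            return buf.value.rsplit("\\", 1)[-1].lower() if ok else "?"
        finally:
            kernel32.CloseHandle(h)

    found: List[TopWindow] = []

    @EnumWindowsProc
    def callback(hwnd, _lparam):
        pid, rect, title = wt.DWORD(), wt.RECT(), ctypes.create_unicode_buffer(512)
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        user32.GetWindowRect(hwnd, ctypes.byref(rect))
        user32.GetWindowTextW(hwnd, title, 512)
        found.append(TopWindow(int(hwnd or 0), pid.value, image_name(pid.value), title.value,
                               user32.GetWindowLongW(hwnd, GWL_EXSTYLE) & 0xFFFFFFFF,
                               (rect.left, rect.top, rect.right, rect.bottom),
                               bool(user32.IsWindowVisible(hwnd))))
        return True

    user32.EnumWindows(callback, 0)
    return found

# Constructed sample, not a capture: a browser window, a small topmost+layered image window
# from updater.exe drawn over it, the topmost taskbar below it, and an ordinary editor window.
SAMPLE_WINDOWS = [
    TopWindow(0x10, 4242, "firefox.exe", "Mozilla Firefox", 0x100, (100, 100, 1300, 900), True),
    TopWindow(0x20, 5151, "updater.exe", "", WS_EX_TOPMOST | WS_EX_LAYERED, (700, 420, 900, 560), True),
    TopWindow(0x30, 1200, "explorer.exe", "", WS_EX_TOPMOST, (0, 1040, 1920, 1080), True),
    TopWindow(0x40, 3300, "notepad.exe", "Untitled - Notepad", 0x100, (200, 200, 800, 700), True),
]

if __name__ == "__main__":
    windows = enumerate_windows_win32() if sys.platform == "win32" else SAMPLE_WINDOWS
    for o, b in find_overlays(windows):
        print(f"{o.process} (pid {o.pid}) rect={o.rect} floats over {b.process} '{b.title}'")
```

Run it on a Windows host while the overlay is showing to get the owning process and its window rectangle; elsewhere it runs against the constructed sample. Tooltips and notification pop-ups from other processes are topmost as well, so treat a hit as a lead to inspect the owning process (and what it does when the browser window is closed), not as a verdict on its own.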
Comment 37 Blair McBride [:Unfocused] (mostly unavailable, needinfo open, reviews not) 2012-02-21 17:58:05 PST
Indeed, there's nothing we can do to that dialog to make it so 3rd parties can't modify it or overlay an image on it.

I do think we need to make it easier for 3rd parties to do the right thing, though. Gonna ponder that some more, and post to a mailing list - this bug isn't the place for that.
