Closed Bug 965812 Opened 10 years ago Closed 9 years ago

RFE an "About plugincheck" page, visible from plugincheck

Categories

(Websites :: plugins.mozilla.org, defect, P3)

x86_64
Windows 7
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1121456

People

(Reporter: dj.4bug, Assigned: espressive)


Plugincheck is a wonderful service, I use it daily.

https://www.mozilla.org/%LOCALE%/plugincheck/

The US version of 'plugincheck' is at https://www.mozilla.org/en-US/plugincheck/

RFE
Please provide information about:
A. The scope of the 'plugincheck service' (which browsers, which Operating Systems).
B. A list of the 'actual plugins that are being assessed / tested'.

In the 'new plugincheck service' there will be no "Unknown Plugins". This may lead to a false sense of security if users assume that 'all the plugins have been tested'.

I suggest that there could be an "About plugincheck" page, visible from plugincheck, that would give this information (or links to it).


Introduction
At the moment the plugincheck website has JavaScript that uses enumeration to discover the 'visiting browser's plugins'.
These 'discovered plugins' are then checked against a database to see if they are up to date.
If a 'discovered plugin' is 'not in the database' then it is listed under "Unknown Plugins".
If it is out of date, warnings are given etc - all VERY useful.

From Firefox 28+ enumeration will not be used.

See
"disallow enumeration of navigator.plugins"
bug 757726
This is the code that cloaks plugins, see [1] below, in 28+.  This breaks the 'plugincheck' web site.

There are two bugs open to update the 'plugincheck service':

"Fix plugincheck to not use plugin enumeration" 
bug 938885
This is the bug to 'do the plugincheck without using the enumeration', i.e. to 'fix plugincheck web site'.


"Publish JSON list of all plugins for use on /plugincheck"
bug 956905
This is the bug to 'get the database server to produce a list(s) of known plugins (with their versions)' for the 'plugincheck web site' to use. I envisage that there may be several lists: one for each OS & browser combination, e.g. Windows & IE, Mac & Firefox, Linux & Firefox etc.

Instead of enumerating the 'visiting browser's plugins', the new 'plugincheck web site' will now 'go through the appropriate list (from the JSON)' of plugins, one by one, and see if it is installed and, if it is, if it is up to date.

So, there will no longer be any "Unknown Plugins" - the service will be 'driven by the list'.

Apparently there is a human-readable list of the 'plugins that are tracked in the database', IIUC, available at:
https://plugins.mozilla.org/en-us
However, this requires an LDAP login (so I've not seen it).

Scope see
"Plugin Check for Everyone"
by Johnathan Nightingale
11 May 2010
http://blog.mozilla.org/security/2010/05/11/plugin-check-for-everyone/

I also note, in passing,
"... Our Plugin Directory will eventually become the main way we keep our data about plugins up-to-date. ..."
The link to "Plugin Directory", https://plugins.mozilla.org/en-us
also requires an LDAP login.

Is this still the best scope? - has it widened (or narrowed) since May 2010?
Which browsers are you able to assess at plugincheck?
For example, is Opera in scope? See bug 875058
Which Operating Systems are you supporting?

DJ-Leith

PS, two examples:

Example 1 - Scope

Using Internet Explorer (on 30 January 2014) and
http://www.mozilla.org/en-US/plugincheck/

I am told "... support for Internet Explorer is limited. ..." and that

"Shockwave Flash 12.0.0.38" is "vulnerable"

However, 
http://www.adobe.com/software/flash/about/
confirms that "12.0.0.38" is the best version for IE.

The best version for Firefox (since 14 January 2014) has been "12.0.0.43".


Example 2 - "Unknown Plugins"

Using Firefox 26 and
https://www.mozilla.org/en-US/plugincheck/
"Google Update" is "unknown"

I have also seen, on another PC, a Plugin from a Canon Camera (a DLL) that is "unknown".
Knowing that they 'have not been assessed' is useful.


References:

[1] Background

"Cloaking plugin names to limit browser fingerprinting in Firefox"
http://cpeterso.com/blog/02013/11/cloaking-plugins-to-limit-browser-fingerprinting/
By 
Chris Peterson
A good introduction to this recent change.

"Disable bug 757726 for Firefox 28 release (changes to plugin detection)"
bug 952602
This bug is to allow more time for the 'new plugincheck service' to be implemented.
Component: General → plugins.mozilla.org
Product: www.mozilla.org → Websites
QA Contact: cbook
Version: Production → unspecified
I know that there used to be a 'supported browser list' in
http://www.mozilla.com/en-US/plugincheck/more_info.html

This list got very out of date and, as part of the work done in mid 2013 for the new plugincheck, the "more_info" page was removed.
See
https://bugzilla.mozilla.org/show_bug.cgi?id=589067#c9

However, now that we are no longer going to find "Unknown" plugins I think we should specifically list the plugins that are being tracked and assessed in the 'new (28+) plugincheck service'. 

In
https://bugzilla.mozilla.org/show_bug.cgi?id=956905#c75
there is a list of 37 plugins that are currently being tracked.

I think we could use the JSON (from bug 956905) to produce data for the "About plugincheck" page.

Two bugs that illustrate why I think this would be useful.

A. "Plugincheck doesn't show any results for the Unknown Plugins" bug 973352

Here the user was expecting to find "Unknown" plugins and, in Firefox beta version 28.0b2, none were found.
They were found in 27.0.1.

B. "mozilla.org plugincheck says latest flash update is vulnarable and tells me t..." bug 978505

Here the user has the Extended Support Release of Adobe Flash and this ESR version is up to date.
Plugincheck, which I think is only assessing the more popular version of Flash, is not able to
correctly test this version and "... shows vulnerable on the status section".

DJ-Leith
The feature to display "Unknown" plugins has been 'part of the plugincheck service'
since August 2010.

See bug 573553 "Display 'unknown plugin' message for plugins not in db"
which was "Verified FIXED." on 2010-08-02.

In this comment I am going to link to screenshots posted in other bugs.
These were originally posted to show 'errors': in this comment please
assume 'what you can see in the screenshot' is accurate.

These pictures illustrate what 'we have been enjoying' and
'what we are about to lose' if *this* bug is not actioned.

So a potential regression to the 'plugincheck service'.


First, Internet Explorer.
See
https://bug1017483.bugzilla.mozilla.org/attachment.cgi?id=8436396

Here you can see the text
> Plugin Check *support for Internet Explorer is limited.* Also use Tools > Manage Addons

This is helpful.
Indeed, on the computer where this screenshot was taken there
was an 'unreported' plugin (which you can NOT see in the screenshot):
(from bug 1010132 comment # 17)
> Also, FYI
> "TrueSuite Website Log On" by AuthenticTec, Inc was 'pre-installed at the factory'.
> It is NOT detected by the plugincheck web site.

So, unlike the 'plugincheck for Firefox which uses enumeration', and which
will find "Unknown" plugins, the User is warned that the service is limited.

1. Plugincheck with enumeration
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426510
Here you can see:
One "vulnerable"
Two "Unknown" - very useful to know
Two "Up to Date"

2. Plugincheck without enumeration (using Aurora and the JSON list)
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426513
Here you can only see
One "vulnerable"
Two "Up to Date"
This was the same computer at the same time as 1.

3. Plugincheck with enumeration (after updating plugins)
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426517
Here you can see:
Two "Unknown" - very useful to know
Three "Up to Date"

1, 2 and 3 were the same computer.


Please consider some text, on the plugincheck web site,
that has some guidance.

Can I suggest, to start the discussion:

The plugincheck service will no longer detect "Unknown" plugins.
The plugincheck service used to use enumeration[1] to detect plugins.
This was [will be] removed in Firefox 31[2] to reduce fingerprinting[3].
Plugincheck now uses a list of plugins, see here[4]. If your plugins are not
on this list they will not be assessed by the plugincheck service.

You can see all your Installed plugins if you type "about:plugins", without the quotes,
in the Location Bar (address bar [Awesome Bar]) [5].

[1] http://cpeterso.com/blog/02013/11/cloaking-plugins-to-limit-browser-fingerprinting/
Or a better page.  Perhaps one written to explain the changes in the plugincheck service.

[2] I am assuming that the new plugincheck service will be ready for Fx 31.

[3] https://wiki.mozilla.org/Fingerprinting
Or a better page.

[4] I think you can produce a human readable list, in a new Tab, from the JSON list as the
browser visits the plugincheck web site: e.g. https://www.mozilla.org/en-US/plugincheck/

[5] http://kb.mozillazine.org/Testing_plugins
Or a better page.
Possibly http://kb.mozillazine.org/About:plugins

Please add this bug, as a blocker, to the Tracker bug 990856 "Tracker for The New PluginCheck for Firefox 29+" 

Thanks,

DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)
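
The difference between the enumeration-driven and list-driven checks discussed in the comments above, as an added JavaScript illustration that is not part of the bug thread or of plugincheck's own code. Plugin names, versions and the shape of the tracked list are constructed, and treating any older version as "vulnerable" is a simplification; the counts mirror screenshots 1 and 2.

```javascript
// Added illustration, not plugincheck code. All names and versions are constructed.
// `installed` stands for what enumeration (or about:plugins) would reveal.
const installed = [
  { name: "Plugin A", version: "12.0.0.38" },
  { name: "Plugin B", version: "7.0.55" },
  { name: "Plugin C", version: "2.1.0" },
  { name: "Vendor Updater", version: "1.3.21" }, // not on the tracked list
  { name: "Camera Helper", version: "4.0.2" },   // not on the tracked list
];
// Hypothetical tracked list: plugin name -> latest known version.
const tracked = new Map([
  ["Plugin A", "12.0.0.43"], ["Plugin B", "7.0.55"],
  ["Plugin C", "2.1.0"], ["Plugin D", "9.9.9"], // D is tracked but not installed
]);

// Compare dotted numeric versions; negative means a is older than b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Simplification: anything older than the latest known version is "vulnerable".
const verdict = (v, latest) => (compareVersions(v, latest) < 0 ? "vulnerable" : "up to date");

// Enumeration-driven: start from what is installed, so untracked plugins show as "unknown".
function checkByEnumeration(installed, tracked) {
  return installed.map((p) => ({
    name: p.name,
    status: tracked.has(p.name) ? verdict(p.version, tracked.get(p.name)) : "unknown",
  }));
}

// List-driven: start from the tracked list (the map lookup stands in for a per-name
// probe). Anything installed but off the list is never examined: no "unknown" result.
function checkByList(installed, tracked) {
  const byName = new Map(installed.map((p) => [p.name, p.version]));
  return [...tracked]
    .filter(([name]) => byName.has(name))
    .map(([name, latest]) => ({ name, status: verdict(byName.get(name), latest) }));
}

// Coverage gap an "About plugincheck" page would need to explain to the user.
const unassessed = (installed, tracked) =>
  installed.filter((p) => !tracked.has(p.name)).map((p) => p.name);

console.log(checkByEnumeration(installed, tracked), checkByList(installed, tracked));
console.log("Not assessed:", unassessed(installed, tracked));
```

The list-driven result is a strict subset of the enumeration result here, and nothing in it signals that two installed plugins were skipped.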
Thanks for the comment and additional info DJ. I am going to mark this as a blocker and also add it to my todo list. As part of the work done on the 'new' plugincheck, it was decided not to report on unknown plugins any longer.

I do believe we lose some useful information by removing this and we need a way to remedy this. I will read over all the comments on this bug and consider everything mentioned.

I will also update this bug as soon as progress on this has been made.
Flags: needinfo?(schalk.neethling.bugs)
Assignee: nobody → schalk.neethling.bugs
Priority: -- → P3
(In reply to Schalk Neethling [:espressive] from comment #3)
> I am going to mark this as a blocker and also add it to my todo list.

Thank you Schalk.

I saw your comment, on 9th June, but I have not yet seen the blocker
> I am going to mark this as a blocker

I also saw, on 2014-06-12,
bug 1024625 "Improve plugincheck layout to include outdated and unknown plugins"
and agree that it would be good to deal with the situation that was seen in
bug 1023835 "Plugin Check reports Java 7 Update 55 plugin as up-to-date when
Java 7 Update 60 is the latest version" in a clearer way.

One small point:
(In reply to DJ-Leith from comment #2)
> You can see all your Installed plugins if you type "about:plugins", without
> the quotes, in the Location Bar (address bar [Awesome Bar]) [5].

There is, below the fold, already information about
'how to find ALL the plugins installed in your Firefox'.

https://github.com/mozilla/bedrock/blob/master/bedrock/mozorg/templates/mozorg/plugincheck.html#L157
has a section called

> 119 <section class="billboard pluginfaq-container">
> 120     <h2>{{_('Frequently Asked Questions')}}</h2>

(In reply to Schalk Neethling [:espressive] from comment #3)
> I do believe we lose some useful information by removing this and we need a
> way to remedy this. I will read over all the comments on this bug and consider
> everything mentioned.
> 
> I will also update this bug as soon as progress on this has been made.

So, I've not commented again until now.


MAIN POINT
I *still* think that there will be *no* "Unknown" plugins in the
'new plugincheck service that does not use enumeration'.

Indeed, as already documented above, it is the
'possibly unnoticed lack of "Unknown" plugins' that is going to be the most
difficult message to convey (in many languages).


Also, have you seen
A. the summary (with links to other bugs), after Fx 30 was released, I put in
bug 1020133 comment # 4?

B. bug 1023718 comment # 10 for links to duplicates - where there are many good points?

C. bug 1027175 (where another wording change to plugincheck is being considered)?

DJ-Leith
This is going to be done as part of bug 1121456
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE