Closed
Bug 965812
Opened 10 years ago
Closed 9 years ago
RFE an "About plugincheck" page, visible from plugincheck
Categories
(Websites :: plugins.mozilla.org, defect, P3)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1121456
People
(Reporter: dj.4bug, Assigned: espressive)
References
()
Details
Plugincheck is a wonderful service, I use it daily. https://www.mozilla.org/%LOCALE%/plugincheck/ The US version of 'plugincheck' is at https://www.mozilla.org/en-US/plugincheck/ RFE Please provide information about: A. The scope of the 'plugincheck service' (which browsers, which Operating Systems). B. A list of the 'actual plugins that are being assessed / tested'. In the 'new plugincheck service' there will be no "Unknown Plugins". This may lead to a false sense of security if users assume that 'all the plugins have been tested'. I suggest that there could be an "About plugincheck" page, visible from plugincheck, that would give this information (or links to it). Introduction At the moment the plugincheck website has Javascript that uses enumeration to discover the 'visiting browser's plugins'. These 'discovered plugins' are then checked against a database to see if they are up to date. If a 'discovered plugin' is 'not in the database' then it is listed under "Unknown Plugins". If it is out of date, warnings are given etc - all VERY useful. From Firefox 28+ enumeration will not be used. See "disallow enumeration of navigator.plugins" bug 757726 This is the code that cloaks plugins, see [1] below, in 28+. This breaks the 'plugincheck' web site. There are two bugs open to update the 'plugincheck service': "Fix plugincheck to not use plugin enumeration" bug 938885 This is the bug to 'do the plugincheck without using the enumeration', i.e. to 'fix plugincheck web site'. "Publish JSON list of all plugins for use on /plugincheck" bug 956905 This is the bug to 'get the database server to produce a list(s) of known plugins (with their versions)' for the 'plugincheck web site' to use. I envisage that there may be several lists: one for each OS & browser combination, e.g. Windows & IE, Mac & Firefox, Linux & Firefox etc. Instead of enumerating the 'visiting browser's plugins', the new 'plugincheck web site' will now 'go through the appropriate list (from the JSON)' of plugins, one by one, and see if it is installed and, if it is, if it is up to date. So, there will no longer be any "Unknown Plugins" - the service will be 'driven by the list'. Apparently there is human-readable list of the 'plugins that are tracked in the database', IIUC, available at: https://plugins.mozilla.org/en-us However, this requires a LDAP login (so I've not seen it). Scope see "Plugin Check for Everyone" by Johnathan Nightingale 11 May 2010 http://blog.mozilla.org/security/2010/05/11/plugin-check-for-everyone/ I also note, in passing, "... Our Plugin Directory will eventually become the main way we keep our data about plugins up-to-date. ..." The link to "Plugin Directory", https://plugins.mozilla.org/en-us also requires a LDAP login. Is this still the best scope? - has it widened (or narrowed) since May 2010? Which browsers are you able to assess at plugincheck? For example, is Opera in scope? See bug 875058 Which Operating Systems are you supporting? DJ-Leith PS, two examples: Example 1 - Scope Using Internet Explorer (on 30 January 2014) and http://www.mozilla.org/en-US/plugincheck/ I am told "... support for Internet Explorer is limited. ..." and that "Shockwave Flash 12.0.0.38" is "vulnerable" However, http://www.adobe.com/software/flash/about/ confirms that "12.0.0.38" is the best version for IE. The best version for Firefox (since 14 January 2014) has been "12.0.0.43". Example 2 - "Unknown Plugins" Using Firefox 26 and https://www.mozilla.org/en-US/plugincheck/ "Google Update" is "unknown" I have also seen, on another PC, a Plugin from a Canon Camera (a DLL) that is "unknown". Knowing that they 'have not been assessed' is useful. References: [1] Background "Cloaking plugin names to limit browser fingerprinting in Firefox" http://cpeterso.com/blog/02013/11/cloaking-plugins-to-limit-browser-fingerprinting/ By Chris Peterson A good introduction to this recent change. "Disable bug 757726 for Firefox 28 release (changes to plugin detection)" bug 952602 This bug is to allow more time for the 'new plugingcheck service' to be implemented.
Updated•10 years ago
|
Component: General → plugins.mozilla.org
Product: www.mozilla.org → Websites
QA Contact: cbook
Version: Production → unspecified
I know that there used to be a 'supported browser list' in http://www.mozilla.com/en-US/plugincheck/more_info.html This list got very out of date and, as part of the work done in mid 2013 for the new plugincheck, the "more_info" page was removed. See https://bugzilla.mozilla.org/show_bug.cgi?id=589067#c9 However, now that we are no longer going to find "Unknown" plugins I think we should specifically list the plugins that are being tracked and assessed in the 'new (28+) plugincheck service'. In https://bugzilla.mozilla.org/show_bug.cgi?id=956905#c75 there is a list of 37 plugins that are currently being tracked. I think we could use the JSON (from bug 956905) to produce data for the "About plugincheck" page. Two bugs that illustrate why I think this would be useful. A. "Plugincheck doesn't show any results for the Unknown Plugins" bug 973352 Here the user was expecting to find "Unknown" plugins and, in Firefox beta version 28.0b2, none were found. They were found in 27.0.1. B. "mozilla.org plugincheck says latest flash update is vulnarable and tells me t..." bug 978505 Here the user has the Extended Support Release of Adobe Flash and this ESR version is up to date. Plugincheck, which I think is only assessing the more popular version of Flash is not able to correctly test this version and "... shows vulnerable on the status section". DJ-Leith
The feature to display "Unknown" plugins has been 'part of the plugincheck service' since August 2010. See bug 573553 "Display 'unknown plugin' message for plugins not in db" which was "Verified FIXED." on 2010-08-02. In this comment I am going to link to screenshots posted in other bugs. These were originally posted to show 'errors': in this comment please assume 'what you can see in the screenshot' is accurate. These pictures illustrate what 'we have been enjoying' and 'what we are about to lose' if *this* bug is not actioned. So a potential regression to the 'plugincheck service'. First, Internet Explorer. See https://bug1017483.bugzilla.mozilla.org/attachment.cgi?id=8436396 Here you can see the text > Plugin Check *support for Internet Explorer is limited.* Also use Tools > Manage Addons This is helpful. Indeed, on the the computer where this screenshot was taken there was an 'unreported' plugin (which you can NOT see in the screenshot): (from bug 1010132 comment # 17) > Also, FYI > "TrueSuite Website Log On" by AuthenticTec, Inc was 'pre-installed at the factory'. > It is NOT detected by the plugincheck web site. So, unlike the 'plugincheck for Firefox which uses enumeration', and which will find "Unknown" plugins, the User is warned that the service is limited. 1. Plugincheck with enumeration https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426510 Here you can see: One "vulnerable" Two "Unknown" - very useful to know Two "Up to Date" 2. Plugincheck without enumeration (using Aurora and the JSON list) https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426513 Here you can only see One "vulnerable" Two "Up to Date" This was the same computer at the same time as 1. 3. Plugincheck with enumeration (after updating plugins) https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426517 Here you can see: Two "Unknown" - very useful to know Three "Up to Date" 1, 2 and 3 were the same computer. Please consider some text, on the plugincheck web site, that has some guidance. Can I suggest, to start the discussion: The plugincheck service will no longer detect "Unknown" plugins. The plugincheck service used to use enumeration[1] to detect plugins This was [will be] removed in Firefox 31[2] to reduce fingerprinting[3]. Plugincheck now uses a list of plugins, see here[4]. If your plugins are not on this list they will not be assessed by the plugincheck service. You can see all your Installed plugins if you type "about:plugins", without the quotes, in the Location Bar (address bar [Awesome Bar]) [5]. [1] http://cpeterso.com/blog/02013/11/cloaking-plugins-to-limit-browser-fingerprinting/ Or a better page. Perhaps one written to explain the changes in the plugincheck service. [2] I am assuming that the new plugincheck service will be ready for Fx 31. [3] https://wiki.mozilla.org/Fingerprinting Or a better page. [4] I think you can produce a human readable list, in a new Tab, from the JSON list as the browser visits the plugincheck web site: e.g. https://www.mozilla.org/en-US/plugincheck/ [5] http://kb.mozillazine.org/Testing_plugins Or a better page. Possibly http://kb.mozillazine.org/About:plugins Please add this bug, as a blocker, to the Tracker bug 990856 "Tracker for The New PluginCheck for Firefox 29+" Thanks, DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)
Assignee | ||
Comment 3•10 years ago
|
||
Thanks for the comment and additional info DJ. I am going to mark this as a blocker and also addd it to my todo list. As part of the work done on the 'new' plugincheck, it was decided not to report on unknown plugins any longer. I do believe we loose some useful information by removing this and we need a way to remedy this. I will read over all the comments on this bug and consider everything mentioned. I will also update this bug as soon as progress on this has been made.
Flags: needinfo?(schalk.neethling.bugs)
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → schalk.neethling.bugs
Priority: -- → P3
(In reply to Schalk Neethling [:espressive] from comment #3) > I am going to mark this as a blocker and also addd it to my todo list. Thank you Schalk. I saw your comment, on 9th June, but I have not yet seen the blocker > I am going to mark this as a blocker I also saw, on 2014-06-12, bug 1024625 "Improve plugincheck layout to include outdated and unknown plugins" and agree that it would be good to deal with the situataion that was seen in bug 1023835 "Plugin Check reports Java 7 Update 55 plugin as up-to-date when Java 7 Update 60 is the latest version" in a clearer way. One small point: (In reply to DJ-Leith from comment #2) > You can see all your Installed plugins if you type "about:plugins", without > the quotes, in the Location Bar (address bar [Awesome Bar]) [5]. There is, below the fold, already information about 'how to find ALL the plugins installed in your Firefox'. https://github.com/mozilla/bedrock/blob/master/bedrock/mozorg/templates/mozorg/plugincheck.html#L157 has a section called > 119 <section class="billboard pluginfaq-container"> > 120 <h2>{{_('Frequently Asked Questions')}}</h2> (In reply to Schalk Neethling [:espressive] from comment #3) > I do believe we loose some useful information by removing this and we need a > way to remedy this. I will read over all the comments on this bug and consider > everything mentioned. > > I will also update this bug as soon as progress on this has been made. So, I've not commented again until now. MAIN POINT I *still* think that there will be *no* "Unknown" plugins in the 'new plugincheck service that does not use enumeration'. Indeed, as already documented above, it is the 'possibly unnoticed lack of "Unknown" plugins' that is going to be the most difficult message to convey (in many languages). Also, have you seen A. the summary (with links to other bugs), after Fx 30 was released, I put in bug 1020133 comment # 4? B. bug 1023718 comment # 10 for links to duplicates - where there are many good points? C. bug 1027175 (where another wording change to plugincheck is being considered)? DJ-Leith
Assignee | ||
Comment 5•9 years ago
|
||
This is going to be done as part of bug 1121456
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•