December 19, 2008

The annoyances of proprietary Firefox extensions

Author: Bruce Byfield

As a regular browser of the Firefox Add-ons site, I'm troubled by the apparent proliferation of proprietary extensions in the last year. Maybe I've simply exhausted the free-licensed extensions that interest me, but recently every interesting-looking extension seems to be a proprietary one -- especially in the recommended list. Nothing, of course, in the Mozilla privacy or legal notice prohibits proprietary extensions simply because they are proprietary, but I find them not only contrary to the spirit of free and open source software (FOSS), but, often, annoying attempts to entangle me in some impossible startup.

I took a while to notice the proprietary extensions. Because Mozilla is FOSS and the first extensions I added were as well, I got careless about reading the license notices. At first, I only glanced to see that the references were to the GNU General Public License or Lesser General Public License, and so many were that I became careless.

When I first noticed that proprietary extensions had become commonplace, I was peeved, even outraged. I use Firefox, as I do GNU/Linux, out of a wish to have a free system, so how dare the writers of these extensions try to slip proprietary software on me unaware?

Captive audiences

What annoys me about many of the proprietary extensions is that they are not just extra pieces of functionality for me to pick and choose, but efforts to enlist me as a customer for a new startup. Take, for example, Interclue. In theory, Interclue is a useful add-on that allows you to view a link in a popup window before you actually move to it. However, its developers want to monetize it, so the extension includes several features asking for donations. I have rarely seen a clearer case of a good idea being ruined by nagware, and what Interclue will be like if the developers make good their threat to add special offers from their business partners to the functionality, I shudder to imagine. My only comfort is that, while Interclue might temporarily become attractive to businesses as a way around Adblocker, the basic idea seems far too slender to build a lasting business upon.

A still more annoying extension is Sxipper. While described on Firefox Add-ons as a password manager, Sxipper is actually an identity manager that also controls the information given to forms and allows you to create different profiles or collections of personal information that you can give out as you choose.

Left to your local hard drive, this functionality might be useful, if in advance of most users' needs. However, Sxipper also includes options to send usage statistics and profiles of forms to the company behind the extension. Because the form profiles enhance the extension, users might be tempted to share this personal information. While I have no reason to mistrust Sxipper (in fact, I know several people who work there, or have done so), the concept of trusting some of your security to someone else is simply irreconcilable with basic security principles.

Sxipper is not so much an extension as a hostile takeover of your copy of Firefox, intruding into almost all your Web activities. By displaying the Sxipper logo on every form on every Web page, the extension's default settings transform Firefox into an extended ad for the company.

I could give other examples, such as Jeteye and Wot, where the story is much the same. Such things are not what I sign up for when I install an extension. I don't wear corporate T-shirts, I don't want to be press-ganged into somebody else's entrepreneurial dream, and I definitely don't want a corporately branded Web browser.

In contrast to these underhanded efforts, I have more respect for Sun Microsystems, which, after a period of releasing OpenOffice.org extensions under proprietary licenses, finally had the sense to release them under free licenses -- and with only "Sun" in the name and the occasional logo to remind you of their origins.

Let the downloader beware

Mozilla does warn that it has a policy of taking no responsibility for what you download. Its Legal Notice page clearly warns that:

Mozilla has not reviewed, and cannot review, all of the material, including computer software, available on or by means of Mozilla's websites, and cannot therefore be responsible for that material's content, use or effects. By operating its websites, Mozilla does not represent or imply that it endorses the material there available, or that it believes such material to be accurate, useful or non harmful.

It also tries to bind the developers of extensions by suggesting that, by uploading to the Firefox Add-on site, they are promising that their work is not malicious.

But I can't help wondering how many people read such pages, or remember them for very long. And, while the examples here are annoying rather than harmful, you don't need to extend them very far to see why Firefox extensions are such a concern to security experts.

Admittedly, all I need to do to avoid proprietary extensions is to exercise a little caution and read the licenses, but I became careless because I thought I was in a safe place. In my calmer moments, I tell myself that Mozilla has every right to open the possibility of extensions to any possible license -- and it does warn me, even if I have to hunt for the warning.

I can even rationalize Mozilla's policy as catering to as wide a variety of personal preferences as possible, just as the Debian distribution does by including both free and non-free software. But where Debian makes the difference in licenses clear by putting free and non-free software in different repositories, Mozilla lumps them all together. So, deep down, it still feels like I've been misled, my trust betrayed, and my time wasted.
