Dailydave mailing list archives

Re: What a failure of Secure by Design looks like: Web Browsers


From: Tom Ritter via Dailydave <dailydave () lists aitelfoundation org>
Date: Tue, 4 Jun 2024 12:14:56 -0400

On Mon, 3 Jun 2024 at 23:18, Dave Aitel via Dailydave <dailydave () lists aitelfoundation org> wrote:

> It's always been weird that mobile browsers are not allowed to have ad
> blockers. Does anyone have depth on this issue they can actually share?


Speaking about (but not for - this is just how I interpreted it) Firefox -
mostly sausage making and org pains. Fennec (the old mobile architecture)
supported extensions, although I don't remember to what extent/how well. In
2016 it got WebExtension support - before that it was supporting extensions
in the old style of "Just let them do whatever they want in the browser,
I'm sure it will be fine.[0]" And in late 2017 we removed access to those
capabilities. Somewhere around 2019 we switched from the old browser
architecture (Fennec) to the new one (Fenix) - and 2019 was when we
launched, so we started the development quite some time earlier and kept
Fennec on life support during it.

Fenix - while not a total rewrite of the rendering or js engine - was a
rewrite of everything else, including the UI, accounts, sync, telemetry,
session storage, push, reader view, downloads, etc etc. [1] Getting a
consistent and reliable handle on the Android OS process management also
took time[2] - running extensions in the parent meant the parent got reaped
a lot; they needed to be moved to a separate process, and then we needed to
handle how to behave when _that_ process got reaped but others did not.
Fenix supported a curated list of extensions (including Ghostery, AdGuard,
and uBlock Origin) for a while, but in the past 6 months finally hit the
milestone where it opened up so anyone can publish, and anyone can install,
an extension on Android without jumping through hoops.

Add into all of this mix a couple rounds of layoffs including the big one
in 2020, which disrupted a lot of things. (And, you know, the pandemic.) I
don't know/remember if anyone directly working on Fenix was let go,
although I would wager yes, but I do know many *mobile* engineers in
non-Firefox products were let go and I have to assume the knowledge drain,
upheaval, and hurt when your colleagues are let go led to departures and
general delays in what people originally hoped to accomplish.

Anyway, I don't know if you wanted more technical nitty-gritty on it, but
from my perspective, that's what I can offer. I don't think there was any
specific de-prioritization of extensions from a philosophical standpoint
(we all know that extensions are what made Firefox what it is), just
juggling lots of work that resulted in a slower rollout than we hoped.

-tom

ref: https://blog.mozilla.org/addons/page/1/?s=android

[0] Narrator: It was not fine.
[1] Unsurprisingly we've been playing whack-a-mole with re-implementations
of the annoying 'yes it's a bug but no one exploits
address-bar-impersonation so =/' class of bugs.
[2] 'Takes time' is both engineering time and wall-time as you write code,
deploy it, run an experiment, and wait for results.