Hacker News

iSoron said 8 months ago:

Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).

Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.

To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.

greenie_beans said 8 months ago:

I used to have this exact same fear and never downloaded any extensions bc of that, until I started making browser extensions. Pretty much any useful extension needs the access that prompts that generic message about accessing all the data.

Any extension that's listed on the web stores has to be reviewed for malicious code, and they must do what the listing says they do. So if your browser extension has your passwords, then that extension would be considered a password manager.

The extension probably listens to the IPs of well-known time wasting websites like HN or reddit, then adds a latency to the browsing. Same with an ad blocker -- they know every site you visit but only to compare them with their blacklist of advertising IP addresses.

Of course, you have to trust they aren't doing anything else with that info, which you can probably assume you're mostly safe if you don't need an account to use the extension.

skipants said 8 months ago:

I believe only "recommended extensions" for Firefox are tech reviewed, which this one is not.


pzmarzly said 8 months ago:

According to [0], Mozilla requires all extensions to have a source in human-readable format and runs a test suite on them. They mention "code review" there, but don't say whether it's manual or automatic. I'd love to hear about it from someone who has some experience with the process.

[0] https://extensionworkshop.com/documentation/publish/submitti...

Anon1096 said 8 months ago:

For my extension the review was automatic, and flags things like direct html editing. I only have a few hundred users though, so I'm not sure at what point they decide to do manual reviews.

chadlavi said 7 months ago:

There's a link to his github in the extension page. You can read his source code: https://github.com/OskarDamkjaer/FirefoxDelayWebpage

most of the relevant code is in https://github.com/OskarDamkjaer/FirefoxDelayWebpage/blob/ma...

wizzwizz4 said 7 months ago:

It actually matches a regular expression against the URL; I don't think it looks at the IP addresses.

Anon1096 said 8 months ago:

You are incorrect. You can inspect extensions that you download to compare the source code to the github release, or even audit the specific source you have downloaded. Please don't spread FUD.

LinuxBender said 8 months ago:

Would it be feasible for browsers to have a console window that enumerates add-ons to display things like URLs contained in the code, what is stored in local storage, session storage, etc? Asking because this topic comes up a lot and might not if the browser had a way to show explicit detailed permissions and capabilities vs. high level abstract permissions. This would be for less than technical people that probably won't be viewing source code, but could click a shiny button in the add-on page and get some idea if the addon shows URL, http(s), number of times the addon has used GET or POST or other methods:

  URL: http://some.site.tld/    [ INSECURE GET:1 POST:2]
  URL: https://some.other.tld/  [ SECURE GET:3 POST:2 ]

Maybe in about:networking have a tab for logging / debugging all addons?

snthd said 8 months ago:

.xpis are just zip files.

You can literally just save them from addons.mozilla.org and look inside - it's js so it's not compiled, and obfuscated code is against Mozilla policy.

Automatic updates are optional too.

Microsoft Application Inspector might be handy for some superficial profiling - https://github.com/microsoft/ApplicationInspector
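Added example (not part of the thread, and not code from the extension or from Mozilla): because an .xpi is a zip archive, the inventory asked about above can be approximated offline by reading `manifest.json` and scanning the packaged scripts for hard-coded URLs. The function names and the in-memory sample package are constructed for illustration.

```python
import io
import json
import re
import zipfile

URL_RE = re.compile(r"""https?://[^\s"'`<>)\\]+""")

def is_host_pattern(p):
    return p == "<all_urls>" or "://" in p

def is_broad(p):
    # "<all_urls>" or a wildcard host such as "*://*/*" or "https://*/*"
    return p == "<all_urls>" or p.split("://", 1)[1].split("/", 1)[0] == "*"

def audit_xpi(xpi_bytes):
    """Summarise what an extension package declares and which URLs it embeds."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
        declared = list(manifest.get("permissions", []))
        declared += manifest.get("host_permissions", [])  # Manifest V3
        for script in manifest.get("content_scripts", []):
            declared += script.get("matches", [])
        urls = {}
        for name in z.namelist():
            if name.endswith((".js", ".html")):
                text = z.read(name).decode("utf-8", "replace")
                found = sorted(set(URL_RE.findall(text)))
                if found:
                    urls[name] = found
    declared = [p for p in declared if isinstance(p, str)]
    hosts = sorted({p for p in declared if is_host_pattern(p)})
    return {
        "api_permissions": sorted({p for p in declared if not is_host_pattern(p)}),
        "host_patterns": hosts,
        "broad_hosts": [p for p in hosts if is_broad(p)],
        "urls_in_code": urls,
    }

def build_sample_xpi():
    """Constructed sample package, built in memory so the example runs offline."""
    manifest = {"manifest_version": 2, "name": "constructed-delay-demo",
                "version": "1.0",
                "permissions": ["storage", "webRequest", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*.example.org/*"],
                                     "js": ["delay.js"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("delay.js", 'const DOC = "https://example.org/help";\n'
                               "setTimeout(() => {}, 5000);\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit_xpi(build_sample_xpi()), indent=2))
```

A static scan like this only sees URLs written out literally; endpoints assembled at runtime do not appear, so it is a first pass rather than a substitute for reading the code.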

ReverseCold said 8 months ago:

> obfuscated code is against Mozilla policy

You can submit obfuscated code as long as you also upload non-obfuscated code to Mozilla. Not sure if that separate code upload is public or not...

dessant said 7 months ago:

Obfuscated code is not allowed on any of the browser extension stores. Mozilla requires the attachment of the original source code if you use a bundler such as webpack, or if the code is minified.

Only reviewers have access to the source code, unless you configure the listing to make the code public.

saber1 said 8 months ago:

This message is not accurate IMO.

Basically, if the addon wants to interact with any kind of urls, this message is unavoidable. Which means that even if the addon doesn't require to access any data of the websites, as long as it wants to be triggered for any websites, this message is not going to be avoidable.

https://extensionworkshop.com/documentation/develop/request-... has more information.

amenod said 8 months ago:

FTFY: To be clear, this is more a criticism of _every browser's_ security model,...

I do agree with you though. What is surprising is that technically, this should be fairly easy to solve:

- own the CI system (to make sure the sources match the built versions)

- make sources (the ones that went into build) clearly visible

- disable silent updates
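Added example (not part of the thread, and not Mozilla's or the extension author's code): the check discussed in this thread, comparing a package downloaded from the store with a checkout of the public repository, done by hashing every file on both sides. It assumes the extension ships its source files unbundled and unminified; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile

def digest(data):
    return hashlib.sha256(data).hexdigest()

def hash_xpi(xpi_bytes):
    """Map each packaged file to its SHA-256, skipping store signing data."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return {i.filename: digest(z.read(i)) for i in z.infolist()
                if not i.is_dir() and not i.filename.startswith("META-INF/")}

def hash_tree(root):
    """Map each file in a source checkout (minus .git) to its SHA-256."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = digest(f.read())
    return out

def compare(xpi_bytes, source_root):
    packaged, source = hash_xpi(xpi_bytes), hash_tree(source_root)
    return {
        "only_in_xpi": sorted(set(packaged) - set(source)),
        "modified": sorted(n for n in packaged
                           if n in source and packaged[n] != source[n]),
        "only_in_source": sorted(set(source) - set(packaged)),
    }

def build_sample():
    """Constructed data: a source tree and an XPI that drifted from it."""
    root = tempfile.mkdtemp()
    tree = {"manifest.json": b'{"name": "constructed"}',
            "delay.js": b"wait(5000);\n", "README.md": b"docs\n"}
    for name, data in tree.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", tree["manifest.json"])
        z.writestr("delay.js", b"wait(5000); report();\n")  # differs
        z.writestr("extra.js", b"// not in the repository\n")
        z.writestr("META-INF/manifest.mf", b"signing data\n")
    return buf.getvalue(), root

if __name__ == "__main__":
    print(compare(*build_sample()))
```

Files under `only_in_xpi` and `modified` are the ones to read by hand; the result holds only for the package version that was hashed, so the comparison has to be repeated after each update.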

seanwilson said 8 months ago:

The solution should surely involve more granular permissions?

I'm assuming this permission has no need to read the body of network responses, inject anything into the responses, read cookies etc.

However, it probably has no option than to request the "read and change all network data" permission because there is nothing weaker that will let it do what it needs to do.

Making sources available isn't a scalable option to help with this in my opinion. Who is going to be doing thorough security audits of every extension + every update?

iSoron said 8 months ago:

This is exactly the approach taken by F-Droid (for Android apps). All apps available on F-Droid have been automatically built from a publicly available repository, and you can either download the binary (APK) or the source tarball that they used to produce it. Updates are manual.

aswan said 7 months ago:

> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.

It's a fair comment, but this extension works by injecting javascript into every page the browser loads. If this capability were removed or even changed, it would break a ton of existing extensions (and compatibility with the many extensions written for Chrome).

Given the nature of javascript and the web, once you can run a bit of javascript on a page, you can do just about anything, so the phrasing "can access data" sounds scary but it is accurate. Of course, "can" doesn't mean "does", hence all the other commenters suggesting auditing the code.

Speaking of auditing extension code, I like https://addons.mozilla.org/en-US/firefox/addon/crxviewer/

floatingatoll said 7 months ago:

The problem with trying to cure this security model is that once an extension can rewrite page HTML, it can inject transmission of your data to a third-party, and so any addon that affects pages (such as this one) is correctly labeled as "can access your data", because it absolutely can.

To make any headway on this, you would need to start considering how to prohibit JavaScript from transmitting page content to remote servers if it's been modified by an addon, but that would then break all JavaScript modified by adblockers, and so there's not any easy solution there either.

If you can think of a valid security model here that isn't vulnerable to today's arbitrary JavaScript execution issues, I think you'd find a willing audience. Chrome tried to solve this by nailing down what extensions can do, and the adblockers all flipped out because they won't be able to run arbitrary JavaScript in-page anymore. It remains unclear how this can ever be solved.

ao0193344 said 7 months ago:

> Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).

> Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.

> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.

Uhhh... yeah

krilly said 8 months ago:

An alternative would be to throttle your network speed to like 2g with your dev tools, although this will obviously affect, say, YouTube more than HN

jfkebwjsbx said 8 months ago:

+1000 times this

Extensions should be built in Mozilla's servers.

azhenley said 8 months ago:

The relevant post from a day ago: I Add 3-25 Seconds of Latency to Every Site I Visit.


Ottolay said 7 months ago:

I read that post and wished that there was a Firefox extension but could not find out. Glad someone made one.

waterbadger said 8 months ago:

Something I started messing around with: add a global stylesheet with the rule

body { filter: grayscale(100%); }

(only gotcha is position: fixed; elements breaking in Firefox?)

It feels a lot easier to focus on what I'm reading and to not be sucked in or distracted by websites. I bet psychologically color activates reward systems that may not be as healthy for digital content.

I actually liked it so much that I used accessibility options to make my entire computer and phone grayscale. So far it's great! Also has better performance than a CSS filter for stuff like video.

waterbadger said 7 months ago:

Hammerspoon shortcut to toggle grayscale & color (applescript not mine, borrowed from https://github.com/shavidzet/osa-grayscale)

  hs.hotkey.bind({"cmd", "ctrl", "alt"}, "c", function()
    -- Run the AppleScript below through Hammerspoon's AppleScript bridge
    hs.osascript.applescript([[
      tell application "System Preferences"
        reveal anchor "Seeing_Display" of pane id "com.apple.preference.universalaccess"
      end tell
      tell application "System Events" to tell process "System Preferences"
        repeat while not (exists of checkbox "Use grayscale" of group 1 of window "Accessibility")
          delay 0.1
        end repeat
        set theCheckbox to checkbox "Use grayscale" of group 1 of window "Accessibility"
        tell theCheckbox
          # If the checkbox is not checked, check it to turn grayscale on
          if not (its value as boolean) then
            set checked to true
            click theCheckbox
          else # else turn grayscale off
            set checked to false
            click theCheckbox
          end if
        end tell
      end tell
      tell application "System Preferences"
      end tell
    ]])
  end)

mavsman said 8 months ago:

Love this idea. It would be interesting to see what different ways (AI) you could predict that a site is distracting based on personal and wide-spread usage habits. Some advanced method that doesn't require a user generated whitelist would be the next level for this.

phantarch said 8 months ago:

This and the post yesterday about adding latency to websites reaffirms an idea I've been thinking about lately - adding friction back into digital processes helps break some of the addictive power they have.

Imagine if you had to use a printer to print out your facebook feed when you wanted to see it. Then, in order to interact, you had to write on that paper the comments, likes, etc. that you wanted to transmit and scan it back into the system. That mode of interaction seems "primitive" compared to the way we use things on our phones, but I think carries with it a lot of nice advantages like introducing time buffers for your mind to catch up to your impulses.

michalf6 said 8 months ago:

There is also Leechblock which contains the same functionality along with blocking and some in-depth config. But this may be a cool solution for someone who only cares about the latency part.

citizenkeen said 8 months ago:

I tried Leechblock, and found it unusable (on my Android phone). It broke my back bar, and often wouldn't follow through links (instead taking me to where I already was).

CJefferson said 8 months ago:

This is really nice!

It would be nice (from my experience) to make the delay variable - - this stops people "Learning" ways of avoiding the always fixed length delay.

derefr said 8 months ago:

See also:

• Chrome's "throttling" feature: https://helpdeskgeek.com/networking/simulate-slow-internet-c...

• Whole-computer "make my network stack worse" utilities:

• • macOS's Network Link Conditioner: https://nshipster.com/network-link-conditioner/

• • clumsy (for Windows): http://jagt.github.io/clumsy/index.html

• • dummynet (for Linux): http://info.iet.unipi.it/~luigi/dummynet/

• A naughty SOCKS5 proxy (multiplatform): https://github.com/Shopify/toxiproxy

andai said 7 months ago:

Chrome's throttling is great, I didn't know about that. But it doesn't look like it persists (across tabs, or sessions)?

Anaminus said 7 months ago:

This sort of thing has never worked for me. It's like the snooze button on an alarm clock; instead of hitting this relatively large button, even my half-asleep brain will precisely locate the off switch every single time.

I've found greater success in just observing my impulses. While I'm working, I might get a desire to type the "hn" keyword into my URL bar (guess where it goes). But because I've noticed this before it happened, I can choose to not do it. If I find myself "idling" on such distractions without realizing, then that means it's time to do something else. Get back to work. Take a break and relax. Get off the screen entirely. Anything else, just don't idle. This seems to get easier with practice.

EternalAugust said 7 months ago:

Another pro tip for managing distractions: use uBlock Origin to block distracting elements on web pages. Ever since I removed the comments section, the recommended videos, and the home button on YouTube I have felt much more in control of my browsing habits there.

superkuh said 8 months ago:

The best extension to do this is to run NoScript in temp whitelist only mode. Every time you visit a crappy website with lots of JS domains that load JS domains that load JS domains you'll have to spend 20 seconds loading and reloading the page till you get it to work. If at all. It thoroughly discourages visiting these bad websites.

But good websites (ie, not web apps) will load instantly and unimpeded. And as a side effect you're protected from most browser exploits since the vast majority require executing JS.

welly said 8 months ago:

Easily disabled if you find it annoying. And if you're self disciplined enough to not turn it off, surely you're self disciplined enough to curb your browsing habits?

isodude said 8 months ago:

Not really. This sort of thing is really helpful. It's not that I am not disciplined, but rather that I need a reminder to keep myself disciplined when I surf on the web.

A small reminder.. it's easy to end up in scrolling mode.

AceJohnny2 said 8 months ago:

StayFocusd had the nice feature that you couldn't change its settings for the current day. The only way to get around it was disabling/uninstalling the extension.

The behavior curve is interesting. It is for me now practically an autonomous unconscious behavior to open Reddit or HN. StayFocusd would figuratively provide the "slap" to make me consciously realize what I was doing, so going through the steps of disabling it was a conscious, deliberate decision, which was enough to prevent that from happening.

gbear605 said 8 months ago:

In my /etc/hosts file, I redirect distracting websites to to block them. There's nothing stopping me from enabling a website beyond the effort to type in sudo vim /etc/hosts, but yet I now spend a lot less time on those websites. Human psychology is funny that way.

pwdisswordfish2 said 7 months ago:

Aren't entries ignored in /etc/hosts?

gbear605 said 7 months ago:

Not on my computer, at least?

peterxpark said 7 months ago:

Big fan of adding friction to my electronic devices. I have a bunch of Firefox extensions to grey scale, automatically block images and videos, and add a 30 second delay timer for distracting websites.

I use the poorly named extension Monastery for the delay timer.


smnplk said 8 months ago:

When I want to get stuff done, I just "block" sites in my hosts file, by pointing them to localhost. I even wrote a small bash utility [1] for that, so it's easy to undo changes in /etc/hosts

https://github.com/smnplk/hosta [1]

Nightshaxx said 8 months ago:

This is a great idea. I read the post on HN about the theory behind this and it's so good.

dreeves said 7 months ago:

Brilliant! As far as I know, this idea was first proposed by Randall Munroe in the hovertext of https://xkcd.com/862/ (2011-02-18):

"After years of trying various methods, I broke this habit by pitting my impatience against my laziness. I decoupled the action and the neurological reward by setting up a simple 30-second delay I had to wait through, in which I couldn't do anything else, before any new page or chat client would load (and only allowed one to run at once). The urge to check all those sites magically vanished -- and my 'productive' computer use was unaffected."

stevage said 7 months ago:

Would it be possible to make an extension that simply makes everything on a given domain load slowly? I would find that more effective, because I wouldn't be constantly reminded of the arbitrariness of the delay.

psychometry said 8 months ago:

https://selfcontrolapp.com/ on Mac just blocks sites outright. Supports black- and white-listing.

rk06 said 7 months ago:

Installed it. So far so good. Forcing to wait for even 7 secs is enough for me to start doing some work

kwhitefoot said 8 months ago:

It works. Not sure if I'll keep it though. It might be better to just exert a bit more self control.

isodude said 8 months ago:

Added, shared. Love from first sight.

mcstafford said 8 months ago:

Should have called it self-punishment, or something.