Firefox without extensions

[Alan Baxter]

Aargh! My Firefox has crashed 12 times in the last 24 hours, compared to two times in the previous seven months. It seemed to start with my update from NoScript 1.9.6.94 to 1.9.6.96, but further testing exonerated NoScript. In fact Firefox still crashed while all of my extensions were disabled. So, I've created a new profile and transferred all my settings to it except for the extensions. I'll run like this for a day. If no crashes occur, then I'll reinstall all 58 of my extensions.

I miss all of the usability, security, and aesthetic features my extensions provided, but Firefox does feel a little snappier now.

[Tom T.]

Careful, Alan, you might find yourself joining the Luddites.
Less complexity, fewer things to break, fewer things to conflict, lower resource load and faster performance -- you're halfway there already!

[Grumpy Old Lady]

:tap tap:
You still in there Alan Baxter?
Hope it's a successful fresh start for you :-)

[Alan Baxter]

Thank you both for the encouragement. So far so good. As you may have noticed, I reported the crashing occurred even if there were no extensions. I created a new profile and copied all of my settings and data into it. I did not copy over any of the other files, and I didn't copy over localstore.rdf or mimeTypes.rdf. I reconfigured my toolbars.

I browsed for a day like that with no problems. Interesting to browse so much without extensions, like my mom and older friend -- who live out of state -- do. I suppose it's heresy in this forum, but I don't recommend using extensions to non-technical users. By far the most prevalent internet-related computer security problems aren't addressed by any of them, including NoScript, and they tend to make Firefox less reliable. Mom and my friend find it perfectly usable without even changing any of the settings.

Yesterday I restored all 57 extensions by copying the extensions directory from my old profile and copying all the files and directories that contained their data. Firefox started up with everything just like it was before, except for the toolbars and the crashing. I reconfigured the toolbars. I haven't had any more crashes.

Just by process of elimination, I think some corruption in localstore.rdf may have been causing the crashes. In hindsight, I suppose it would have been easier to disable localstore.rdf by renaming it and reconfiguring the toolbars in the first place. I don't know, and I'm not going to bother experimenting on the old profile. It's attractive to have a profile which doesn't contain those old files from Fx 2 and 3.0 anymore.

[Grumpy Old Lady]

I don't recommend using extensions to non-technical users. By far the most prevalent internet-related computer security problems aren't addressed by any of them, including NoScript, and they tend to make Firefox less reliable. Mom and my friend find it perfectly usable without even changing any of the settings.

There's nothing unstable at all about a NS-only Fx in my experience.
Your assumption about the prevalence of JS net security problems could be influenced by the very careful don't tell policy of banks and government in general about individual account misappropriation and identity fraud. And by the situation that many novice net users end up with - ie a 'slow internets' that they put up with for their small amount of browsing and email, rather than paying for professional help; all the while they are online their machine is doing dutiful bot work.
A NS with 'allow globally' and the default system ABE LOCAL is really essential Fx for those who have no clue what to trust or what to navigate with.
I encourage all the novices I know to install NS; I can only remember one who had problems. They used yahoo for business.
On the other hand, I advise novices to choose file scanning applications that are fully supported, preferably with a phone help desk.

[Alan Baxter]

Hi, Lady. I was hoping you'd respond to the bait. Your previous postings have described helping many people use the Internet effectively. I don't really "support" anyone: my brother admins my Mom's system, and my out-of-state friend has a Mac. His system is administered by his son. Neither of them has had any security-related problems, let alone one that would have been prevented by NoScript or any other Firefox extension. Yeah, I know, two data points doesn't make a very good statistical population for generalizations.

I don't recommend using extensions to non-technical users. By far the most prevalent internet-related computer security problems aren't addressed by any of them, including NoScript, and they tend to make Firefox less reliable. Mom and my friend find it perfectly usable without even changing any of the settings.

There's nothing unstable at all about a NS-only Fx in my experience.

Nothing unstable? I agree. But it does make for "Firefox isn't working right" scenarios, and not just ones caused by extension conflicts. But as for extensions in general, well take a look at what's causing the majority of the user problems reported on Mozillazine and the Mozilla support site. Extensions! I continue to think a vanilla Firefox without extensions provides the most trouble-free experience.

Your assumption about the prevalence of JS net security problems could be influenced by the very careful don't tell policy of banks and government in general about individual account misappropriation and identity fraud. And by the situation that many novice net users end up with - ie a 'slow internets' that they put up with for their small amount of browsing and email, rather than paying for professional help; all the while they are online their machine is doing dutiful bot work.
A NS with 'allow globally' and the default system ABE LOCAL is really essential Fx for those who have no clue what to trust or what to navigate with.
I encourage all the novices I know to install NS; I can only remember one who had problems. They used yahoo for business.
On the other hand, I advise novices to choose file scanning applications that are fully supported, preferably with a phone help desk.

You're right, it is an assumption. My assumption is that the majority of systems are compromised by people downloading and installing malware on their systems, not by XSS attacks that exploit an unpatched system. I suppose they're often tricked into it. I suspect most problems are introduced through social engineering techniques, not by ones that NS can prevent. I have no data to support my opinion, just my observations of what kind of decisions people are prone to make while trying to get things done on the Internet. (I only say XSS attacks because we already have evidence that many users will just keep Allowing with NS until the page seems to work properly. Hence my opinion that "Temporarily Allow all on this page" is the most dangerous selection on the menu.)

On the other hand, as for actually helping other people in the flesh with Firefox, I defer to your experience. You have a better idea what works for your friends than I do. I'm curious. By "file scanning applications", do you mean blacklist-based malware scanners?

[Tom T.]

....Extensions! I continue to think a vanilla Firefox without extensions provides the most trouble-free experience....

Occam's Razor fits perfectly here, as it does in so much of life.

[Grumpy Old Lady]

helping many people

Our library self-help group is around 20 strong most of the time.

But it does make for "Firefox isn't working right" scenarios, and not just ones caused by extension conflicts.

No argument with that, but the assertion I did engage with was

makes Firefox less reliable

and I read that as less predictable; less workable. My choice of "unstable" was perhaps unfortunate.

I continue to think a vanilla Firefox without extensions provides the most trouble-free experience.

Certainly, but that's self-evident. I wouldn't have taken exception to that if you'd used "trouble-free" instead of "reliable".

Anyway, to the security part of things;

By far the most prevalent internet-related computer security problems aren't addressed by any of them, including NoScript

(just repeating it to keep me on the centre of our difference)
and

My assumption is that the majority of systems are compromised by people downloading and installing malware on their systems, not by XSS attacks that exploit an unpatched system. I suppose they're often tricked into it. I suspect most problems are introduced through social engineering techniques, not by ones that NS can prevent.

Multiple assumptions in there:
Downloaded stuff (however engineered - social or tech masked) doesn't involve scripting at any point.
Social engineering techniques don't include scripting at any stage of the compromise.
Unpatched systems not prevalent

Can't agree.
The exploits for active content exist and are used by the black web.
Unpatched machines are legion.
What future use will be made of them is unknown, but a ball-park prediction can be made by those who work in the area.
And you're right that neither of us know the actual figures.
Luntrus would have a much better idea.
I don't believe that security professionals really want it known just how many unpatched, unmaintained home systems are involved in the black net.
The computer maintenance shops I've had dealings with over around 15 years on the net overwhelmingly report mangled, infected, broadcasting, botted, choked hdds when the ma and pa machines are eventually brought to a halt by compromise. Very few of the broken machines have broken hardware. Most of those techs have no time (or background in web security) to do anything except format, install the latest blacklisting application and throw the user back out to the dogs.
Patching? Nice concept if the machine's not already infected.
The friends to whom I recommend NS aren't those who I know are aware technically and who do have support; the ones I recommend NS to are the ones who've already been shafted by this or that compromise and who are making a start with Fx. They, when NS is installed right from the get-go don't appear to have any difficulties adjusting to the allow-on-the-fly concept and otherwise NS/Fx just works.
My own anecdotal data set is about 30 friends (and friends of friends).
I used to participate in this tech forum on the Australian public broadcaster's website
http://www2b.abc.net.au/science/techtalk/
Its resident guru is a malware cleaning volunteer on some of the same forums as luntrus, and she pushes Safe Hex with Fx and NS in her education spiel. The forum is consequently a focus for Australian Fx users and you can pick up some useful anecdote/data about trouble-free Fx experience. Fx/NS is the basic recommendation there too.
Practising Safe Hex like many of us vet Fx users do is understood to be an approach to the net that obviates the use of most assisting applications and many do navigate using default Fx without infection, without protection from active content.
I just don't agree that Fx with NS is any less significantly trouble-free as you assert, and it is on the contrary much more secure for plain users when NS is installed - - even with Allow Globally :facehand: you get the rest of the deal.

Yes, I mean "anti-virus" apps with resident scanners. They work for many, and stuff around with many others. I hate trouble-shooting them.

/serious

[Alan Baxter]

the ones I recommend NS to are the ones who've already been shafted by this or that compromise and who are making a start with Fx.

Ah, these aren't users that don't see what all the fuss is about, like me; these are ones that been burned and are motivated to use NoScript.

Yes, I mean "anti-virus" apps with resident scanners. They work for many, and stuff around with many others. I hate trouble-shooting them.

What do you call a computer whose user relies on an "anti-virus" app with resident scanner for protection? Infected!

I'm afraid I've been a techie far too long to understand what it's like for a normal user. Thank you for sharing your insight.

[Grumpy Old Lady]

Oh well, if I'm baited intelligently I will at least try to dislodge the hook without too much bloodshed; couldn't let a NS-isn't-a security-help statement slip through now, could I :-)
Anyway, now the 1.9.6.x push is over, I'll leave the boards alone for a while. See you :-)

[Tom T.]

...I'm afraid I've been a techie far too long to understand what it's like for a normal user...

Being a more recent learner, and only partly along the path, I *do* understand and empathize with AU (average user), and have tried to use that to advantage, to represent the AU's point of view here. Have sometimes been met with resistance, which I would attribute to exactly that frank and honest admission, which most techies won't admit. I won't bore you or the board with analogous (or analogic; they're not digital) anecdotes from non-tech fields in which I've taught, where the "experts" (one with Olympic gold) couldn't identify with their nervous novices. Cheers.

[Alan Baxter]

Thank you for sharing yours too. Every insight is sacred.