Reviews for All Tabs Helper
All Tabs Helper by Kevin Jones
Review by nttsound
Rating: 1 / 5
By nttsound, 4 years ago
Everything was fine until we read that message today. I concur with the other reviews.
To the developer and whoever may agree with their rant:
You have zero understanding of security unfortunately. Forcing 2FA is not meant to force *YOU* into being more secure. It is in order to guarantee the safety of your *USERS* and by proxy Firefox's users. If your account gets hijacked, your addon can be used to hijack users' browsers.
2FA makes sure that YOU are the only one updating an addon. And also it removes any "plausible deniability" in case an addon has been found to do something questionable. An author can't claim "my account was hacked hence I didn't add that to the code".
It is in EVERYONE's best interest to enforce 2FA and you have no right to refuse security to millions of users with such a moronic excuse that has no merit at all. Enabling 2FA on your account, all it needs is a SINGLE email address. No other information AT ALL.
So we can safely conclude that the addon author specifically does not want to enable 2FA on his account for malicious reasons or he's a complete idiot who did not bother to even check what the process entails and also has zero understanding of security concepts. In any case an audit of the addon's code is in order and we should look for alternatives anyhow as after his statement we have exactly 0 trust in the author.
EDIT: This is a reply to the developer's reply. The world has ALWAYS been wicked. From its inception. It is exactly for this reason that security is required. You may be fed up with the state of the world, I am as well, but this has nothing to do with this particular case. If anything, enforcing 2FA on addon uploads helps REDUCE the effects of the wickedness you're talking about and your stance is literally opposing this. Intuition means nothing in this particular case because it's as simple as 1+1=2 and that's non-negotiable fact. It's not something that your intuition may later on prove you correct or anything of the sort. The facts are these:
1) Addons, through their legitimately required for functioning permissions, provide an attack vector for malicious users.
2) If someone gets access to your account, ALL your userbase is made vulnerable to the attacker.
3) By enabling 2FA on your account you make fact number 2 extremely more difficult to occur.
4) By enforcing 2FA on all addon authors you literally protect millions of users using addons.
It is that simple. So it all boils down to:
A) Do you want millions of users in increased danger because you don't want to provide a single email address (that you may even just use for this reason alone and nothing else) just because your "intuition" tells you otherwise, defying all laws of logic and reason?
B) Do you actually want to help the web and millions of users' devices be safer and more private by making an effort to understand why and support this change by doing something as simple as adding 2FA to your account?
The choice is yours. Make no mistake, this is exactly what you're being called to choose. There are no buts or gray areas. It's either A or B.
Developer response
Posted 4 years ago
Clearly I revealed some ignorance on my part of how 2FA works, but really, the details weren't the important thing. The point was, I was coming up to yet one more thing that makes this world confusing, stressful and a drag. I am 63 years old and grew up in a much more simple time. But more importantly, this was one more thing which is but another poignant symptom of an insanely wicked and declining world, and it would be a constant reminder of it. I then thought, "Okay, I'm done. This isn't fun for me anymore, and I don't need it." I am one who behaves largely out of intuition and I have found that whenever I've been true to that, I later could look back and see how it was the right choice, even though at the time it didn't sound logical or reasonable to some.
I've received about 25 emails now which have all been positive, ranging from extremely supportive, to folks kindly making efforts (successfully) to inform my thinking on 2FA, to folks just expressing their sadness to see I'm quitting. To those folks I am very thankful. They were a sweet contrast to the vitriolic messages that have been published here.
I have always felt that the gifts given to me are not mine to profit from, and have enjoyed sharing them freely with others. There is a pleasant side-effect to living this way and that is I am always free and not beholden to anyone. My public contribution of ATH was for a season, and now it looks like the season has changed.
Regarding the current state of ATH, remember, it is still a working app, still available on AMO, and probably will run for a long time before some Firefox update introduces a bug. I've had maybe one or two bugs introduced from FF updates in 4 years, which have been minor ones. ATH is open source and maybe at some point someone will fork it and continue to update it. The source code is in the addon itself; the .xpi file is just a zipped file. Unzip it and you have the source.
Again here is a link to the last version (in case it disappears from AMO due to lack of updates), as well as a link to it with a .zip extension (so Firefox doesn't try to install it):
kevinallasso.org/alltabshelper/all_tabs_helper-1.2.43-fx.xpi
kevinallasso.org/alltabshelper/all_tabs_helper-1.2.43-fx-source.zip
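The review above calls for an audit of the add-on's code and names permissions as the attack surface, and the developer's reply notes that an .xpi is a zip archive. As an added example (not part of either post and not the add-on's own code), this Python script reads an XPI, lists the permissions its manifest requests, hashes every file, and diffs two versions so that an update adding permissions or changing code stands out. It assumes a WebExtension with `manifest.json` at the archive root; the `BROAD` set and the sample archives are constructed for illustration.

```python
import hashlib
import io
import json
import zipfile

# Illustrative subset of permissions with wide reach into browsing data (assumption of this example).
BROAD = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
         "cookies", "history", "nativeMessaging"}

def audit_xpi(data: bytes) -> dict:
    """Return requested permissions, the broad ones, and a SHA-256 per file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("manifest.json"))
        perms = list(manifest.get("permissions", []))
        # Content-script match patterns also grant page access, so count them.
        for cs in manifest.get("content_scripts", []):
            perms.extend(cs.get("matches", []))
        broad = sorted({p for p in perms if p in BROAD or p.startswith("*://*/")})
        hashes = {n: hashlib.sha256(z.read(n)).hexdigest()
                  for n in z.namelist() if not n.endswith("/")}
    return {"version": manifest.get("version"), "permissions": perms,
            "broad": broad, "hashes": hashes}

def diff_versions(old: dict, new: dict) -> dict:
    """Compare two audits: permissions added and files added or changed."""
    added = sorted(set(new["permissions"]) - set(old["permissions"]))
    changed = sorted(n for n, h in new["hashes"].items()
                     if old["hashes"].get(n) != h)
    return {"added_permissions": added, "changed_files": changed}

def build_sample(version: str, permissions: list, script: str) -> bytes:
    """Build a constructed in-memory XPI so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample",
            "version": version, "permissions": permissions}))
        z.writestr("background.js", script)
    return buf.getvalue()

if __name__ == "__main__":
    old = audit_xpi(build_sample("1.0", ["tabs", "storage"], "// v1"))
    new = audit_xpi(build_sample("1.1", ["tabs", "storage", "<all_urls>", "cookies"], "// v2"))
    print("broad permissions in new version:", new["broad"])
    print(diff_versions(old, new))
```

To audit a downloaded file, pass its bytes: `audit_xpi(open(path, "rb").read())`.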