Security risk, reliability and performance problems for new users


#1

If you installed Kee in Firefox in the past couple of days, you have been given an old version of the extension by Mozilla (the makers of Firefox and managers of the Firefox add-ons marketplace / website).

Existing installations won’t be affected.

Check that you are running a recent version - 2.5 is the latest, but 2.4 is fine too (it just means that the automatic update to 2.5 hasn’t happened - it won’t be long so just check again in a few days if you want). If you are running a version older than 2.4, you should be automatically updated to a working version within a couple of days but I’d recommend asking Firefox to “check for updates” in the Add-ons manager tab to force this update to occur more quickly.

Mozilla are publishing version 2.5 right now - it usually takes less than an hour. Google Chrome users will be updated to v2.5 at least a few days later, just to keep the version numbers the same.

With over 100 “commits” (multiple related changes to the add-on code) over more than a year since the 2.0.0.25 version that Mozilla have distributed in recent days, there are clearly a large number of bugs, missing features and performance problems when compared to the latest version 2.4 released last month.

While there are no known security problems, installing out of date software is always a risk, especially so with security software like Kee. If someone had the inclination, developing an attack against a version over a year old is easier than doing so against the latest version.

It is concerning that this has happened and I have raised my concerns with Mozilla. I am unsure whether the discussion with them will continue and lead to any constructive future changes but I will give that a chance. In the meantime, I feel I need to be upfront with all Kee users about what has happened so that this can alleviate any concerns that would arise from the unusual recent activity.

The simplified facts of the matter are that:

  • Changes to Mozilla’s add-on review policies in the last year or so have meant that they may require modifications to the structure of an add-on’s source code.
  • Kee, unknown to me, was no longer in compliance with one of these changed policies that aims to help Mozilla to efficiently review the large amount of code in the large amount of add-ons for Firefox.
  • Mozilla notified me of this and I sought the policy clarifications required to allow me to develop the changes they requested in a timely manner.
  • Mozilla provided this clarification but only after they had already disabled all versions of the add-on since 2.0.0.25.
  • My requests for this to be reversed have so far received no response.
  • To ensure that new Kee users are not delivered a compromised experience, I have today issued an emergency update to version 2.5.

The changes in v2.5 are broadly insignificant to anyone other than a Mozilla reviewer so I am hopeful that bypassing the usual beta testing and language translation period will cause no problems. Do let me know if you find something that does break though.

I am confident that Mozilla and those working in the add-on review team are acting with all Firefox users’ best interests at the fore - it is scary to think of how many malicious add-ons they must come across every day and just one slip-up could lead to disastrous consequences for users and themselves.

In my opinion, this particular situation could have been handled in a way that showed a greater respect for the users of Kee and those that spend their spare time developing extensions to improve Firefox (e.g. me), and I am hopeful that some minor adjustments to the Mozilla review process will prevent this from happening to Kee or other Firefox add-ons in future.


#2

Thanks for the excellent communication and all the hard work you put into the project!


#3

Dear @luckyrat, thank you for your careful attention to detail, and for spelling out clearly the situation regarding Mozilla vs. Kee. Kee has saved me a lot of time in the last several years, and I appreciate that you continue improving it.

I currently have Kee 2.3.19.1 installed on Firefox 61.0.2, so am attempting to update it per your instructions. However, I regret to report that for some reason the “Check for Updates” link in Kee’s More details page is inoperative. Clicking the link has no effect, whereas clicking this link from the details views of several other extensions caused Firefox to stage the updates. I just tried updating Firefox to 64.0.2 (64 bit) in case that was causing the problem, but find it makes no difference. Please advise.


#4

It looks like Mozilla hasn’t deployed the latest version yet. I don’t know why it’s taking so long this time but I suspect this unresponsive link is because Firefox can’t find the new version yet.

I’ll post an update to this thread once I notice that it is deployed and available, although I can’t be monitoring this 24/7 so someone else might notice and let us know first.


#5

Great work, and thanks for keeping Firefox users informed.

It is these arcane and poorly executed ‘improvements’ from Firefox/Mozilla that caused me to stop using it several years ago. I moved to Pale Moon, and never looked back.

You may want to reconsider your decisions not to support Pale Moon. I still use KeePass, but not Kee.

Harry


#6

@luckyrat Version 2.5.6beta is now available, Firefox automatically updated the plugin today.


#7

As usual, very prompt and professional. Sent a new donation; it is not much but I hope it helps. Thank you!


#8

Thanks for the explanation. On the up side of this situation, it reminded me of how vitally important Kee(fox) is and has been for my daily life on the internet, so I made a new donation, following hellcry’s great idea 🙂

Thanks!


#9

Thanks for the support everyone.

Mozilla have now started rolling out the stable (non beta) version 2.5.6 to all users so the “check update” button will hopefully do its job now.


#10

The code is open source, so if you would like to support Pale Moon, you have the option to. 🙂


#11

“The code is open source, so if you would like to support Pale Moon, you have the option to.”

If I had the technical skills, I certainly would. But I don’t, so I can’t.

Harry


#12

Awesome job with the addin. Really appreciate all the hard work you have put in and the great communication regarding this odd encounter with Mozilla.