This is one of those occurrences where a technical solution is sought for a non-technical problem. I think Mozilla should rather complain to the EU Commission, especially given that Microsoft already had its fair share from the Commission on browser choice. Otherwise Microsoft will just change the mechanisms needed and Mozilla will have to reverse engineer it again.
This circumvents Microsoft’s anti-hijacking protections that the company built into Windows 10 to ensure malware couldn’t hijack default apps. Microsoft tells us this is not supported in Windows
Beware companies claiming they do something for the security of their users when it also affects their bottom line. Security, “anti-hijacking” and related terms are often used manipulatively (especially in EULAs!).
Restricting browser defaults choice is not an effective security feature for protecting user security or privacy:
Situation: viewing malware sites and suffering a drive-by-attack: I have no reason to believe Edge to be better (on average) than other major browsers.
Situation: malware addons: I have no reason to believe Edge to be better (on average) than other major browsers; all addon sites have reports of malware addons or addon authors turning bad (e.g. selling control of their successful addon).
Situation: malware already running on your computer, wants to change your default browser: by this point it’s too late, making ‘changing the default browser’ more obscure is not an effective defence of a user’s security or privacy.
Making it harder for users to change browser (and directly suggesting they do not do it with a little info box when they try, as Win10 does) is an effective method of enforcing market security. That’s not user security.
Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.
That’s straight out false. Not “all modern browsers” send information like “browsing history” to their makers. Notice how they have designed this sentence to make it feel normal and acceptable.
Whenever we collect data, we want to make sure it’s the right choice for you.
Uhuh. Is that the only reason you share data? Somehow you must be making money off this, otherwise you wouldn’t be doing it, right?
For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service.
Manipulative writing by businesses like this makes me ill. In a different context (e.g. flyers in your letterbox) this style of writing would be considered scam material.
Mozilla has been trying to convince Microsoft to improve its default browser settings in Windows since its open letter to Microsoft in 2015. Nothing has changed, and Windows 11 is now making it even harder to switch default browsers.
Microsoft and anti-competitive practices go hand in hand, nothing to be surprised about.
Yep. I’m in a slightly weird position here: I think Microsoft is right to lock down that API; I just think they’re wrong for unlocking it for Edge. So I’d prefer neither Mozilla nor Edge could pull this stunt.
Theoretically the mechanism could check that the software performing the bypass comes from Microsoft (via cryptographic signature) and is therefore “safe”. It is possible for Microsoft to allow Edge to bypass it and nothing else.
I’m actually sort of surprised they didn’t, but I guess doing it properly would have taken more work.
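A sketch of the publisher allow-list check the comment above describes, added here as an illustration; it is not code from the thread, from Mozilla or from Microsoft, and the real Windows mechanism is not documented on this page. It uses PowerShell’s built-in Get-AuthenticodeSignature; the expected-subject string and the sample browser paths are assumptions.

```powershell
# Added example (not from the thread): decide whether a binary may perform a
# privileged action based on its Authenticode signature and signer.
# Assumptions: the expected subject and the sample paths below are placeholders.

function Test-TrustedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed allow-list entry; a real gate would hold a list of subjects/thumbprints.
        [string] $ExpectedSubject = 'CN=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status must be Valid: an unsigned, self-signed or tampered file fails here.
    # 'Valid' also means the chain terminated at a root the machine trusts,
    # so checking the subject string alone (without this) would be meaningless.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "signature status: $($sig.Status)"
        }
    }

    # Signed by someone is not enough; the signer has to be on the allow-list.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "unexpected signer: $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = $true
        Reason  = 'valid signature from expected publisher'
    }
}

# Usage: audit the browser executables on this machine (constructed sample paths).
@(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
) |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-TrustedSigner -Path $_ } |
    Format-Table -AutoSize
```

Run as written, Firefox is reported as untrusted (signed by Mozilla, not the allow-listed subject) and Edge as trusted, which is exactly the asymmetry the comment objects to. Note the limit of such a check: it attests the file on disk, not the identity of the process that is actually making the change, so it is an input to a decision rather than a complete defence.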
Nothing, of course, which isn’t too surprising, as this is pretty unlikely to have ever been about malware in the first place. If it had been, we’d have seen a real, secure API exposed to developers, whereas this is barely security by obscurity.
What a stupid thing to need to do. Good on Mozilla for getting it done though.
Here are the commits where this feature was added:
Wouldn’t be surprised if Mozilla also did this. Having this workaround in place (and then disarmed by Microsoft) helps build the case.
It reminds me of Epic’s case with Apple. Mozilla may be doing this to force Microsoft’s hand into a scenario they can more easily challenge legally.
Uhhh…
You start to get a sense of manipulation when you read Microsoft’s statements about Edge and privacy:
https://privacy.microsoft.com/en-ca/privacystatement
Was more concerned about the obvious security implications! If ff can do it, what is stopping malware from doing it?
Likewise if Edge can bypass the mechanisms in the background, what’s stopping malware from doing it? Or apparently Firefox 😆😭
Or perhaps it was a silent protest by the engineers involved to allow Firefox to do this.
Nothing is stopping malware engineers from adding associations; SetUserFTA has been available for years.
Well this will work only temporarily.