Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Mozilla Firefox

Firefox To Mandate Extension Signing 196

First time accepted submitter x0ra writes In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."
This discussion has been archived. No new comments can be posted.

Firefox To Mandate Extension Signing

Comments Filter:
  • If only (Score:3, Funny)

    by Anonymous Coward on Wednesday February 11, 2015 @05:37PM (#49033585)

    Now if only conception required signing we'd solve all the worlds problems.

  • Start of th End (Score:5, Interesting)

    by JMJimmy ( 2036122 ) on Wednesday February 11, 2015 @05:40PM (#49033603)

    For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

    • Drama queen (Score:4, Insightful)

      by Anonymous Coward on Wednesday February 11, 2015 @05:46PM (#49033649)

      Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

      • Lets say Adblock gets blocked. Do you really think they're going to continue to develop for a non-mainstream audience?

        • Signing doesn't change in any way whether AdBlock Plus can be blocked or not. We get complaints about it on occasion and it's still hosted on the official add-ons site.
          • Comment removed (Score:5, Insightful)

            by account_deleted ( 4530225 ) on Wednesday February 11, 2015 @06:33PM (#49033887)
            Comment removed based on user account deletion
            • by bazorg ( 911295 )

              Developers! Developers! Developers! are obviously very important, but end users are also a stakeholder in this conversation. If today there are closed app markets and signatures it is in part because there are enough developers out there capable of producing malware that looks and behaves like something any buyer would download unless warned not to do so. It's an arms race of sorts, and if you're a developer who prefers to remain anonymous and unaccountable, then it's something that users should be warned o

            • Re:Drama queen (Score:4, Insightful)

              by AmiMoJo ( 196126 ) * on Thursday February 12, 2015 @07:43AM (#49037187) Homepage Journal

              You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, an no-one will use it because it would be insanely insecure.

              Firefox downloads arbitrary data and code from the internet and renders/executes it. That's pretty dangerous, and despite attempts to sandbox and limit the damage it still leads to severe security vulnerabilities. Even worse, some of the people developing add-ons are malicious.

              Mozilla's actions seem quite reasonable. Require code to be signed after automatic review. Allow a way for in-house and development apps to run, the same way that Chrome does and the same way that Microsoft supports in-house ActiveX arbitrary code execution in the browser process. For 99.999% of users its a massive security win and for 99.999% of developers it won't make the slightest bit of difference.

              The only real danger, and it's way too early to know if it is a real danger or not, is if someone tries to use the courts to stop them signing something like AdBlock or YouTubeDownloader. Attempts have already been made and yet they still host both apps on AMO, so it seems unlikely that merely having to sign the code will change anything. They already have to approve every add-on they most with an automated code review.

              • by Meneth ( 872868 )

                All modern operating systems put restrictions on what software can run on them and what it can do.

                No, they don't. Windows, Linux, the BSDs, OSX, none of those have any mandatory filters. Windows and OSX have some "anti-malware" crap, but those can be disabled.

                Even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it.

                If an app wants root access, it'll pop up a password prompt. If you want it, it can poke anything. :)

              • You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, an no-one will use it because it would be insanely insecure.

                And you are falsely equating user-imposed restrictions with third-party-imposed restri

          • Signing doesn't change in any way whether AdBlock Plus can be blocked or not. We get complaints about it on occasion and it's still hosted on the official add-ons site.

            If you don't sign an extension it's effectively blocked - that's the entire point of signing. The malware douches will find a way around it easily while the rest of the community suffers the consequences. It's a game of whackamole you know you can't win.

        • by ne0n ( 884282 )
          You'd have a massive revolt if Adblock were to be pulled or disabled. Not gonna happen. Hopefully this move will increase the snr among competitive categories like Youtube downloaders (about 54000 fake pieces of crap and 3 good working addons) etc.
          • Re:Drama queen (Score:4, Insightful)

            by sumdumass ( 711423 ) on Wednesday February 11, 2015 @07:04PM (#49034083) Journal

            Well, that is until someone accuses mozilla of aiding copyright distribution by signing and allowing the youtube downloader and they eith stop signing them to avoid legal threats or a lawsuit orders it.

            Then it will be 0.

            BTW, concievably, add block can be blocked similarly. Al it would take is someone to claim it alters their copyrighted presentation and removes artistic value like when those fundies were bleeping language and cutting r rated scenes from movies. Even if there is no chance in hell of it winning in court, its questionable if mozilla would spend the money to fight it verses just stop signing the blocking software.

            • Comment removed based on user account deletion
              • Right now its not a target but neither was napster for the first couple years. Cleanflicks was in budinedd for a couple years before suing to determine legality (which it lost) because just a threat posted on another site was made.

                Just because now does not mean never. Without sighning, even if mozilla stoppdd hosting, you coild still fine and install. Fire sheep was that way- mozilla stopped hosting but you could still grab it and show pointy headed bosses why https was a good idea. With signing, its just w

            • by AmiMoJo ( 196126 ) *

              There have already been attempts to get these add-ons removed from AMO. Mozilla already does an automatic code review and automated tests of add-ons on their site. Adding a code signing step does nothing to alter the legal situation. If this were a possible avenue of attack it would have been exploited already.

          • Better signal-to-noise ratios in widely used package manager/app store systems is often helpful. As you say, we don't need thousands of copies of the same trivial tool, and we certainly don't need many of them to be substandard implementations or outright malware.

            However, you can achieve that through some sort of endorsement or prioritisation process, without adopting a zero tolerance attitude. The words "without any possible user override" should make anyone nervous about the future of a software ecosystem

          • by Luckyo ( 1726890 )

            To be fair we had several massive revolts so far, with no effect, especially one that came after they gutted FF's UI. A lot of people just left for alternatives.

            None of it had any impact on Mozilla. They just don't give a toss about their userbase.

        • by Luckyo ( 1726890 )

          At this point, Adblock's development is largely irrelevant. As long as adblocking lists are maintained, you as end user are fine. And ablock+ itself has been forked enough times to ensure that someone will keep on developing anyway.

          This is what happened when adblock+ stopped working on Pale Moon for example and adblock+'s creators refused to fix the problem.

          • Adblock is an example addon. Insert the name of any addon.

            Another [i]example[/i] that came to mind almost immediately was FireNES. Never been on AMO due to the content but now will be effectively locked out of the mainstream release of Firefox.

            • No it won't. It only needs to be signed, not distributed on AMO. RTFA.

              Extension files that aren’t hosted on AMO will have to be submitted to AMO for signing. Developers will need to create accounts and a listing for their extension, which will not be public. These files will go through an automated review process and sent back signed if all checks pass. If an add-on doesn’t pass the automated tests, the developer will have the option to request the add-on to be manually checked by our review team. A full review option will also be available for non-AMO add-ons, explained further ahead.

              • I RTFA. If addons require signing they have to be submitted for review by Mozilla. Mozilla becomes a gatekeeper meaning they can in theory be legally forced or simply themselves choose to not sign specific addons. That would effectively block them from being used by mainstream Firefox users who don't know about various builds/etc.

      • by tgv ( 254536 )

        You are really the kind of idiot that brings open source software down. "It's open source, fix it if you don't like it." How many people can do that? Anonymous Coward indeed.

    • by Dracos ( 107777 )

      Did you post this comment from 2010?

    • Remember when Firefox was born as the stripped-down next-generation of the Mozilla Suite? When it was all about getting the code base to the bare minimum and letting the user decide which functions and features they wanted, and let them have those via extensions?
      Yeah, me neither. Must have been a dream.
    • Not really.

      Firefox has been on the road to nowhere a while. This is just a part of the strategy to piss off people who actually try to do things.

      My personal big problem is the certificate handling where firefox does not allow me to say "yes I know that is a bullshit cert but I do not care" as a surprising number of cheap routers ship with bad certificates and thus cannot be administered with firefox.

      • by yuhong ( 1378501 )

        What bad certificates are you talking about?

    • Meh... Firefox has been on an increasingly-sharp decline to shittiness ever since version 3, which rapidly accelerated with 4 and the rapid-release bullshit schedule as well as all the changes for no good reason. Too bad no one ever forked the last good version (aka. Firefox 2.x), and now we're all stuck with either Chrome or a Chrome rip-off, whether we want Chrome or not. I sure as hell do not, and therefore I am fucked. Hopefully the new browser by the guy who co-founded Opera actually turns out to be go

    • by gweihir ( 88907 )

      I agree. Making required signing a strongly advised default is fine, but the user _must_ have a fine-grained way to override it. I guess we will just see more FF forks that fix stupidity like this. There are already quite a few that fix the broken user interface.

    • Comment removed based on user account deletion
      • by wbo ( 1172247 )

        If it's bypassable, legally, then there's no issue. My objection to the Apple iWalledgarden (as an example) has always been that it's not bypassable via any legal means, with Apple always scrambling to prevent users from exploiting the latest method to unlock their devices to allow their own apps to run.

        This is not strictly true. Pretty much anyone can pay the $99 fee to get a developer certificate and then sign any app that they like and install it on up to 100 iOS devices via sideloading - fully supporte

    • I migrated to chrome when firefox started to perform really poorly on Linux. I don't know what they did or why they never fixed it, but it's damned near unusable to me.

    • by marxmarv ( 30295 )

      They jumped the shark when they fired the technical soul of the company because the Other Right Wing had a problem with his lifestyle.

  • by mlts ( 1038732 ) on Wednesday February 11, 2015 @05:42PM (#49033613)

    One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

    So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

    [1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

    • by aardvarkjoe ( 156801 ) on Wednesday February 11, 2015 @06:00PM (#49033727)

      The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

      Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

      • by wbr1 ( 2538558 )
        If you allow user override, then it is a bit that can be flipped by someone or a process other than the user. If you are trying to block malware, allowing a rouge download to override the setting renders it useless. That would be the reason for not allowing users to chose. And, users with knowledge can still choose. Use a nightly or other than stable release.
        • If you allow user override, then it is a bit that can be flipped by someone or a process other than the user.

          Only if your software or system is already otherwise either compromised or hopelessly mis-designed. Given that this is Firefox, the latter might be possible, I guess. But overall, the notion that an already-compromised system could be compromised again is not a particularly strong reason to cripple your software.

          Use a nightly or other than stable release.

          This is not a good solution for developers who need to test against the stable release builds.

          • This is not a good solution for developers who need to test against the stable release builds.

            I would have said, simply, "This is not a solution."

      • ...the problem is that they don't even allow users to override it.

        This, this, and again fucking THIS.

      • by gweihir ( 88907 )

        I fully agree on the first, and the second is a real problem, especially security-wise. Now developers will probably patch and build FF themselves, and how many are willing and capable to do this?

  • by k8to ( 9046 ) on Wednesday February 11, 2015 @05:54PM (#49033693) Homepage

    I guess I'm happy this won't affect me as their failure to ship a win64 binary has me on nightlies already on windows, and on Linux I end up building my own half the time and can turn this shit off.

    That said, I'm starting to tire of firefox's bad decisions of the month.

  • I don't go nuts with extensions, but there are some I really need to use -- LastPass, Tree Style Tab, Certificate Patrol, NoScript. The "big ones", of course, will get signed, but some of these (like Tree Style Tab) seem to be an "individual working in his garage" type plugin. Will it get signed? If not... that's a problem.
  • by Bryan Bytehead ( 9631 ) <meNO@SPAMbryanlprice.com> on Wednesday February 11, 2015 @06:07PM (#49033763) Homepage

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers' are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    • I've seen that and agree there's a problem. Like some people here have said, I don't go crazy with extensions but for me the Noia theme is an absolute must as the default theme is god awful. So far as I know, two developers have quit developing it and the last one stated the exact reason that you mention i.e. that fixing the breakage in every new release is just too much.

    • Having used both of the weather-related extensions and having given up on them, I can confirm both that I am not a script and that M Bytehead is spot-on.

      And don't get me started about the nauseating and broken default UI and the fact that every time I find a theme that takes care of most of these issues, it's usually just a few weeks before the next FF release declares it "obsolete".

      If I wanted to use Chrome, I'd use Chrome... Opera is no longer distinctive in any meaningful way... Gee, I never thought I'd

  • by Billly Gates ( 198444 ) on Wednesday February 11, 2015 @06:24PM (#49033847) Journal

    This is not 2008 anymore.

    Even IE 8 no really IE 8 has sandboxing and processes per tab starting with Windows 7 back in 2009??!

    Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.

    Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.

    • Comment removed based on user account deletion
  • From the post... (Score:4, Informative)

    by yuhong ( 1378501 ) <yuhongbao_386@@@hotmail...com> on Wednesday February 11, 2015 @06:32PM (#49033885) Homepage

    "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."

    • Then just build in a malwarebytes button and let the people who do that for a living do it for you.

      You don't need to reinvent the wheel or lock everybody out.

  • This is needed (Score:5, Interesting)

    by ericlondaits ( 32714 ) on Wednesday February 11, 2015 @06:34PM (#49033895) Homepage

    This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

    1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

    2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

    3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.

    • Plenty of "legitimate" software has done such things over the years too. The solution is NOT to dictate to me what I run on my machine and NOT to put my blind faith and trust in Mozilla's vendor vetting processes.

      • It's not blind faith since there's at least a process. You can distrust the process and that's acceptable as well... ... but web browsing security is based on a number of sandboxing and scripting restrictions which extensions can bypass. If you can't trust your browser not to perform MiM, key logging and other forms of data stealing you shouldn't use it for anything important either. Trusting the web browser is as vital as trusting the OS... Pages can be adversarial so you depend on the security brought by

    • 1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

      How would signing prevent this? The shady third party would buy the certificate as well as the extension.

      • The extensions are signed by Mozilla after passing a review, you don't sign them yourself. If a shady third party modifies the extension and submits a new malware version it won't pass review when submitted.

  • This reminds me of the time Chrome did this, and a bunch of Chrome users threatened to switch to Firefox... I almost feel bad for them now.
  • I maintain a plugin which I don't host on AMO, because the review process is *glacial*. This nice security measure is going to make sure it will take weeks to get a ten-minute fix to my users.
  • by kav2k ( 1545689 ) on Wednesday February 11, 2015 @07:13PM (#49034145)

    [...] they will have to either test on Developer Edition, Nightly, or one of the unbranded builds [...]

    Yes, there was much outcry when Chrome killed non-signed extensions installs, but at least it allows to load a development ("unpacked") version of any extension in the stable version. This is essential for testing, after all, to ensure it works and you can debug it on the platform most users actually run.

    If FF does not allow it, well, nuts.

  • You place a lot of trust in extensions. This won't exactly stop malcious code, but it will provide a level of accountability.

    And it does not seem all that different from the requirement to sign packages for distro repositores, and we all accept that.

  • by rHBa ( 976986 ) on Wednesday February 11, 2015 @10:12PM (#49035401)
    ...to disable extension signature checking. I'm only half joking

    I understand the reasons for doing this, it's too easy for (l)users to be tricked into installing dodgy addons, but if there is a single SIGNED extension that disables this feature then you at least know the user has seen all the warning messages and (presumable) knows what they are doing.

    Having said that, I don't understand why they couldn't have a user setting similar to what you get when you edit about:config...
  • by Flexagon ( 740643 ) on Thursday February 12, 2015 @12:44AM (#49035973)
    The top extensions that I use are for features that used to be directly in the Firefox UI or even about:config but aren't now. So from my point of view, they've brought this bad situation on themselves.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      They present you this glorified vision of how you will use Firefox. How dare you go install extensions to ruin their vision?

      How do you not see that people like you are the real reason for this change? You will use Firefox as the developers intended, or you will move to Chrome*, where you will get exactly the same bare bones experience.

      If not for people like you, they wouldn't need to be able to block such shady extensions as Classic Theme Restorer and Tabs On Bottom.

      * Which just happens to be written by the

  • by wonkey_monkey ( 2592601 ) on Thursday February 12, 2015 @03:22AM (#49036409) Homepage

    ...is addons.mozilla.org, in case you were wondering.

  • Extension signing should be the way it is in Android - roll a key, register the key and then continue to sign the extension with that key. It means that when a new version of the extension is uploaded the signature can be verified to ensure the extension is a) not tampered with, b) reasonably likely from the same origin.
  • I use several addons which are old as heck and not updated, which (god knows how) continue to work in newer versions, example "Tabs menu" for firefox fixes an incredibly stupid omission (like many) in the Firefox UI.

    Hopefully this decision is reversed.

  • by mlwmohawk ( 801821 ) on Thursday February 12, 2015 @07:02AM (#49037045)

    Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?

    No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.

    Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.

    Time to fork.

No spitting on the Bus! Thank you, The Mgt.

Working...