Mozilla Firefox

Firefox To Mandate Extension Signing

First time accepted submitter x0ra writes: In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."
  • If only (Score:3, Funny)

    by Anonymous Coward on Wednesday February 11, 2015 @06:37PM (#49033585)

    Now if only conception required signing we'd solve all the world's problems.

  • Start of the End (Score:5, Interesting)

    by JMJimmy ( 2036122 ) on Wednesday February 11, 2015 @06:40PM (#49033603)

    For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

    • Drama queen (Score:4, Insightful)

      by Anonymous Coward on Wednesday February 11, 2015 @06:46PM (#49033649)

      Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

      • Let's say Adblock gets blocked. Do you really think they're going to continue to develop for a non-mainstream audience?

        • Signing doesn't change in any way whether AdBlock Plus can be blocked or not. We get complaints about it on occasion and it's still hosted on the official add-ons site.
          • Comment removed (Score:5, Insightful)

            by account_deleted ( 4530225 ) on Wednesday February 11, 2015 @07:33PM (#49033887)
            Comment removed based on user account deletion
            • by bazorg ( 911295 )

              Developers! Developers! Developers! are obviously very important, but end users are also a stakeholder in this conversation. If today there are closed app markets and signatures it is in part because there are enough developers out there capable of producing malware that looks and behaves like something any buyer would download unless warned not to do so. It's an arms race of sorts, and if you're a developer who prefers to remain anonymous and unaccountable, then it's something that users should be warned o

            • Re:Drama queen (Score:4, Insightful)

              by AmiMoJo ( 196126 ) * on Thursday February 12, 2015 @08:43AM (#49037187) Homepage Journal

              You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, and no-one will use it because it would be insanely insecure.

              Firefox downloads arbitrary data and code from the internet and renders/executes it. That's pretty dangerous, and despite attempts to sandbox and limit the damage it still leads to severe security vulnerabilities. Even worse, some of the people developing add-ons are malicious.

              Mozilla's actions seem quite reasonable. Require code to be signed after automatic review. Allow a way for in-house and development apps to run, the same way that Chrome does and the same way that Microsoft supports in-house ActiveX arbitrary code execution in the browser process. For 99.999% of users it's a massive security win and for 99.999% of developers it won't make the slightest bit of difference.

              The only real danger, and it's way too early to know if it is a real danger or not, is if someone tries to use the courts to stop them signing something like AdBlock or YouTubeDownloader. Attempts have already been made and yet they still host both apps on AMO, so it seems unlikely that merely having to sign the code will change anything. They already have to approve every add-on they host with an automated code review.

              • by Meneth ( 872868 )

                All modern operating systems put restrictions on what software can run on them and what it can do.

                No, they don't. Windows, Linux, the BSDs, OSX, none of those have any mandatory filters. Windows and OSX have some "anti-malware" crap, but those can be disabled.

                Even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it.

                If an app wants root access, it'll pop up a password prompt. If you want it, it can poke anything. :)

              • You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, and no-one will use it because it would be insanely insecure.

                And you are falsely equating user-imposed restrictions with third-party-imposed restri

          • Signing doesn't change in any way whether AdBlock Plus can be blocked or not. We get complaints about it on occasion and it's still hosted on the official add-ons site.

            If you don't sign an extension it's effectively blocked - that's the entire point of signing. The malware douches will find a way around it easily while the rest of the community suffers the consequences. It's a game of whackamole you know you can't win.

        • by ne0n ( 884282 )
          You'd have a massive revolt if Adblock were to be pulled or disabled. Not gonna happen. Hopefully this move will increase the snr among competitive categories like Youtube downloaders (about 54000 fake pieces of crap and 3 good working addons) etc.
          • Re:Drama queen (Score:4, Insightful)

            by sumdumass ( 711423 ) on Wednesday February 11, 2015 @08:04PM (#49034083) Journal

            Well, that is until someone accuses mozilla of aiding copyright distribution by signing and allowing the youtube downloader and they either stop signing them to avoid legal threats or a lawsuit orders it.

            Then it will be 0.

            BTW, conceivably, Adblock can be blocked similarly. All it would take is someone to claim it alters their copyrighted presentation and removes artistic value like when those fundies were bleeping language and cutting r rated scenes from movies. Even if there is no chance in hell of it winning in court, it's questionable if mozilla would spend the money to fight it versus just stop signing the blocking software.

            • Comment removed based on user account deletion
              • Right now it's not a target but neither was napster for the first couple years. Cleanflicks was in business for a couple years before suing to determine legality (which it lost) because just a threat posted on another site was made.

                Just because now does not mean never. Without signing, even if mozilla stopped hosting, you could still find and install. Firesheep was that way- mozilla stopped hosting but you could still grab it and show pointy headed bosses why https was a good idea. With signing, it's just w

            • by AmiMoJo ( 196126 ) *

              There have already been attempts to get these add-ons removed from AMO. Mozilla already does an automatic code review and automated tests of add-ons on their site. Adding a code signing step does nothing to alter the legal situation. If this were a possible avenue of attack it would have been exploited already.

          • Better signal-to-noise ratios in widely used package manager/app store systems is often helpful. As you say, we don't need thousands of copies of the same trivial tool, and we certainly don't need many of them to be substandard implementations or outright malware.

            However, you can achieve that through some sort of endorsement or prioritisation process, without adopting a zero tolerance attitude. The words "without any possible user override" should make anyone nervous about the future of a software ecosystem

          • by Luckyo ( 1726890 )

            To be fair we had several massive revolts so far, with no effect, especially one that came after they gutted FF's UI. A lot of people just left for alternatives.

            None of it had any impact on Mozilla. They just don't give a toss about their userbase.

        • by Luckyo ( 1726890 )

          At this point, Adblock's development is largely irrelevant. As long as adblocking lists are maintained, you as end user are fine. And adblock+ itself has been forked enough times to ensure that someone will keep on developing anyway.

          This is what happened when adblock+ stopped working on Pale Moon for example and adblock+'s creators refused to fix the problem.

          • Adblock is an example addon. Insert the name of any addon.

            Another [i]example[/i] that came to mind almost immediately was FireNES. Never been on AMO due to the content but now will be effectively locked out of the mainstream release of Firefox.

            • No it won't. It only needs to be signed, not distributed on AMO. RTFA.

              Extension files that aren’t hosted on AMO will have to be submitted to AMO for signing. Developers will need to create accounts and a listing for their extension, which will not be public. These files will go through an automated review process and sent back signed if all checks pass. If an add-on doesn’t pass the automated tests, the developer will have the option to request the add-on to be manually checked by our review team. A full review option will also be available for non-AMO add-ons, explained further ahead.

              • I RTFA. If addons require signing they have to be submitted for review by Mozilla. Mozilla becomes a gatekeeper meaning they can in theory be legally forced or simply themselves choose to not sign specific addons. That would effectively block them from being used by mainstream Firefox users who don't know about various builds/etc.

      • by tgv ( 254536 )

        You are really the kind of idiot that brings open source software down. "It's open source, fix it if you don't like it." How many people can do that? Anonymous Coward indeed.

    • by Dracos ( 107777 )

      Did you post this comment from 2010?

    • Remember when Firefox was born as the stripped-down next-generation of the Mozilla Suite? When it was all about getting the code base to the bare minimum and letting the user decide which functions and features they wanted, and let them have those via extensions?
      Yeah, me neither. Must have been a dream.
    • Not really.

      Firefox has been on the road to nowhere a while. This is just a part of the strategy to piss off people who actually try to do things.

      My personal big problem is the certificate handling where firefox does not allow me to say "yes I know that is a bullshit cert but I do not care" as a surprising number of cheap routers ship with bad certificates and thus cannot be administered with firefox.

      • by yuhong ( 1378501 )

        What bad certificates are you talking about?

    • Meh... Firefox has been on an increasingly-sharp decline to shittiness ever since version 3, which rapidly accelerated with 4 and the rapid-release bullshit schedule as well as all the changes for no good reason. Too bad no one ever forked the last good version (aka. Firefox 2.x), and now we're all stuck with either Chrome or a Chrome rip-off, whether we want Chrome or not. I sure as hell do not, and therefore I am fucked. Hopefully the new browser by the guy who co-founded Opera actually turns out to be go

    • by gweihir ( 88907 )

      I agree. Making required signing a strongly advised default is fine, but the user _must_ have a fine-grained way to override it. I guess we will just see more FF forks that fix stupidity like this. There are already quite a few that fix the broken user interface.

    • Comment removed based on user account deletion
      • by wbo ( 1172247 )

        If it's bypassable, legally, then there's no issue. My objection to the Apple iWalledgarden (as an example) has always been that it's not bypassable via any legal means, with Apple always scrambling to prevent users from exploiting the latest method to unlock their devices to allow their own apps to run.

        This is not strictly true. Pretty much anyone can pay the $99 fee to get a developer certificate and then sign any app that they like and install it on up to 100 iOS devices via sideloading - fully supporte

    • I migrated to chrome when firefox started to perform really poorly on Linux. I don't know what they did or why they never fixed it, but it's damned near unusable to me.

    • by marxmarv ( 30295 )

      They jumped the shark when they fired the technical soul of the company because the Other Right Wing had a problem with his lifestyle.

  • by mlts ( 1038732 ) on Wednesday February 11, 2015 @06:42PM (#49033613)

    One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue for the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

    So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

    [1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

    • by aardvarkjoe ( 156801 ) on Wednesday February 11, 2015 @07:00PM (#49033727)

      The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

      Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

      • by wbr1 ( 2538558 )
        If you allow user override, then it is a bit that can be flipped by someone or a process other than the user. If you are trying to block malware, allowing a rogue download to override the setting renders it useless. That would be the reason for not allowing users to choose. And, users with knowledge can still choose. Use a nightly or other than stable release.
        • If you allow user override, then it is a bit that can be flipped by someone or a process other than the user.

          Only if your software or system is already otherwise either compromised or hopelessly mis-designed. Given that this is Firefox, the latter might be possible, I guess. But overall, the notion that an already-compromised system could be compromised again is not a particularly strong reason to cripple your software.

          Use a nightly or other than stable release.

          This is not a good solution for developers who need to test against the stable release builds.

          • This is not a good solution for developers who need to test against the stable release builds.

            I would have said, simply, "This is not a solution."

      • ...the problem is that they don't even allow users to override it.

        This, this, and again fucking THIS.

      • by gweihir ( 88907 )

        I fully agree on the first, and the second is a real problem, especially security-wise. Now developers will probably patch and build FF themselves, and how many are willing and capable to do this?

  • by k8to ( 9046 ) on Wednesday February 11, 2015 @06:54PM (#49033693) Homepage

    I guess I'm happy this won't affect me as their failure to ship a win64 binary has me on nightlies already on windows, and on Linux I end up building my own half the time and can turn this shit off.

    That said, I'm starting to tire of firefox's bad decisions of the month.

  • I don't go nuts with extensions, but there are some I really need to use -- LastPass, Tree Style Tab, Certificate Patrol, NoScript. The "big ones", of course, will get signed, but some of these (like Tree Style Tab) seem to be an "individual working in his garage" type plugin. Will it get signed? If not... that's a problem.
  • by Bryan Bytehead ( 9631 ) <{moc.ecirplnayrb} {ta} {em}> on Wednesday February 11, 2015 @07:07PM (#49033763) Homepage

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    • I've seen that and agree there's a problem. Like some people here have said, I don't go crazy with extensions but for me the Noia theme is an absolute must as the default theme is god awful. So far as I know, two developers have quit developing it and the last one stated the exact reason that you mention i.e. that fixing the breakage in every new release is just too much.

    • Having used both of the weather-related extensions and having given up on them, I can confirm both that I am not a script and that M Bytehead is spot-on.

      And don't get me started about the nauseating and broken default UI and the fact that every time I find a theme that takes care of most of these issues, it's usually just a few weeks before the next FF release declares it "obsolete".

      If I wanted to use Chrome, I'd use Chrome... Opera is no longer distinctive in any meaningful way... Gee, I never thought I'd

  • by Billly Gates ( 198444 ) on Wednesday February 11, 2015 @07:24PM (#49033847) Journal

    This is not 2008 anymore.

    Even IE 8 no really IE 8 has sandboxing and processes per tab starting with Windows 7 back in 2009??!

    Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.

    Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.

    • Comment removed based on user account deletion
  • From the post... (Score:4, Informative)

    by yuhong ( 1378501 ) <yuhongbao_386@nosPam.hotmail.com> on Wednesday February 11, 2015 @07:32PM (#49033885) Homepage

    "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."

    • Then just build in a malwarebytes button and let the people who do that for a living do it for you.

      You don't need to reinvent the wheel or lock everybody out.

  • This is needed (Score:5, Interesting)

    by ericlondaits ( 32714 ) on Wednesday February 11, 2015 @07:34PM (#49033895) Homepage

    This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

    1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

    2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

    3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.
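
A static check for the pattern this comment describes (an extension whose code is really a script pulled from a web server), as an added example that is not part of the original comment and is not Mozilla's review tooling. The file names, file contents and the `cdn.example` host are constructed, and the three regex "sinks" are a simplifying assumption that only catches literal URLs.

```javascript
// Added example: flag remotely hosted script in an unpacked extension.
// File names, contents and the cdn.example host are constructed.

// http(s)://, ftp:// and protocol-relative //host URLs leave the package;
// chrome://, resource:// and relative paths stay inside it.
const REMOTE = /^(?:(?:https?|ftp):)?\/\//i;

// Each sink: which files it applies to, and a regex whose group 1 is the URL.
const SINKS = [
  { name: 'script-src', files: /\.(?:xul|x?html?)$/i,
    re: /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi },
  { name: 'importScripts', files: /\.jsm?$/i,
    re: /\bimportScripts\s*\(\s*["'`]([^"'`]+)["'`]/g },
  // Heuristic: a .src assignment whose literal value ends in .js
  { name: 'dynamic-src', files: /\.jsm?$/i,
    re: /\.src\s*=\s*["'`]([^"'`]+\.js(?:\?[^"'`]*)?)["'`]/g },
];

// 1-based line number of a character offset.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// files: { path: contents }. Returns one finding per remote script reference.
function scanExtension(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const sink of SINKS) {
      if (!sink.files.test(path)) continue;
      for (const m of text.matchAll(sink.re)) {
        if (REMOTE.test(m[1])) {
          findings.push({ path, line: lineOf(text, m.index), sink: sink.name, url: m[1] });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one packaged script, two remote ones, one remote image.
const SAMPLE = {
  'chrome/content/overlay.xul': [
    '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">',
    '  <script type="application/javascript" src="chrome://sample/content/ui.js"/>',
    '  <script type="application/javascript" src="http://cdn.example/player.js"/>',
    '</overlay>',
  ].join('\n'),
  'chrome/content/ui.js': [
    'var s = document.createElement("script");',
    's.src = "//cdn.example/extra.js?v=3";',
    'document.documentElement.appendChild(s);',
    'var icon = new Image(); icon.src = "https://cdn.example/logo.png";',
  ].join('\n'),
};

for (const f of scanExtension(SAMPLE)) {
  console.log(`${f.path}:${f.line} [${f.sink}] ${f.url}`);
}
```

A hit means the reviewed package is not the code that will run: whoever controls the remote file can change the extension's behaviour after review and signing.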

    • Plenty of "legitimate" software has done such things over the years too. The solution is NOT to dictate to me what I run on my machine and NOT to put my blind faith and trust in Mozilla's vendor vetting processes.

      • It's not blind faith since there's at least a process. You can distrust the process and that's acceptable as well... ... but web browsing security is based on a number of sandboxing and scripting restrictions which extensions can bypass. If you can't trust your browser not to perform MiM, key logging and other forms of data stealing you shouldn't use it for anything important either. Trusting the web browser is as vital as trusting the OS... Pages can be adversarial so you depend on the security brought by

    • 1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

      How would signing prevent this? The shady third party would buy the certificate as well as the extension.

      • The extensions are signed by Mozilla after passing a review, you don't sign them yourself. If a shady third party modifies the extension and submits a new malware version it won't pass review when submitted.

  • This reminds me of the time Chrome did this, and a bunch of Chrome users threatened to switch to Firefox... I almost feel bad for them now.
  • I maintain a plugin which I don't host on AMO, because the review process is *glacial*. This nice security measure is going to make sure it will take weeks to get a ten-minute fix to my users.
  • by kav2k ( 1545689 ) on Wednesday February 11, 2015 @08:13PM (#49034145)

    [...] they will have to either test on Developer Edition, Nightly, or one of the unbranded builds [...]

    Yes, there was much outcry when Chrome killed non-signed extensions installs, but at least it allows to load a development ("unpacked") version of any extension in the stable version. This is essential for testing, after all, to ensure it works and you can debug it on the platform most users actually run.

    If FF does not allow it, well, nuts.

  • You place a lot of trust in extensions. This won't exactly stop malicious code, but it will provide a level of accountability.

    And it does not seem all that different from the requirement to sign packages for distro repositories, and we all accept that.

  • by rHBa ( 976986 ) on Wednesday February 11, 2015 @11:12PM (#49035401)
    ...to disable extension signature checking. I'm only half joking

    I understand the reasons for doing this, it's too easy for (l)users to be tricked into installing dodgy addons, but if there is a single SIGNED extension that disables this feature then you at least know the user has seen all the warning messages and (presumably) knows what they are doing.

    Having said that, I don't understand why they couldn't have a user setting similar to what you get when you edit about:config...
  • by Flexagon ( 740643 ) on Thursday February 12, 2015 @01:44AM (#49035973)
    The top extensions that I use are for features that used to be directly in the Firefox UI or even about:config but aren't now. So from my point of view, they've brought this bad situation on themselves.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      They present you this glorified vision of how you will use Firefox. How dare you go install extensions to ruin their vision?

      How do you not see that people like you are the real reason for this change? You will use Firefox as the developers intended, or you will move to Chrome*, where you will get exactly the same bare bones experience.

      If not for people like you, they wouldn't need to be able to block such shady extensions as Classic Theme Restorer and Tabs On Bottom.

      * Which just happens to be written by the

  • by wonkey_monkey ( 2592601 ) on Thursday February 12, 2015 @04:22AM (#49036409) Homepage

    ...is addons.mozilla.org, in case you were wondering.

  • Extension signing should be the way it is in Android - roll a key, register the key and then continue to sign the extension with that key. It means that when a new version of the extension is uploaded the signature can be verified to ensure the extension is a) not tampered with, b) reasonably likely from the same origin.
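
The key-continuity scheme this comment describes, as an added example that is not part of the original comment and is not Mozilla's or Android's code: the first upload pins the developer's public key to the extension ID, and every later version must verify against that pin. The `Registry` class, the extension ID, the package bytes and the integer version numbers are constructed; Ed25519 from Node's built-in `crypto` module is an assumed stand-in for whatever signature scheme a real store would use.

```javascript
// Added example: key continuity (trust on first use) for extension updates.
// Extension ID, package bytes and the Registry class are constructed.
const nodeCrypto = require('crypto');

// SHA-256 over the DER (SPKI) encoding identifies a public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('hex');
}

// Developer side: detached Ed25519 signature over the package bytes.
function signPackage(packageBytes, privateKey) {
  return nodeCrypto.sign(null, packageBytes, privateKey); // Ed25519 takes no digest name
}

class Registry {
  constructor() {
    this.pins = new Map(); // extensionId -> { publicKey, fingerprint, version }
  }

  // Returns 'registered', 'updated', 'key-mismatch', 'bad-signature' or 'rollback'.
  submit({ id, version, packageBytes, signature, publicKey }) {
    const pin = this.pins.get(id);
    // b) same origin: an update must present the key pinned at first upload.
    if (pin && fingerprint(publicKey) !== pin.fingerprint) return 'key-mismatch';
    const key = pin ? pin.publicKey : publicKey;
    // a) not tampered with: the signature must cover exactly these bytes.
    if (!nodeCrypto.verify(null, packageBytes, key, signature)) return 'bad-signature';
    // A validly signed old version must not replace a newer one.
    if (pin && version <= pin.version) return 'rollback';
    this.pins.set(id, { publicKey: key, fingerprint: fingerprint(key), version });
    return pin ? 'updated' : 'registered';
  }
}

function demo() {
  const dev = nodeCrypto.generateKeyPairSync('ed25519');   // original developer
  const other = nodeCrypto.generateKeyPairSync('ed25519'); // anyone else
  const registry = new Registry();
  const id = 'sample-extension@example.invalid';
  const v1 = Buffer.from('constructed package contents, version 1');
  const v2 = Buffer.from('constructed package contents, version 2');
  const v3 = Buffer.from('constructed package contents, version 3');
  const tampered = Buffer.concat([v3, Buffer.from(' plus injected code')]);

  const submit = (version, packageBytes, signature, publicKey) =>
    registry.submit({ id, version, packageBytes, signature, publicKey });

  return [
    submit(1, v1, signPackage(v1, dev.privateKey), dev.publicKey),          // first upload
    submit(2, v2, signPackage(v2, dev.privateKey), dev.publicKey),          // normal update
    submit(3, tampered, signPackage(v3, dev.privateKey), dev.publicKey),    // bytes changed after signing
    submit(3, v3, signPackage(v3, other.privateKey), other.publicKey),      // different key
    submit(3, v3, signPackage(v3, other.privateKey), dev.publicKey),        // claims pinned key, wrong signer
    submit(1, v1, signPackage(v1, dev.privateKey), dev.publicKey),          // replay of old version
  ];
}

console.log(demo());
```

Key continuity only shows that the holder of the pinned key produced the update; a key handed over together with the extension still verifies.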
  • I use several addons which are old as heck and not updated, which (god knows how) continue to work in newer versions, example "Tabs menu" for firefox fixes an incredibly stupid omission (like many) in the Firefox UI.

    Hopefully this decision is reversed.

  • by mlwmohawk ( 801821 ) on Thursday February 12, 2015 @08:02AM (#49037045)

    Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?

    No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.

    Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.

    Time to fork.
