Firefox To Mandate Extension Signing
First time accepted submitter x0ra writes: In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."
Now if only conception required signing we'd solve all the world's problems.
For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.
One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue for the bad guys to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.
So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.
[1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.
Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?
Sorry, this is beyond nuisance.
I guess I'm happy this won't affect me as their failure to ship a win64 binary has me on nightlies already on windows, and on Linux I end up building my own half the time and can turn this shit off.
That said, I'm starting to tire of firefox's bad decisions of the month.
-josh
I don't go nuts with extensions, but there are some I really need to use -- LastPass, Tree Style Tab, Certificate Patrol, NoScript. The "big ones", of course, will get signed, but some of these (like Tree Style Tab) seem to be an "individual working in his garage" type plugin. Will it get signed? If not... that's a problem.
Based on the fact that they have an auto-signing mechanism, and any decent addon should be on AMO anyhow (thus getting signed as part of the review process), I think it's safe to say you're covered. The risk here is that if the auto-signing isn't good enough, we'll see even more addons languishing in the review queue.
I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.
Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.
Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.
Bryan
Fuck those useless toolbars.
This is not 2008 anymore.
Even IE 8 no really IE 8 has sandboxing and processes per tab starting with Windows 7 back in 2009??!
Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.
Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.
http://saveie6.com/
"Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."
This is needed because people don't realize how much exposure to malware extensions give them. Three examples:
1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?
2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the American version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.
3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
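The manual check described in example 3 of the comment above (opening the extension and finding that it does nothing but include a script from a web server) can be automated. This is an added example, not part of the original discussion: the regular expressions are heuristics, and the sample archive, its file names and the `example.invalid` URLs are constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic rules; group 1 captures the remote URL. Not exhaustive.
REMOTE_CODE_PATTERNS = [
    ("script-tag", re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*[\"']((?:https?:)?//[^\"']+)", re.I)),
    ("dynamic-src", re.compile(
        r"\.src\s*=\s*[\"']((?:https?:)?//[^\"']+)", re.I)),
    ("importScripts", re.compile(
        r"\bimportScripts\s*\(\s*[\"']((?:https?:)?//[^\"']+)", re.I)),
]
TEXT_SUFFIXES = (".js", ".jsm", ".html", ".htm", ".xul", ".xhtml")


def find_remote_includes(xpi_bytes):
    """Return sorted (member, line_no, rule, url) tuples for remote code loads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for rule, pattern in REMOTE_CODE_PATTERNS:
                    match = pattern.search(line)
                    if match:
                        findings.append((name, line_no, rule, match.group(1)))
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample: one packaged script, two remotely loaded ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("install.rdf", "<RDF/>")
        archive.writestr(
            "chrome/content/overlay.xul",
            "<overlay>\n"
            '  <script src="chrome://sample/content/local.js"/>\n'
            '  <script type="application/javascript" '
            'src="https://cdn.example.invalid/player.js"/>\n'
            "</overlay>\n")
        archive.writestr(
            "chrome/content/local.js",
            'var s = document.createElement("script");\n'
            's.src = "//cdn.example.invalid/extra.js";\n')
    return buf.getvalue()


if __name__ == "__main__":
    for member, line_no, rule, url in find_remote_includes(build_sample_xpi()):
        print(f"{member}:{line_no}: {rule}: loads code from {url}")
```

A hit means the code that actually runs in the extension's privileged context is whatever the remote server returns at load time, so reviewing or signing the package alone says nothing about it.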
Whenever talking about signing, it is ridiculous and irresponsible to not mention signed by who, even if it seems obvious to you. In this instance, they are talking about the extensions having to be signed by Mozilla.
And then once you make that explicit, then you realize: oh, it actually shouldn't have been obvious who the signer is at all, since there are lots of ways to approach this kind of problem.
So I guess what I'm saying, is shame on the submitter's summary. IMHO you left out the most important part.
This reminds me of the time Chrome did this, and a bunch of Chrome users threatened to switch to Firefox... I almost feel bad for them now.
Better signal-to-noise ratios in widely used package manager/app store systems is often helpful. As you say, we don't need thousands of copies of the same trivial tool, and we certainly don't need many of them to be substandard implementations or outright malware.
However, you can achieve that through some sort of endorsement or prioritisation process, without adopting a zero tolerance attitude. The words "without any possible user override" should make anyone nervous about the future of a software ecosystem, because the words "so anything the user wants to do is subject to approval by a gatekeeper with their own best interests at heart" implicitly follow.
The state of the browser world is not a happy one at the moment, as Google/Chrome is already almost established as the new Microsoft/IE from the first big browser wars, and now both Mozilla and Microsoft seem determined to chase Google instead of staying true to the different, distinctive, but still widely valued principles and policies they followed a few years ago. If Chrome want to go killing off useful but older technologies and adding bleeding edge features every few weeks, let them, some people will enjoy it. But let Microsoft continue to focus on things like stability, quality of implementation and large deployments over pushing bleeding edge developments, and let Mozilla continue to provide an independent competing browser and an open ecosystem with a solid basic product and the flexibility to install or even write plug-ins to enhance it as each user wanted.
There's plenty of room for everyone, and there's a certain hypocrisy in arguing for locking down the plug-in ecosystem to prevent the proliferation of substandard clones at a time when both the IE and Firefox teams seem obsessed with chasing Chrome instead of playing to their own strengths and innovating in other ways.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I maintain a plugin which I don't host on AMO, because the review process is *glacial*. This nice security measure is going to make sure it will take weeks to get a ten-minute fix to my users.
[...] they will have to either test on Developer Edition, Nightly, or one of the unbranded builds [...]
Yes, there was much outcry when Chrome killed non-signed extensions installs, but at least it allows to load a development ("unpacked") version of any extension in the stable version. This is essential for testing, after all, to ensure it works and you can debug it on the platform most users actually run.
If FF does not allow it, well, nuts.
You place a lot of trust in extensions. This won't exactly stop malicious code, but it will provide a level of accountability.
And it does not seem all that different from the requirement to sign packages for distro repositories, and we all accept that.
Does this mean that I will no longer be able to develop a Firefox extension and place it on my website for the public to download and install? Instead, I have to submit it to AMO, and pray to god that Mozilla approves of my extension and what it does? That they don't disagree with its purpose for some political or philosophical reason, and that Mozilla aren't pressured by a corporate sponsor into not signing my extension?
Suppose I've built an extension that cleans up the Yahoo Search interface, for example. Yahoo, from whom Firefox now gets funding, would never condone it. At present, anyone who wants my extension can get it from my website. Now it will simply be silenced? Sorry, bub, if your extension doesn't pass our official Corporate Muster, you're shit out of luck?
If so, to hell with that and to hell with Mozilla. Firefox was a great experiment while it lasted; thanks for a few years of fun.
...to disable extension signature checking. I'm only half joking
I understand the reasons for doing this, it's too easy for (l)users to be tricked into installing dodgy addons, but if there is a single SIGNED extension that disables this feature then you at least know the user has seen all the warning messages and (presumably) knows what they are doing.
Having said that, I don't understand why they couldn't have a user setting similar to what you get when you edit about:config...
Social coding turned open source into DeviantArt. When I started coding it felt like programmers shared work to sharpen each other's skills and inspire. Now it feels like everyone's just interested in feeding their own ego.
The top extensions that I use are for features that used to be directly in the Firefox UI or even about:config but aren't now. So from my point of view, they've brought this bad situation on themselves.
Been online since the start. Never used one. I just don't see the need. (except flash plugin, but will hopefully eventually die, and I have plugins set to click-to-play in my browser)
Adblock? A total of about 20 entries in my hosts file blocks 99% of ads (and works within network tv flash players). The majority of ads online come from google. About eight entries is all it takes to block those. Meanwhile Adblock is taking money to UNBLOCK ads. Nope. Do not want.
googlesyndication.com
pagead2.googlesyndication.com
tpc.googlesyndication.com
ad.doubleclick.net
googleads.g.doubleclick.net
cm.g.doubleclick.net
pubads.g.doubleclick.net
bid.g.doubleclick.net
c.casalemedia.com
l.betrad.com
c.betrad.com
openx.blindferret.com
blindferret.com
content.yieldmanager.edgesuite.net
cdnx.tribalfusion.com
cdn1.bnmla.com
^ these entries block almost all ads. Some are probably not needed. (slashdot won't let me put the 127.0.0.1 on each line...Grr)
For Qupzilla! :-P
well _someone_ is pushing for this..
so what addons would _fail_ the extension signing?
who lobbied for this, the devs for the top 10 extensions?
world was created 5 seconds before this post as it is.
...is addons.mozilla.org, in case you were wondering.
systemd is Roko's Basilisk.
"(...) they will have to either test on Developer Edition, Nightly, or one of the unbranded builds" ... and suddenly downloads of the Developer Edition jumped to millions. But I guess people on Debian using Iceweasel don't have to worry, right?
Extension signing should be the way it is in Android - roll a key, register the key and then continue to sign the extension with that key. It means that when a new version of the extension is uploaded the signature can be verified to ensure the extension is a) not tampered with, b) reasonably likely from the same origin.
I use several addons which are old as heck and not updated, which (god knows how) continue to work in newer versions, example "Tabs menu" for firefox fixes an incredibly stupid omission (like many) in the Firefox UI.
Hopefully this decision is reversed.
Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?
No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.
Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.
Time to fork.
“Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.”
Extension signing would do NOTHING to prevent this. Your stated reason for not allowing an about:config setting to disable the “feature” is that “malicious add-ons and applications can easily manipulate those settings” that means malicious applications can easily manipulate the homepage and search settings, too! In other words, the first two use cases you listed are moot.
Also, unless you plan to also require signing of all userscripts for extensions like Greasemonkey, a malicious application could simply install the (signed) Greasemonkey extension and then enable their own malicious userscript, allowing them to inject advertisements into Web pages and malicious scripts into social media sites, your second two use cases.
None of your use cases have been addressed. This is BS.
I have non-public personal extensions that I want to continue using. I don’t want to have to provide my code to Mozilla just so that I can continue using it.
Pretty much anyone can pay the $99 fee to get a developer certificate
Plus a $650 Mac on which to install it. Plus $99 for each additional year after it expires.
If "unbranded builds" are what I understand them to be, they are built from exactly the same sources in the same way, except for sources containing the Firefox name and logo.
before Mozilla and FDF combine in some way. They're made for each other.
Of course, the blame should be laid entirely at the feet of the SJWs who were willing to trade anyone else's community for the gracious permission of the elites to join white society and kick down as a married couple...
/. -- the Free Republic of technology.
It happens that an extension does not install because the firefox version does not match.
The only thing not OK is the developer not having submitted a new file where the version is changed.
I usually unpack the extension, change the firefox version and repack it again.
And it works flawlessly.
Now, with signing, this will probably be impossible.
Pinning firefox in apt ...
Atari rules... ermm... ruled.