Firefox To Mandate Extension Signing

First time accepted submitter x0ra writes In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

Start of th End

[JMJimmy]

For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

Re:Start of th End

The beauty of open source is that you can go in, disable the signing requirement, and compile your own binary.

It looks to me like this is a move to protect regular users from malicious plugins. If you want to use plugins that aren't Mozilla approved, you just have to have a bit of a clue.

This is a good thing overall...

[mlts]

One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

[1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

This is needed

[ericlondaits]

This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.

Re:My top extensions are former Firefox features

They present you this glorified vision of how you will use Firefox. How dare you go install extensions to ruin their vision?

How do you not see that people like you are the real reason for this change? You will use Firefox as the developers intended, or you will move to Chrome*, where you will get exactly the same bare bones experience.

If not for people like you, they wouldn't need to be able to block such shady extensions as Classic Theme Restorer and Tabs On Bottom.

* Which just happens to be written by the same company that paid for most of the implementation of this vision).

When you have control, you have liability

[mlwmohawk]

Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?

No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.

Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.

Time to fork.