Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox To Mandate Extension Signing

Posted by samzenpus on from the changing-things-up dept.

First time accepted submitter x0ra writes In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

43 of 196 comments (clear)

  1. If only by Anonymous Coward · · Score: 3, Funny

    Now if only conception required signing we'd solve all the worlds problems.

  2. Start of th End by JMJimmy · · Score: 4, Interesting

    For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

    1. Re:Start of th End by Anonymous+Brave+Guy · · Score: 3, Informative

      The beauty of open source is that you can go in, disable the signing requirement, and compile your own binary.

      You can, but 99.999% of Firefox users won't, and probably 99.99% couldn't do it even if they wanted to. Even the geeks who could mostly won't have the time to learn a major OSS code base like Firefox's in order to actually do it.

      I've looked at contributing to this sort of project a few times to see if I could help out. I've then given up when I realised it would take me longer just to set up the development environment and be able to build it than it would take me to write from scratch and give away entire useful software packages of my own, or to chip in a significant amount of extra help to some existing small but useful project on someone's GitHub that they are otherwise trying to maintain alone or with just a couple of regular contributors.

      In practice, that lack of user base then has a direct effect on some add-on developers, and if those developers stop producing or maintaining their add-ons then even users who have compiled their own unlocked version of Firefox won't be able to enjoy them. Killing off part of an ecosystem affects everyone.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Start of th End by Zontar+The+Mindless · · Score: 3, Insightful

      I'm still pissed about them moving the tab bar to the top of the UI, thereby throwing the tab paradigm right out the window, and forcing me to go find a hack to get back what was perfectly sensible and should never have been changed like that in the first place.

      I'm forced to hack extensions almost weekly because the default for each new release is simply to declare all existing extensions "outdated/incompatible" when this is obviously not true in the vast majority of cases.

      It's almost as if someone said, "Now that we've lured in all these users, let's see how much abuse they'll take before they leave again."

      --
      Il n'y a pas de Planet B.
    3. Re:Start of th End by gweihir · · Score: 2

      I agree. Making required signing a strongly advised default is fine, but the user _must_ have a fine-grained way to override it. I guess we will just see more FF forks that fix stupidity like this. There are already quite a few that fix the broken user interface.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Start of th End by marxmarv · · Score: 2

      They jumped the shark when they fired the technical soul of the company because the Other Right Wing had a problem with his lifestyle.

      --
      /. -- the Free Republic of technology.
  3. This is a good thing overall... by mlts · · Score: 5, Interesting

    One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

    So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

    [1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

    1. Re:This is a good thing overall... by aardvarkjoe · · Score: 4, Insightful

      The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

      Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:This is a good thing overall... by aardvarkjoe · · Score: 3, Insightful

      Re-read that sentence, specifically the word "special." If it's a special developer build, then it's not the same thing that your users are using.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:This is a good thing overall... by aardvarkjoe · · Score: 3, Informative

      A security feature that can be easily overridden is not a security feature.

      That's just stupid. So passwords are not a security feature if you can disable them? Disabling telnet access by default to a computer is not a security feature? Blocking Flash or Javascript in a browser is not a security feature if you can turn them back on? HTTPS access to a web site is not a security feature if you can access it via HTTP?

      The default should be the one that is right for most people, but that's no reason to cripple your software for those that have other needs.

      Chrome did the same thing months(Maybe even more than a year?) ago.

      Chrome allows the user to re-enable installation of unsigned extensions.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    4. Re:This is a good thing overall... by Anonymous+Brave+Guy · · Score: 2

      A security feature that can be easily overridden is not a security feature.

      And a system so "secure" that the user can no longer use it for its original purpose is a failure. My house would be more secure against intruders if I concreted over all the windows and doors, but it wouldn't be a very useful house any more.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:This is a good thing overall... by Anonymous Coward · · Score: 3, Insightful

      "what extensions do you use on any regular basis that are not off the mozilla extension archives"

      oh just a few that interface with our CMS, a few that Mozilla will never see (unless they come work for us), because our extensions are none of their fucking business

    6. Re:This is a good thing overall... by aardvarkjoe · · Score: 2

      If you allow user override, then it is a bit that can be flipped by someone or a process other than the user.

      Only if your software or system is already otherwise either compromised or hopelessly mis-designed. Given that this is Firefox, the latter might be possible, I guess. But overall, the notion that an already-compromised system could be compromised again is not a particularly strong reason to cripple your software.

      Use a nightly or other than stable release.

      This is not a good solution for developers who need to test against the stable release builds.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  4. Drama queen by Anonymous Coward · · Score: 4, Insightful

    Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

    1. Re:Drama queen by Sir_Substance · · Score: 5, Insightful

      I'd like to express my personal dislike to you as a developer for any process where I must acquire your approval in any fashion to develop for your platform.

      I'm doing you a favor mate, the least you can do is not make doing that favor harder than it need be.

    2. Re:Drama queen by sumdumass · · Score: 3, Insightful

      Well, that is until someone accuses mozilla of aiding copyright distribution by signing and allowing the youtube downloader and they eith stop signing them to avoid legal threats or a lawsuit orders it.

      Then it will be 0.

      BTW, concievably, add block can be blocked similarly. Al it would take is someone to claim it alters their copyrighted presentation and removes artistic value like when those fundies were bleeping language and cutting r rated scenes from movies. Even if there is no chance in hell of it winning in court, its questionable if mozilla would spend the money to fight it verses just stop signing the blocking software.

    3. Re:Drama queen by HBI · · Score: 4, Insightful

      They won't have many users at all if they piss off the extension developers sufficiently. The whole reason FF got the uptake it did was because of the very evangelizing users who care about extensions. I know of dozens of people who would not have ever had Firefox but for me.

      The fact that this isn't even realized is sad, but understandable. The reason FF is losing users now can be traced to many things, but any road to recovery is being hindered by pissing off the precise people that got them to where they were.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:Drama queen by JMJimmy · · Score: 4, Informative

      Extensions are what got me to switch away from IE way back in the day. There's a core half dozen of them that are invaluable.

    5. Re:Drama queen by JMJimmy · · Score: 2

      Adblock is an example addon. Insert the name of any addon.

      Another [i]example[/i] that came to mind almost immediately was FireNES. Never been on AMO due to the content but now will be effectively locked out of the mainstream release of Firefox.

    6. Re:Drama queen by bazorg · · Score: 2

      Developers! Developers! Developers! are obviously very important, but end users are also a stakeholder in this conversation. If today there are closed app markets and signatures it is in part because there are enough developers out there capable of producing malware that looks and behaves like something any buyer would download unless warned not to do so. It's an arms race of sorts, and if you're a developer who prefers to remain anonymous and unaccountable, then it's something that users should be warned of when they come across your applications/extensions.

    7. Re:Drama queen by AmiMoJo · · Score: 3, Insightful

      You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, an no-one will use it because it would be insanely insecure.

      Firefox downloads arbitrary data and code from the internet and renders/executes it. That's pretty dangerous, and despite attempts to sandbox and limit the damage it still leads to severe security vulnerabilities. Even worse, some of the people developing add-ons are malicious.

      Mozilla's actions seem quite reasonable. Require code to be signed after automatic review. Allow a way for in-house and development apps to run, the same way that Chrome does and the same way that Microsoft supports in-house ActiveX arbitrary code execution in the browser process. For 99.999% of users its a massive security win and for 99.999% of developers it won't make the slightest bit of difference.

      The only real danger, and it's way too early to know if it is a real danger or not, is if someone tries to use the courts to stop them signing something like AdBlock or YouTubeDownloader. Attempts have already been made and yet they still host both apps on AMO, so it seems unlikely that merely having to sign the code will change anything. They already have to approve every add-on they most with an automated code review.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Drama queen by wbo · · Score: 2

      However, Microsoft requires removing the "press F1 to enter setup" delay, making it rather hard to get in to UEFI setup to disable secure boot. As far as I can Google, the only sanctioned way to disable secure boot is to buy a Windows 8 license, and then select "restart and enter setup" somewhere in control panel. And if you need to pay for Windows 8 anyway, what's the point of disabling secure boot?

      While on most UEFI boards there isn't a prompt or delay that waits for you to press a key, every UEFI board that I have encountered so far has had a way to inter UEFI setup without an OS installed.

      In the boards I have worked with you simply hold down a key while powering on the system (usually either delete or F10). The UEFI firmware picks up the keypress and enteres the setup menu. It really isn't any harder than traditional BIOS-based systems - especially BIOS-based systems that support Fast Boot.

      If you don't have a copy of the manual for the particular motherboard in a system it may require some experimentation to figure out which key is used to enter the UEFI setup but Delete and F10 appear to be the most common so far (although on the Surface Pro tablets you have to hold Volume Down but then again they don't have a built-in keyboard).

    9. Re:Drama queen by Meneth · · Score: 2

      All modern operating systems put restrictions on what software can run on them and what it can do.

      No, they don't. Windows, Linux, the BSDs, OSX, none of those have any mandatory filters. Windows and OSX have some "anti-malware" crap, but those can be disabled.

      Even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it.

      If an app wants root access, it'll pop up a password prompt. If you want it, it can poke anything. :)

    10. Re:Drama queen by mrchaotica · · Score: 2

      You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, an no-one will use it because it would be insanely insecure.

      And you are falsely equating user-imposed restrictions with third-party-imposed restrictions, which makes all the difference in the world.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    11. Re:Drama queen by JMJimmy · · Score: 2

      I RTFA. If addons require signing they have to be submitted for review by Mozilla. Mozilla becomes a gatekeeper meaning they can in theory be legally forced or simply themselves choose to not sign specific addons. That would effectively block them from being used by mainstream Firefox users who don't know about various builds/etc.

    12. Re:Drama queen by Sir_Substance · · Score: 2

      All modern operating systems put restrictions on what software can run on them and what it can do.

      No, they don't.

      For the following platforms, I can write a hello world, compile it and distribute it and it will Just Work:
      Windows 7
      Windows 8.1
      OSX
      POSIX
      Android (with non-market apps ticked)

      For the following platforms, I have to contact the platform owner and get permission before distributing my hello world:
      iOS
      Windows Phone

      Here's the deal: Your platform, without my software, is worthless. I, the developer, expect to be enticed to your platform, in order to add value to it.

      iOS did this successfully back in the day. Windows phone did not. Witness the difference.

      So no, I'm not being unreasonable. Mozilla needs me. I will not beg them for permission to make their platform better. If there is a security problem with their addon system, that I damn well expect them to fix that issue without making it my problem.

      If they make it my problem, I'll develop for Chromium, and leave Mozilla to develop their own damn plugins. See if I give a shit, it's not like I'm selling the thing.

  5. Well, win64 already required nightly by k8to · · Score: 2

    I guess I'm happy this won't affect me as their failure to ship a win64 binary has me on nightlies already on windows, and on Linux I end up building my own half the time and can turn this shit off.

    That said, I'm starting to tire of firefox's bad decisions of the month.

    --
    -josh
  6. This won't end well. by Bryan+Bytehead · · Score: 4, Insightful

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers' are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    --
    Bryan
    1. Re:This won't end well. by NormAtHome · · Score: 2

      I've seen that and agree there's a problem. Like some people here have said, I don't go crazy with extensions but for me the Noia theme is an absolute must as the default theme is god awful. So far as I know, two developers have quit developing it and the last one stated the exact reason that you mention i.e. that fixing the breakage in every new release is just too much.

    2. Re:This won't end well. by Zontar+The+Mindless · · Score: 2

      Having used both of the weather-related extensions and having given up on them, I can confirm both that I am not a script and that M Bytehead is spot-on.

      And don't get me started about the nauseating and broken default UI and the fact that every time I find a theme that takes care of most of these issues, it's usually just a few weeks before the next FF release declares it "obsolete".

      If I wanted to use Chrome, I'd use Chrome... Opera is no longer distinctive in any meaningful way... Gee, I never thought I'd see the day when I started wishing that Microsoft would port IE to Linux, but I'm starting to think I might start doing so sometime soon.

      --
      Il n'y a pas de Planet B.
  7. How about sandboxing and processes per tab? by Billly+Gates · · Score: 3, Informative

    This is not 2008 anymore.

    Even IE 8 no really IE 8 has sandboxing and processes per tab starting with Windows 7 back in 2009??!

    Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.

    Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.

    --
    http://saveie6.com/
  8. From the post... by yuhong · · Score: 3, Informative

    "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."

    1. Re:From the post... by sumdumass · · Score: 2

      Yes, people would want to trust a company they already trust verses having their options taken away in the name of protecting them.

      This is especially true given their insistance on other changes the people do not like and ignoring the user's input so many times for reasons that do not appear legitimate to most. The trust in mozzila has been dropping for a long time now. It dropped really fast for me when they persecuted someone for political speech and when they dropped google while initially making it dificult to switch back.

  9. This is needed by ericlondaits · · Score: 4, Interesting

    This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

    1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

    2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

    3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  10. This absolutely sucks by emiliano.heyns · · Score: 2

    I maintain a plugin which I don't host on AMO, because the review process is *glacial*. This nice security measure is going to make sure it will take weeks to get a ten-minute fix to my users.

    1. Re:This absolutely sucks by emiliano.heyns · · Score: 2

      Ah never mind, it's only signing, not AMO-enforcement. Still a major PITA; I had my release process automated.

  11. No developer mode in "stable" build, really? by kav2k · · Score: 2

    [...] they will have to either test on Developer Edition, Nightly, or one of the unbranded builds [...]

    Yes, there was much outcry when Chrome killed non-signed extensions installs, but at least it allows to load a development ("unpacked") version of any extension in the stable version. This is essential for testing, after all, to ensure it works and you can debug it on the platform most users actually run.

    If FF does not allow it, well, nuts.

  12. Someone should write an extension... by rHBa · · Score: 2

    ...to disable extension signature checking. I'm only half joking

    I understand the reasons for doing this, it's too easy for (l)users to be tricked into installing dodgy addons, but if there is a single SIGNED extension that disables this feature then you at least know the user has seen all the warning messages and (presumable) knows what they are doing.

    Having said that, I don't understand why they couldn't have a user setting similar to what you get when you edit about:config...

  13. My top extensions are former Firefox features by Flexagon · · Score: 2

    The top extensions that I use are for features that used to be directly in the Firefox UI or even about:config but aren't now. So from my point of view, they've brought this bad situation on themselves.

    1. Re:My top extensions are former Firefox features by Anonymous Coward · · Score: 2, Interesting

      They present you this glorified vision of how you will use Firefox. How dare you go install extensions to ruin their vision?

      How do you not see that people like you are the real reason for this change? You will use Firefox as the developers intended, or you will move to Chrome*, where you will get exactly the same bare bones experience.

      If not for people like you, they wouldn't need to be able to block such shady extensions as Classic Theme Restorer and Tabs On Bottom.

      * Which just happens to be written by the same company that paid for most of the implementation of this vision).

  14. Re:Extensions are a dumb idea anyway by Zontar+The+Mindless · · Score: 2

    Just because you can't think of other use cases for extensions doesn't mean there aren't any.

    --
    Il n'y a pas de Planet B.
  15. AMO... by wonkey_monkey · · Score: 2

    ...is addons.mozilla.org, in case you were wondering.

    --
    systemd is Roko's Basilisk.
  16. When you have control, you have liability by mlwmohawk · · Score: 3, Interesting

    Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?

    No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.

    Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.

    Time to fork.