Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox To Mandate Extension Signing

Posted by samzenpus on from the changing-things-up dept.

First time accepted submitter x0ra writes In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

20 of 196 comments (clear)

  1. If only by Anonymous Coward · · Score: 3, Funny

    Now if only conception required signing we'd solve all the worlds problems.

  2. Start of th End by JMJimmy · · Score: 4, Interesting

    For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

    1. Re:Start of th End by Anonymous+Brave+Guy · · Score: 3, Informative

      The beauty of open source is that you can go in, disable the signing requirement, and compile your own binary.

      You can, but 99.999% of Firefox users won't, and probably 99.99% couldn't do it even if they wanted to. Even the geeks who could mostly won't have the time to learn a major OSS code base like Firefox's in order to actually do it.

      I've looked at contributing to this sort of project a few times to see if I could help out. I've then given up when I realised it would take me longer just to set up the development environment and be able to build it than it would take me to write from scratch and give away entire useful software packages of my own, or to chip in a significant amount of extra help to some existing small but useful project on someone's GitHub that they are otherwise trying to maintain alone or with just a couple of regular contributors.

      In practice, that lack of user base then has a direct effect on some add-on developers, and if those developers stop producing or maintaining their add-ons then even users who have compiled their own unlocked version of Firefox won't be able to enjoy them. Killing off part of an ecosystem affects everyone.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Start of th End by Zontar+The+Mindless · · Score: 3, Insightful

      I'm still pissed about them moving the tab bar to the top of the UI, thereby throwing the tab paradigm right out the window, and forcing me to go find a hack to get back what was perfectly sensible and should never have been changed like that in the first place.

      I'm forced to hack extensions almost weekly because the default for each new release is simply to declare all existing extensions "outdated/incompatible" when this is obviously not true in the vast majority of cases.

      It's almost as if someone said, "Now that we've lured in all these users, let's see how much abuse they'll take before they leave again."

      --
      Il n'y a pas de Planet B.
  3. This is a good thing overall... by mlts · · Score: 5, Interesting

    One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

    So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

    [1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

    1. Re:This is a good thing overall... by aardvarkjoe · · Score: 4, Insightful

      The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

      Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:This is a good thing overall... by aardvarkjoe · · Score: 3, Insightful

      Re-read that sentence, specifically the word "special." If it's a special developer build, then it's not the same thing that your users are using.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:This is a good thing overall... by aardvarkjoe · · Score: 3, Informative

      A security feature that can be easily overridden is not a security feature.

      That's just stupid. So passwords are not a security feature if you can disable them? Disabling telnet access by default to a computer is not a security feature? Blocking Flash or Javascript in a browser is not a security feature if you can turn them back on? HTTPS access to a web site is not a security feature if you can access it via HTTP?

      The default should be the one that is right for most people, but that's no reason to cripple your software for those that have other needs.

      Chrome did the same thing months(Maybe even more than a year?) ago.

      Chrome allows the user to re-enable installation of unsigned extensions.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    4. Re:This is a good thing overall... by Anonymous Coward · · Score: 3, Insightful

      "what extensions do you use on any regular basis that are not off the mozilla extension archives"

      oh just a few that interface with our CMS, a few that Mozilla will never see (unless they come work for us), because our extensions are none of their fucking business

  4. Drama queen by Anonymous Coward · · Score: 4, Insightful

    Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

    1. Re:Drama queen by Sir_Substance · · Score: 5, Insightful

      I'd like to express my personal dislike to you as a developer for any process where I must acquire your approval in any fashion to develop for your platform.

      I'm doing you a favor mate, the least you can do is not make doing that favor harder than it need be.

    2. Re:Drama queen by sumdumass · · Score: 3, Insightful

      Well, that is until someone accuses mozilla of aiding copyright distribution by signing and allowing the youtube downloader and they eith stop signing them to avoid legal threats or a lawsuit orders it.

      Then it will be 0.

      BTW, concievably, add block can be blocked similarly. Al it would take is someone to claim it alters their copyrighted presentation and removes artistic value like when those fundies were bleeping language and cutting r rated scenes from movies. Even if there is no chance in hell of it winning in court, its questionable if mozilla would spend the money to fight it verses just stop signing the blocking software.

    3. Re:Drama queen by HBI · · Score: 4, Insightful

      They won't have many users at all if they piss off the extension developers sufficiently. The whole reason FF got the uptake it did was because of the very evangelizing users who care about extensions. I know of dozens of people who would not have ever had Firefox but for me.

      The fact that this isn't even realized is sad, but understandable. The reason FF is losing users now can be traced to many things, but any road to recovery is being hindered by pissing off the precise people that got them to where they were.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:Drama queen by JMJimmy · · Score: 4, Informative

      Extensions are what got me to switch away from IE way back in the day. There's a core half dozen of them that are invaluable.

    5. Re:Drama queen by AmiMoJo · · Score: 3, Insightful

      You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, an no-one will use it because it would be insanely insecure.

      Firefox downloads arbitrary data and code from the internet and renders/executes it. That's pretty dangerous, and despite attempts to sandbox and limit the damage it still leads to severe security vulnerabilities. Even worse, some of the people developing add-ons are malicious.

      Mozilla's actions seem quite reasonable. Require code to be signed after automatic review. Allow a way for in-house and development apps to run, the same way that Chrome does and the same way that Microsoft supports in-house ActiveX arbitrary code execution in the browser process. For 99.999% of users its a massive security win and for 99.999% of developers it won't make the slightest bit of difference.

      The only real danger, and it's way too early to know if it is a real danger or not, is if someone tries to use the courts to stop them signing something like AdBlock or YouTubeDownloader. Attempts have already been made and yet they still host both apps on AMO, so it seems unlikely that merely having to sign the code will change anything. They already have to approve every add-on they most with an automated code review.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. This won't end well. by Bryan+Bytehead · · Score: 4, Insightful

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers' are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    --
    Bryan
  6. How about sandboxing and processes per tab? by Billly+Gates · · Score: 3, Informative

    This is not 2008 anymore.

    Even IE 8 no really IE 8 has sandboxing and processes per tab starting with Windows 7 back in 2009??!

    Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.

    Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.

    --
    http://saveie6.com/
  7. From the post... by yuhong · · Score: 3, Informative

    "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."

  8. This is needed by ericlondaits · · Score: 4, Interesting

    This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

    1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

    2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

    3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  9. When you have control, you have liability by mlwmohawk · · Score: 3, Interesting

    Just saying, "anyone can write code, be careful" gets you out of a lot of trouble. Saying "We've checked these and they are good" buys you a lot of headaches. That's the first problem. Who's going to test the extensions? Who's going to be liable when a "tested" extension is malware? It WILL happen, you know it. Who is going to maintain the cert?

    No user work-around? That's pure insanity. What happens when a vendor says "This is too much trouble, we can afford to support firefox anymore," their customers will have to switch browsers.

    Lastly, having any group of people dictating what others can do is against the whole notion of free and open source software. I have absolutely no problem popping up a dialog that says, "This extension has not been tested by the Mozilla Organization, Proceed at your own risk," but not even having that option is totally and completely bogus.

    Time to fork.