Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox To Mandate Extension Signing

Posted by samzenpus on from the changing-things-up dept.

First time accepted submitter x0ra writes In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

9 of 196 comments (clear)

  1. Start of th End by JMJimmy · · Score: 4, Interesting

    For me this signals the start of the end for Firefox. Before you know it you'll see legal requests to block extensions like Adblock Plus from being signed and with more hurdles to jump through the ecosystem will shrink. What does remain will be spread out as fewer developers bother with AMO and try to drive traffic/revenue to their sites.

  2. This is a good thing overall... by mlts · · Score: 5, Interesting

    One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine is set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys to have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

    So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

    [1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

    1. Re:This is a good thing overall... by aardvarkjoe · · Score: 4, Insightful

      The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

      Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  3. Drama queen by Anonymous Coward · · Score: 4, Insightful

    Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

    1. Re:Drama queen by Sir_Substance · · Score: 5, Insightful

      I'd like to express my personal dislike to you as a developer for any process where I must acquire your approval in any fashion to develop for your platform.

      I'm doing you a favor mate, the least you can do is not make doing that favor harder than it need be.

    2. Re:Drama queen by HBI · · Score: 4, Insightful

      They won't have many users at all if they piss off the extension developers sufficiently. The whole reason FF got the uptake it did was because of the very evangelizing users who care about extensions. I know of dozens of people who would not have ever had Firefox but for me.

      The fact that this isn't even realized is sad, but understandable. The reason FF is losing users now can be traced to many things, but any road to recovery is being hindered by pissing off the precise people that got them to where they were.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:Drama queen by JMJimmy · · Score: 4, Informative

      Extensions are what got me to switch away from IE way back in the day. There's a core half dozen of them that are invaluable.

  4. This won't end well. by Bryan+Bytehead · · Score: 4, Insightful

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers' are getting tired of fixing the breakage. Forecast Fox, a nice weather bar suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    --
    Bryan
  5. This is needed by ericlondaits · · Score: 4, Interesting

    This is needed because people don't realize how much exposure to malware extensions give them. Three examples:

    1) "Trustworthy" extensions that get sold (with no clue to users) to shady third parties which then update the extension with adware, malware, etc. taking advantage of the userbase. Which extensions can you trust not to do this?

    2) I live in Argentina, where a LOT of people use extensions to avoid regional locks of websites (Hulu, BBC) or to access the american version of sites like Netflix, which feature different shows. These extensions, AFAIK, intercept connections to certain sites and route them transparently to a proxy. This is a BIG deal, because it willingly exposes you to MiM attacks. This is something no user should opt-in into. Also, some of these extensions are funded by injecting ads into sites you access, which opens you up to vulnerabilities and exploits.

    3) Some years ago there was a crazy popular site here in Argentina called Cuevana, which was a sort of free Netflix. They had a big movie and tv series database hooked to a video player that played videos stored in file lockers. This site required a browser extension to run. The extension was not installed through the Firefox / Chrome site, but rather directly from the site... still this didn't discourage anyone. I downloaded the extension and checked its source code to see what it did... it was a single include of a javascript file stored in Cuevana's web server... basically a blank check to run whatever code was there in the privileged context that extensions run in: absolute craziness.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.