

Firefox to get a “walled garden” for extensions, Mozilla to be sole arbiter - timw6n
https://nakedsecurity.sophos.com/2015/02/17/firefox-to-get-a-walled-garden-for-browser-extensions-mozilla-to-be-sole-arbiter/

======
onli
The problem here is not the signing.

It is a perfectly valid reasoning: Addons can be like malware, and that is
something Mozilla should protect its users from. Reviewing and then signing
extensions is an ok way to do that. But the focus here is not the signing, it
is the reviewing.

The problem is not the reviewing either. That may take time and is unpleasant,
but it offers something good in return. The problem is the "we will do it this
way and make it not configurable". There is no need for that. Users don't
change defaults, it would be perfectly valid to go the android route: Disallow
the installation of unreviewed addons by default, but add an option in the
settings to override this behaviour for users who know what they are doing.

That way, you still protect users in general, and you don't anger the other
users who want to install addons from github or whatever. It was completely
unnecessary to make it this controversial by forcing it on all users, by
taking freedom away.

~~~
sonnyp
True, but if Malware.exe ships with an addon, it could tweak Firefox user
profile to allow the addon install

~~~
tokenizerrr
It could also patch firefox.exe to allow it. Or, just run in the background in
its own process because malware.exe is already running. Once you have
malicious binaries running on the user's computer all bets are off.

~~~
acdha
This is partially true – code-signing defeats it on modern operating systems –
but don't forget that much of the problem isn't outright malware but rather
ad-ware like the ask.com toolbar where the companies try to claim that users
chose to enable it to avoid prosecution or lawsuits.

This is a relatively minor change but the automated checks prevent some of the
more blatant abuse and, more importantly, the fact that you can't just
anonymously upload code forces shady companies to leave more of a paper-trail.

~~~
tokenizerrr
My windows box will still happily run unsigned binaries, so I don't see how
code-signing would help it there. Unless you were not referring to regular
windows/linux as modern. I'm not sure if there's anything special with regards
to replacing signed binaries with unsigned ones, but if so you could just put
the binary elsewhere and replace the shortcuts.

With regard to the ad-ware like toolbars, is that really reason enough to lock
everyone into a walled garden? I'd rather deal with the occasional toolbar
than only being allowed run blessed extensions.

~~~
acdha
> My windows box will still happily run unsigned binaries, so I don't see how
> code-signing would help it there. Unless you were not referring to regular
> windows/linux as modern

Close: it's not the OS flavor so much as the security configuration. All of
the major operating systems can be configured to restrict execution – whether
that's mandatory code-signing, only running code from white-listed restricted
directories, etc. this can be used by a security-aware admin to prevent whole
classes of attacks or escalation for successful attacks.

That's the default on OS X but can also be enabled if you're willing to break
with tradition on most other operating systems. That certainly has a
compatibility cost but much of that cost is borne by users who don't benefit
from it.

> With regard to the ad-ware like toolbars, is that really reason enough to
> lock everyone into a walled garden?

First, the nakedsecurity writer used a click-bait headline to troll for
clicks but that hinges on a redefinition for the accepted meaning of “walled
garden”. It's highly misleading since Mozilla isn't charging for signatures or
deciding which companies are allowed to publish add-ons.

Second, millions of people are affected by dishonest software. I'm not
terribly enthusiastic about needing to sign things now but I'm not cavalier
enough to dismiss the argument that a minor inconvenience for a few developers
is worth more than improving the average user’s experience. Any time I look at
my front-end JavaScript logs, I'm reminded of just how many people are
browsing the web with untrustworthy code injected into every page.

------
evilpie
As one of the biggest Firefox contributors, I am actually annoyed by how bad
this decision is from a technical point of view as well.

We have already seen malware that just replaces the Chrome binary to avoid
add-on checks, but somehow this isn't seen as a big problem?

> That is possible, but I don’t expect the majority of malware developers to
> go through such trouble. [1]

I can totally understand where this idea is coming from, but trying to somehow
secure Firefox on a system that is already busted is futile.

[1] https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/comment-page-2/#comment-212726

------
userbinator
It's funny to read this and the previous articles about the loss of freedom in
Firefox, then see the description on its download page
(https://www.mozilla.org/en-US/firefox/new/):

"Download Mozilla Firefox, a free Web browser. Firefox is created by a global
non-profit dedicated to _putting individuals in control_ online."

I find the "appeal to security" argument that's being increasingly popular
these days as nothing more than an excuse to restrict general-purpose
computing and control the users, and I am not happy about it at all. "Malware
is the new terrorism." The idea that we should take away freedom just because
someone could possibly make a wrong decision is personally quite horribly
disturbing. On the other hand, from the perspective of wanting to exert
control, it makes perfect sense: by decreasing the amount of decisions users
have to do, it induces atrophy of their critical thinking skills, and makes
them more inclined to accept things without questioning...

"Freedom is not worth having if it does not include the freedom to make
mistakes."

~~~
nailer
It seems like you haven't read the article. Users are still allowed to install
any extension from outside the garden they want.

~~~
userbinator
_Users are still allowed to install any extension from outside the garden they
want._

It's yet another hoop to jump through, one that further splits "developers"
and "users" and makes it harder to be a "casual developer" - one who just
wants to make an extension and share it among a small group.

~~~
nailer
> one who just wants to make an extension and share it among a small group.

That's a fair point, but I don't think it's that bad. I do this all the time
with Chrome, which already has walled garden:

"Hey guys, I made a Chrome Extension that inlines all the images in our shitty
issue tracking app rather than having to download them all. Extract the zip,
visit chrome://extensions, enable developer mode, and load that folder."

~~~
scottjad
Except in this new scenario it's install a different version of Firefox
(Firefox Developer). Good luck with that on many work machines. My dad is
unable to install any applications on his work machine but he was able to
install Adblock for Chrome the other day. So had he wanted to install this
hypothetical extension for Firefox he would have been unable to.

~~~
nailer
Does your Dad want to run unsigned Firefox extensions?

For a Jira-fixer extension, we'd be running FF Developer, but yes, if I did
want to distribute it wider, then signing would be reasonable.

------
Mahn
My startup, that shall go nameless, provides a service used mainly by the tech
illiterate. Early in our first beta we determined we needed to log client side
errors since there is quite a lot going on in there, so we quickly implemented
a system that phones home for every uncaught exception and error. Since we
didn't filter the source, immediately after we were getting flooded with third
party javascript errors. But not the innocuous facebook like button or google
analytics kind of errors, mind you, but errors coming from javascript sources
we had never added, that is, _injected_ javascript.

Upon further inspection at the source code of these scripts and some googling,
we found out that it was ad injecting malware in the form of Chrome
extensions. Basically and long story short, some 40-50% of our customer base
browses the web with ad injecting malware installed, and that's only counting
malware that caused errors client side, which is obviously not all.

This was naturally disheartening for us, because you pour your heart and soul
into building the best product you can deliver only to hear a very large
amount of your customers will never experience anything other than a very
subpar version of it...

Browser malware is a very real problem, and I don't know if Mozilla's approach
is the best way to tackle it, but there definitely needs to be more people
thinking about it, and in particular the Google Chrome team.
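
A worked version of the client-side triage described in this comment, added here as an example and not code from the original comment or from the service it describes. It takes uncaught-error reports in the shape the browser's error event delivers (message, source URL, line number) and buckets them by script origin against an allowlist of origins the site actually ships: its own host plus the analytics or social-widget hosts it knowingly added. Anything else is flagged as unexpected, which is how injected ad-ware scripts surface in the logs. The allowlisted origins, the ad-injector hostnames and the sample reports are all constructed for the example.

```javascript
// Added example: triage of uncaught-error reports by the origin of the script
// that raised them. Not code from the original comment; the origins and the
// sample reports below are constructed for illustration.

// Origins the site knowingly loads scripts from (constructed; a real site
// would derive this from its own script tags or its CSP script-src list).
const KNOWN_ORIGINS = new Set([
  "https://app.example.com",
  "https://www.google-analytics.com",
  "https://connect.facebook.net",
]);

// Origin of the script a report came from, or null when the browser gave no
// usable URL: inline scripts, eval, or a cross-origin script loaded without
// CORS, which the browser reports only as the opaque message "Script error.".
function scriptOrigin(filename) {
  if (!filename) return null;
  try {
    return new URL(filename).origin;
  } catch (e) {
    return null;
  }
}

// Classify one report: "known" (first party, or a third party we added),
// "unexpected" (a script we never shipped, i.e. the injection signal), or
// "unattributed" (no origin to judge by; injected code can hide here too).
function classifyReport(report, knownOrigins = KNOWN_ORIGINS) {
  const origin = scriptOrigin(report.filename);
  if (origin === null) return "unattributed";
  return knownOrigins.has(origin) ? "known" : "unexpected";
}

// Aggregate a batch of reports into per-bucket counts plus the distinct
// unexpected origins, which is the list worth investigating.
function summarizeReports(reports, knownOrigins = KNOWN_ORIGINS) {
  const summary = { known: 0, unexpected: 0, unattributed: 0, unexpectedOrigins: [] };
  const seen = new Set();
  for (const report of reports) {
    const bucket = classifyReport(report, knownOrigins);
    summary[bucket] += 1;
    if (bucket === "unexpected") {
      const origin = scriptOrigin(report.filename);
      if (!seen.has(origin)) {
        seen.add(origin);
        summary.unexpectedOrigins.push(origin);
      }
    }
  }
  summary.unexpectedOrigins.sort();
  return summary;
}

// Browser side: listen for uncaught errors and hand each classified report to
// a sender (for instance navigator.sendBeacon to the site's own endpoint).
// Returns false outside a browser so the module also loads under Node.
function installErrorReporter(send, knownOrigins = KNOWN_ORIGINS) {
  if (typeof window === "undefined") return false;
  window.addEventListener("error", (event) => {
    const report = { message: event.message, filename: event.filename, lineno: event.lineno };
    send({ ...report, bucket: classifyReport(report, knownOrigins) });
  });
  return true;
}

// Constructed sample batch, in the shape the browser would deliver. The
// ad-injector hostnames are made up for the example.
const SAMPLE_REPORTS = [
  { message: "TypeError: x is undefined", filename: "https://app.example.com/js/app.js", lineno: 120 },
  { message: "ReferenceError: ga is not defined", filename: "https://www.google-analytics.com/analytics.js", lineno: 7 },
  { message: "TypeError: Cannot read property 'ads' of null", filename: "http://cdn.ad-injector.example/inject.js", lineno: 1 },
  { message: "TypeError: Cannot read property 'ads' of null", filename: "http://cdn.ad-injector.example/inject.js", lineno: 1 },
  { message: "SyntaxError: unexpected token", filename: "https://static.other-adware.example/loader.js", lineno: 33 },
  { message: "Script error.", filename: "", lineno: 0 },
];
```

The "unattributed" bucket is the caveat: a script the browser loaded cross-origin without a `crossorigin` attribute yields no source URL at all, so the count of injected scripts this produces is a floor, not a total, which matches the comment's own remark that it only counts malware that happened to throw.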

~~~
lmm
If only the system were just about malware.

I remember when Chrome kicked any youtube-downloading extensions out of the
chrome store. What happened? A few people downloaded non-chrome store
extensions, but most of them downloaded the ones that were left in the store -
_the malware extensions that promised to download youtube but didn't_. Huge
spike in malware on Chrome installs that I saw.

------
byuu
With each passing day, Mozilla tries harder and harder to get me to stop using
their browser. If not for Chrome being the only viable alternative, they would
have long since succeeded.

Wreck the address bar algorithm? Ugh. Move the tabs on top? Ugh. Force me to
keep download history? Ugh. Bury all the configuration options (like JS
features) into about:config? Ugh. Turn the UI into a poor Chrome imitation?
Ugh. Turn the new tab page into adware? Ugh. Promote a bigot to the CEO
position? Ugh. And now turn extensions into a walled garden? ... I can't even
muster up the energy to feign surprise anymore. I basically expect a new
disappointment every time I hear Mozilla in the news.

~~~
tokyo1000
It's too bad to see that your comment is getting downvoted. I think it hits on
some important issues.

From what I can tell, Mozilla's own Firefox feedback stats support what you're
saying.

https://input.mozilla.org/en-US/?product=Firefox

It's currently showing 77% of the reports about Firefox as being 'sad', while
only 23% are 'happy'. It gets even worse if Firefox OS and Firefox for Android
are included, too. In that case, 86% of the reports are 'sad', and only 14%
are 'happy'.

I expect disappointed users to be more likely to say something, but that's
still an awfully large difference between the proportion of users who are
'happy' and those who are 'sad'. When I used Firefox for Android, I'm pretty
sure it sometimes prompted me to give feedback, so it's not like only
disappointed users looking to complain are being sampled.

I don't know how things work at Mozilla, but at any other software product
company I've ever worked at, feedback results so out of whack would've raised
a lot of eyebrows, and gotten a lot of attention. Much effort would have been
put toward finding out what's wrong, and what can be done to fix it,
especially if the results were consistently bad for weeks or months on end.

~~~
nine_k
I never knew about that page to this day. I left a 'happy' piece of feedback.
Should I have a serious issue, I'd probably look for a feedback page to report
my problems, and would find it.

So I think the feedback there is _seriously_ skewed towards "unhappy".

~~~
TheLoneWolfling
And this is why feedback forms are useless. They just reinforce people's
intrinsic biases.

Someone thinks that the current version is good, but the feedback is bad
overall? Must just be that the feedback is skewed. Someone thinks that the
current version is bad but the feedback is good overall? Must just be that the
feedback is skewed.

------
maxerickson
The mozilla blag this links says this:

 _For extensions that will never be publicly distributed and will never leave
an internal network, there will be a third option. We’ll have more details
available on this in the near future._

That sounds like admin installed certificates in the browser to verify the
local signatures.

------
yc1010
Instead of a walled garden approach, why cant they do a "Verified by Mozilla"
badge for each plugin, with warnings if one doesn't have it BUT still giving
the user control and choice of whether to use a plugin.

I made a quick and dirty plugin for chrome a month ago only to find out i
need to undergo an anal exam and give over credit card information to Google,
fuck that! Is that where Mozilla want to end up?

~~~
Ygg2
Well, they have featured plugins, but it doesn't seem to be helping.

------
StevePerkins
I know that people love to reflexively bash anything that Mozilla does (and
I'm critical more often than not myself), but this seems positive overall. As
a savvy user, I can always manually install a plugin just as I can side-load
an Android app that isn't on Google Play. However, my mom and other casual
users who probably shouldn't be installing plugins at all have a somewhat more
curated experience.

I'm a bit skeptical of an automated security scan and approval process, but at
least it provides a means to revoke a malicious plugin when complaints come in
after the fact.

~~~
smhenderson
According to the article you won't be able to do that; although not all
extensions have to go through addons.mozilla.org they _do_ all have to be
digitally signed.

There are exceptions - something about "in house, corporate" (whatever that
means), developer editions of Firefox and nightly builds. But if I read
correctly users of the current, stock Firefox will not be able to suppress the
signature check when installing addons.

~~~
chimeracoder
To be honest, I don't think people who aren't capable of or interested in
downloading a developer edition should be installing unsigned extensions. If
there's an unsigned extension you really can't live without, just download
Iceweasel - problem solved.

It's not like this will be that hard to get around for people who know what
they're doing, so I'm not too worried about this change.

~~~
smhenderson
I don't completely disagree, and I know computer users have always been
treated as separate groups based on skills. That said it's unsettling to me to
see a group like Mozilla officially treating users this way.

Software freedom is for everyone and, IMHO, treating one group differently
than another with regards to this freedom just legitimises the walled garden
concept further.

As the article said, it's hard to call them a community or foundation when
they turn around and announce a very company-like policy such as this...

~~~
blueskin_
Mozilla took the power user out around the back with the shotgun long, long
ago, unfortunately; just the latest sacrifice in their futile war to copy
everything chrome does (and yet the PHBs making these decisions still wonder
why they are haemorrhaging market share). Time to move to Pale Moon.

------
eklavya
I can totally see why such a thing would be required. I have always wanted to
have add-ons vetted by someone I can trust. This will be really effective at
least on windows where software randomly installs shitty add ons and hijacks
the browser. And Mozilla is not likely to give in to unreasonable requests from
governments because if they are not then add ons should be the least of our
worries.

~~~
kbart
"I have always wanted to have add-ons vetted by someone I can trust."

That's fine, but what about those, who want to homebrew their own plug-ins,
experiment with something from GitHub etc? Mozilla could make signed plug-ins
a default choice, but not prevent others. A good model, imho, is implemented
on Android -- your (only) default choice is Google Play, but if you know what
you are doing, you can install any app from anywhere. This way users, that
need a hand holding, are protected, but more tech savvy ones will not have
their _freedom_ denied.

~~~
eklavya
That is allowed, only the android browser is restricted, there too you can run
anything on the beta version.

------
pjc50
Malicious extensions are apparently the driver for this. So we're back to the
problem that any sufficiently flexible platform is a vector for malware. The
platform authority then institutes code signing as a checkpoint against this.
Thus raising a big barrier to entry for non-malicious extensions.

It's hard to see how to get back into this particular Eden.

~~~
peri
Sorry for the rude question here, but is this speculation on your part or
based on stuff said by folks at Mozilla (the corp, not just
contributors/clients)? Some clearer sources would be helpful this early in the
morning.

~~~
tzs
From the Mozilla add-ons blog, which is linked to in the article:

    
    
        Extensions that change the homepage and search
        settings without user consent have become very
        common, just like extensions that inject
        advertisements into Web pages or even inject
        malicious scripts into social media sites. To combat
        this, we created a set of add-on guidelines all
        add-on makers must follow, and we have been
        enforcing them via blocklisting (remote disabling of
        misbehaving extensions). However, extensions that
        violate these guidelines are distributed almost
        exclusively outside of AMO and tracking them all
        down has become increasingly impractical.
        Furthermore, malicious developers have devised ways
        to make their extensions harder to discover and
        harder to blocklist, making our jobs more difficult.
    
        We’re responsible for our add-ons ecosystem and we
        can’t sit idle as our users suffer due to bad
        add-ons. An easy solution would be to force all
        developers to distribute their extensions through
        AMO, like what Google does for Chrome extensions.
        However, we believe that forcing all installs
        through our distribution channel is an unnecessary
        constraint. To keep this balance, we have come up
        with extension signing, which will give us better
        oversight on the add-ons ecosystem while not forcing
        AMO to be the only add-on distribution channel.

~~~
peri
Thanks, was in a hurry to catch my train.

------
wodenokoto
"This, of course, raises the question, "Will the unbranded or the Developer
builds be sufficiently similar to the Release versions out in the real world
that developers can stand by their testing results?""

Yes. It's the same code with different logo.

~~~
hobarrera
Different theme as well, and some other things (like the preferences dialog).

Testing proper integration on those aspects will get _pretty hard_.

------
scottjad
And what about other xulrunner applications, such as Conkeror? Do their
extensions need to be signed by Mozilla?

So if I use a xulrunner based app, and I want to run a Firefox extension (like
ABP, mozrepl, etc), right now all I have to do is edit its install.rdf and
whitelist my application, and if there's a signature (META-INF folder), delete
that. In this scheme, as I understand it, that would not work, unless I was
running the Firefox Developer edition or had an app popular enough to get
developers to include it in their whitelist before signing, and even then
there would be plenty of exceptions.

So now no one can run my xulrunner based app (with extensions) with the normal
firefox installed on their system (or likely available in their distro package
repository).

Please tell me this won't apply to apps launched via xulrunner or firefox -app
(with the normal firefox).

~~~
Ded7xSEoPKYNsDd
The initial announcement said that there are no immediate plans to enable
this for Thunderbird. I'd guess it's just a compile-time flag in .mozconfig.
In that case it would affect firefox -app. (But I didn't bother to actually
look at the source!)

------
thinkcontext
This is similar to what Safari does for their extensions, as a policy it
sounds reasonable. However, the part about the possibility of manual review if
automated checks fail is alarming.

I self distribute my extension because I found the AMO process to be
infuriating. The extension would pass review then not pass and require
changes. Each step in the process requires a multi-week wait in a queue.
Unanswered requests for clarification, lost communications, etc, etc. After
months of trying I gave up, I know I am not alone in this. The possibility of
having to go back into that Kafka-esque maze is extremely disconcerting.

The manual review possibility should also be a concern of all current AMO
users, as it has the potential to lengthen current queue wait times.

------
mschuster91
Normally, I dislike "walled garden" approaches.

The problem with browser extensions is that there are too many bad players on
the field, preying on the non-technical people. The situation is not as bad as
in the IE heydays where I regularly cleaned up 10+ (!) toolbars from
customers' computers, but it's still a problem.

And I, unfortunately, don't see any way to avoid a walled garden approach - as
long as there is a sideload option like on Android, I'm fine with it.

edit: downvotes? Care to explain how else to solve the bundled crapware
toolbar plague?

~~~
mikegerwitz
[https://wiki.debian.org/DebianMaintainer](https://wiki.debian.org/DebianMaintainer)

~~~
acdha
That doesn't really explain anything

------
mcovey
I'm not sure how this will bode for my own extension, which I maintain for my
own private use to do whatever comes to mind, like redirecting certain pages,
applying userscripts and css files, and some other customization. Also I
wouldn't have tried out all the spiffy new ES6 features that Firefox supports
except that I can freely use them because it can only run in Firefox anyway.

One thing I did realize in learning how to make these extensions is that,
unlike with Chrome, Firefox extensions can do anything any other executable
file on your computer can do, or at least, they can move, delete, edit, and
rename any file anywhere on the hard drive, spawn any process, download
anything and save it, so effectively all a malware author has to do is make
the extension's install hook download their payload and execute it. It's a one
liner to wipe out your $HOME (I have no idea if it will work I'm not going to
try it!):

    
    
        require("sdk/system/child_process").spawn("/bin/rm", ["-rf", "~/*"])
    

I'm expecting/hopeful that there will be some kind of about:config flag to
disable enforcing signed packages, it just seems typical of Mozilla to include
such a feature for power users.

~~~
blueskin_
If you read the blog, there won't be. Mozilla ditched any pretence of caring
about people with an IQ over 75 long ago.

------
daw___
From the announcement:

 _For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds._

Does this mean that developers won't be able to test the add-ons on official
stable binaries end users will consume their add-ons on? Good luck with that.

~~~
hobarrera
I find this unbelievable too. Developers being _unable_ to test the addons in
the same browser that end-users use is stupid.

That aside, I honestly can't see the value of the developer edition at all.

~~~
daw___
Me neither. Maintaining a set of features that will be unused by most users is
definitely more convenient than maintaining a whole separate build that will
be used by a small subset of users.

------
hobarrera
I'm wondering how the EFF feels about this, amongst others.

HTTPS Everywhere is currently only available via their website because it's
actually securer than through AMO. If mozilla wall-gardens firefox in the
interest of security, I guess they've got some serious issues to settle.

I also wonder a bit what happens to developers who need a small userbase to
test their alphas/betas before publishing, as well as custom-built
extensions.

~~~
acdha
The Mozilla blog post answered all of these questions but the sophos click-
bait had to leave them out to support their narrative:

https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/

The short answer is that you can still have AMO sign an extension even if you
distribute elsewhere (e.g. the way password managers like to ship one
installer for everything) and the nightly / developer builds will allow
unsigned extensions for obvious reasons. They are planning a private-app
signing process but the details aren't public yet.

------
tommi
"That makes it vaguely more egalitarian than a complex and bureaucratic
mechanism that tends to favour bigger, more established software makers, who
themselves have the staff and bureaucracy to match."

This is FUD. Even Apple's App Store doesn't require huge amount of bureaucracy
let alone what they seem to be talking about.

~~~
peri
Agreed. Cryptographic signing of extensions in this context doesn't seem to me
to be significantly different from the signing done by your other package
management systems.

One of my professors said "the browser is the new OS" about a decade ago. This
seems like more proof of that to me — if we want fast, low power JavaScript in
browsers, we have to have a reasonable chain of trust imo.

~~~
Trombone41
I tried renaming some files with "the new OS", but all I got was a 404. I had
to use the one the browser was running in instead.

------
Supermighty
I wonder if a side effect--or conspiratorially the intended consequence--will
be a culling of older, poorly implemented, poorly supported plugins.

------
blueskin_
Mozilla get scummier every year. Might be time to move to Pale Moon, I think.

~~~
TheLoneWolfling
Already have, and as time goes on it's looking like I made a better and better
choice.

At least PM actually follows through with the concept of user freedom.

~~~
blueskin_
I'm moving over as soon as this steaming turd mozilla are dropping on us hits
ESR.

------
amyjess
Well, looks like I'm switching to Iceweasel.

------
bpodgursky
IMO the rise of aggressive ad-blocking extensions has spoiled a good thing for
everyone.

I don't believe that Mozilla has any innate desire to lock-down users and
prevent them from customizing their browsers, but making a browser is now an
expensive and complicated project, and both Firefox and Chrome are bankrolled
by companies which make their revenue primarily via advertising (Google +
Yahoo, Google).

It's clear that Google will never make the same mistake with mobile Chrome --
it will never be extensible, because they have no desire to sacrifice that
advertising revenue. I doubt it will be more than a year or two before the
Mozilla app store is purged of ad-blocking extensions, if they ever make it
in.

I don't want to get in some flamewar about "oh but ads are so bad, I can't
help but install adblock". They suck, and I'm not accusing anyone of acting in
anything other than their personal best interests, but I think everyone should
acknowledge that this is the natural end-game.

~~~
jacquesm
There is now a different prong on this fork: adblocking software can help in
filtering out drive-by-malware served up through advertising infrastructure.
By removing ads you get rid of one possible source of trouble.

So besides the speed and the nuisance factors there is now also a security
factor involved in ad-blocking.

------
mangecoeur
Well, that's a totally click-bait and misleading title. The essence of a walled
garden is that it's hard to get in, and if you're not let in then you lose
out. Mozilla only require signing by them or by someone else, which given the
proliferation of malware is hard to see as a bad thing, especially given the
privileged access granted to addons.

If you're too stubborn to let Mozilla sign it AND too lazy to do it yourself
then that's your problem - you have no inalienable right to demand that people
run your code if you can't be bothered to secure it. However you are never
locked out of providing mozilla addons, you can still supply whatever you
like.

Also, why did this piece bother to quote the random verbal vomit of some
internet commenters? What is that supposed to show? That some people online
are rude and ignorant? Frankly there's quite a bit of FUD in this thing, like
asking if devs can trust that moving from Dev versions to production will
break their code - pretty much the whole point of Mozilla's development model
in iterating and providing developer editions is to ensure that doesn't
happen.

~~~
blackoil
Some people will see walled garden as one with few gates and a sentry
controlling who can enter, e.g. the iOS app store is not very difficult to enter
in as a million apps have entered, but if apple does not agree, you cannot
publish the app.

