
Firefox 42 will not allow unsigned extensions - fernandotakai
https://wiki.mozilla.org/Addons/Extension_Signing
======
nathanb
It's the "no override" part that concerns me.

I created and maintain an extension that is used by visually-impaired people
around the world (it has been translated by volunteers into Dutch and Chinese,
for example).

Occasionally a Firefox update breaks this extension. OK, fine, that's the cost
of doing business. Of course, the automated compatibility report that Firefox
creates is utterly useless; it almost never catches the breakage. But that's a
side rant....

There can be a decent turnaround lag (sometimes on the order of a few days) to
get a new version of an extension reviewed by addons.mozilla.org. In the
meantime, I have made a habit of building a new version of the extension and
giving it to anyone who asks. Some people rely on it to use the web and can't
wait for Mozilla to do their thing (another side rant: I once stupidly forgot
to check in a key resource. I've since changed my development process to keep
this from happening again. But the non-functional extension that I pushed
passed Mozilla's review just fine. Makes me wonder how much value the review
process is really adding.)

If I want to be able to continue this process, I will need to sign the
extension myself (and who knows what histrionics Firefox will throw if a user
tries to replace an extension with one that has the same UUID but a different
signature!)

~~~
grincho
Hi, Mozilla developer here, speaking for only myself. I'm not sure why we
don't make this clearer on the wiki page, but I think the reason there's no
override is that any malware installation routine would simply activate it and
continue on its merry way. (Disclaimer: I didn't work on this feature and am
going by recollection and my own logic.)

We see many copies of Firefox infested with rogue add-ons the user didn't ask
for or isn't even aware of. Sometimes these add-ons even ship with big-name
software, with no opt out or with the opt out squirreled away in some dark
corner. Typically, they do one or more of the following: (1) spy on the user,
(2) add affiliate codes for money, (3) cause performance problems and crashes.

The network is a pretty hostile place these days. It's no longer 14-year-olds
playing around for fun; there are moneyed interests in the game. And the sorts
of people who don't frequent HN are pretty much helpless and clueless in the
perpetual tug of war between various companies and mafias. As a "user agent",
we have the opportunity defend users who lack the sophistication to root
around and remove invasive software they didn't ask for.

Of course, if you're reading this, you're in a different category. You have a
better idea which software to trust, and you know how to scour your machine if
something gets past you. That's why nightlies and the Developer Edition let
you do whatever you want: you aren't the ones who need hard-coded protections
to shield you from pref-twiddling installers.

I hope that provides some needed context. Safe surfing, all!

~~~
Arcsech
> We see many copies of Firefox infested with rogue add-ons the user didn't
> ask for or isn't even aware of.

Like Pocket or Hello?

~~~
piyush_soni
Why is this downvoted? These inbuilt add-ons might not be 'rogue', but are
definitely the ones which many users didn't ask for, or aren't even aware of.

------
kragen
This is deeply disappointing.

Two details: the extensions need to be signed _by Mozilla_ , and only US
English speakers will be allowed to disable this requirement.

The point of free software is that users, individually and collectively, are
free to modify it as they wish, without requiring approval from third parties.
(And of course to use, copy, and redistribute.) This is a sharp turn away from
the free-software ethos that made Firefox possible in the first place.

I understand the issue of users being tricked into downloading and installing
malicious extensions. If you let someone program, they will be able to paste
malicious code. I just don’t think that taking away users’ ability to modify
their own browsers is an acceptable solution to that.

If this disturbing move sticks, Mozilla will become an increasingly tempting
target for whatever group wants to control what software you can install on
your own computer — whether that’s Sony Pictures, the NSA, or Amazon.

The old free software movement has died. We need a new free software movement.

~~~
dtech
> only US English speakers will be allowed to disable this requirement

Do they assume that non-English speakers are just drooling baboons who cannot
decide this for themselves unlike English speakers?...

~~~
kragen
Perhaps they assume that to program enough to write an extension, you need to
learn English. I’ve met people here in Argentina who say that. My view is
that, even if that _is_ the status quo ante (and I’m not sure it really is)
it’s a status quo we must disrupt, not ossify.

~~~
kome
Wise words, kragen. With the excuse "you need english because" a new form of
imperialism is on the making. And what is worse, is that this attitude is
often self-imposed.

~~~
chronial
I think your are mixing “English, the lingua franca”, with “English, the
language spoken in the US”.

Why would using the lingua franca that everyone agrees on be imperialism?

~~~
kome
Because there is no such a thing like “English, the lingua franca”; changing
the name do not change the content.

We should stop self-deluding ourselves in believing that English exits in a
geopolitical void. English is the language of the anglosphere, and speaking
English is a huge favor to those economies, and that comes with a sense of
cultural inferiority as well, in many peoples.

~~~
Zancarius
There _is_ a such thing as "English, the lingua franca" no matter how much one
tries to will it away.

Aviation is a curious industry. English is commonly spoke between flight crews
and ground stations world wide (with few but notable exceptions).
Circumstances where the English meaning of a word wasn't well understood by
the flight crew or the _wrong words_ were spoken have, on occasion, lead to
disaster--Avianca Flight 52 [1] comes to mind, among others.

I simply cannot agree that mutual intelligibility is _bad_ simply on the merit
that it somehow creates a "sense of cultural inferiority."

[1]
[https://en.wikipedia.org/wiki/Avianca_Flight_52](https://en.wikipedia.org/wiki/Avianca_Flight_52)

~~~
kragen
It sounds like you're saying that using English as the _lingua franca_ of
aviation puts at risk the lives of flight crews for whom English is not a
native language, as well as their passengers. This seems like a good example
of how English-as-lingua-franca gives special worldwide advantages to native
English speakers.

~~~
Zancarius
Not at all.

What I'm suggesting is that having a _standard_ for communication is less
likely to put lives at risk. I can't help but wonder if you're invoking Poe's
Law by advocating from what is arguably an extremely fringe standpoint.

Otherwise, the alternative would be to require air traffic controllers to
learn a dozen languages, and then you wind up with an even _worse_ problem
than having everyone settle on a _single_ language with codified standards.

Didn't the Browser Wars teach you anything? :)

------
userbinator
Mozilla's hypocrisy is astounding:

[https://blog.mozilla.org/security/2013/01/29/putting-
users-i...](https://blog.mozilla.org/security/2013/01/29/putting-users-in-
control-of-plugins/)

"Users should have the choice of what software and plugins run on their
machine."

[https://blog.mozilla.org/theden/2014/12/15/introducing-a-
sma...](https://blog.mozilla.org/theden/2014/12/15/introducing-a-smarter-way-
to-search-with-firefox/)

"Firefox is dedicated to putting users in control of their online experience"

More recently:

[https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-
in...](https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in-control-
of-your-online-life/)

"Firefox Puts You in Control of Your Online Life".

The slogan, as found on [https://www.mozilla.org/en-
US/firefox/new/](https://www.mozilla.org/en-US/firefox/new/) , is now "Firefox
is created by a global non-profit dedicated to _putting individuals in control
online._ " I believe it used to be "users" \- see above - but was silently
changed. I suppose these "individuals" are the people at Mozilla...?

~~~
SkatAndRap
Firefox users see through this feel-good marketing nonsense from Mozilla.

They've seen Firefox's UI change for the worse in so many ways, even in the
face of wide opposition.

They've seen unwanted bloat, like Hello and Pocket, forced upon them, again in
the face of wide opposition.

They've seen their requests for bug fixes and performance improvements go
unheeded, sometimes for years.

The easy use of extensions has been the only thing keeping many of these
people using Firefox. They've been using many extensions to undo, as much as
is possible, the unwanted changes that Mozilla has made.

I use Firefox Nightly, and was recently surprised when, after an update, some
custom extensions I had written myself were not loading, and could not be
easily enabled. When I found out it was due to this, and I had to start
adjusting about:config settings, it was nearly the last straw for me.

I don't want to use another browser, but it's like Mozilla is doing everything
in its power to make using Firefox a bad experience for me. I know I'm not
alone. We've already seen Firefox' share of the browser market drop from well
over 30% to a level of around 10% today, if it isn't actually lower than that.

It's truly sad to see what's happening to what was once such a great browser.

~~~
rc4algorithm
You're being pretty grim. Hello is fucking awesome, and while I don't use
Pocket it isn't the end of the world. Firefox isn't Lynx, but even as a Unix
guy I enjoy and appreciate it. I also appreciate that they're trying to be
more attractive to the masses, which is societally beneficial.

~~~
anotherangrydev
As you do, I have a lot of programs and extensions installed on my machine.
How about you install them all on yours? Come on! Don't be grim! They are
fucking awesome and if you don't use them it's not like it is the end of the
world :^)

~~~
rc4algorithm
It's funny, one of the other top comments here is about how many features
Firefox is removing. Vital, core stuff, like setting being able to set custom
user agents for specific domains...

I think the real reason many people are angry is that their demographic isn't
catered to. I'm part of that demographic, and it does annoy me sometimes.
However, unlike Debian/systemd, I find the tradeoff definitely worthwhile.

------
scintill76
Ah, feels like they're following Chrome's example, which decreed that it
should be exceedingly difficult for Windows Chrome users to install extensions
from somewhere other than
[https://chrome.google.com/webstore/](https://chrome.google.com/webstore/) .
This basically killed an internal app we had at work (a fork of a "REST
client", with some added request-signing features specific to our internal
APIs.) There was no strong reason to keep it secret, but there had previously
been no need to put it in the store either, and there was a $5 charge to
publish in the Web Store, which I didn't feel like dealing with.

Anyway, they are both measures taken to stop malware, by taking an option away
from the user, that most users won't even notice, but many "power users" will
be inconvenienced to varying degrees. I'm guessing Firefox's won't be as bad,
since the "developer version" that will let you keep doing the old way
probably won't differ from the normal version as much as Chrome's does.

~~~
_yy
You can still install custom extensions in Chrome for Windows using - among
others - group policy:
[https://support.google.com/chrome/a/answer/188453](https://support.google.com/chrome/a/answer/188453)

------
soapdog
Folks,

There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS if you're so
inclined. You can use: Nightly, Dev Edition, Unbranded Stable and Unbranded
Beta. All of which have a switch that you can set to disable addons signing
requirement.

In contrast there are only two versions where this is a requirement, Stable
and Beta. If you doubt the usefulness of this you haven't seen a browser being
hijacked by malware overriding search results, inserting all types of toolbars
and more. This will prevent malware from sideloading extensions. And this is
good.

The signing process is not the same as the AMO review process. The process
takes only seconds and the signed addon is returned to the developer. They can
distribute as they see fit.

Now, lets face the fact: Simple signing process that takes only seconds and
will help prevent lots of malware, not the most nasty ones but a huge lot of
sideloaded crap. Four versions of the browser for those power users who want
to disable this.

Now, can someone explain to me without hate why this is a bad thing?

~~~
josteink
> There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS

While that may be true, requiring that you run a non-standard version of
Firefox to be able to use "random" extensions will probably have a chilling
effect on the Firefox extension ecosystem.

That, and it reeks of Chromeism.

~~~
soapdog
you will be able to run "random" extension if the developer care enough about
it and about the new security procedures to sign it. After all, it takes only
couple seconds for the signing to work.

The versions I quoted are not non-standard. They are all versions of Firefox
being worked on and with all the relevant teams. All those versions eventually
become Firefox Stable and after that becomes outdated and a new release is now
current. Versions goes from Nightly -> DevEdition -> Beta -> Stable. Each
version has some tweaks, for example DevEdition is where they seed and test
new devtools. Which means that for the developers, thats the best edition to
develop with (still test on the other versions).

~~~
josteink
They are non-standard in the sense that 99% of Firefox users are not using
them.

~~~
soapdog
Do you understand that the Unbranded Stable version and Firefox Stable version
have the same codebase? You can use that version for testing or if your users
don't want signing they can move to that version. They lose the cute icon and
branding but the code is the same.

~~~
josteink
I think you missed my very clear point: now it's not enough to just run
Firefox. You need to ask for users to run the "right" version if Firefox.

Telling people what browser to use is user hostile behaviour. Users will not
bother. Non-official extensions will get less interest. Authors will see a
smaller user base and have less interest in writing new extensions.

This will have a chilling effect all over.

------
tyho
How does this policy interact with greasemonkey, an extension that allows
running random JavaScript on sites with access to the extension API. You could
write your malware as a greasemonkey extension, convince a user to install a
signed greasemonkey release, and then convince them to install your malicious
extension.

~~~
paulryanrogers
Great point. Does anyone know what--if any--limits Grease Monkey puts in place
to prevent users from bring exploited?

------
GeorgeOrr
It's important to note that the Developers Editions (and the Nightlys) will
have a setting for disabling the requirement.

The assumption being that developers need to test as they develop. And are a
more informed user.

~~~
ethana
Did they say why beta wouldn't have this setting? If anything beta is closer
to release and developer would target that. Developer edition is still nightly
if I'm not correct?

~~~
mccr8
Generally, beta is supposed to be almost completely identical to the release
version, to ensure that what gets shipped to release users is tested. This
particular pref seems harmless, but you never know.

Developer edition is what used to be known as "Aurora", which is in between
Beta and Nightly.

------
sergimansilla
I recently made an update my own Firefox extension, called Tab Grenade. It
took them 4 months to review. 4 months. And that's for a (very) minor update.

Because of that, I was definitely considering to start releasing it on my own,
instead of through Mozilla's add-on website. It looks like I will be able to
do that, but I'll have to use the signed extension process.

I'll believe this system works when I see it. After my experience with add-on
reviewing, I am very skeptical.

~~~
soapdog
The review is mostly done by volunteers. Sorry for the delay, I feel your
pain. Will check here if we can try to get more people onboard to help review
stuff.

------
RexRollman
And slowly, freedom everywhere was destroyed in the name of security.

~~~
coldpie
Firefox is open source. Disabling the signature check will probably be a one-
line change. Yes, it's a much larger barrier to entry (building Firefox is not
trivial), but it's not like IE or Chrome where you have no choice in the
matter at all.

~~~
rockdoe
_building Firefox is not trivial_

./mach bootstrap

./mach build

~~~
rndgermandude
Yeah? You at the very least forgot to obtain the source code first somehow.
What about build-dependencies, because ./mach bootstrap does not fully handle
that?

Now please tell me how to do a Windows release-build with all release features
enabled (except for official branding), aka. a ton of configure switches, and
also please do it for my language using the official de locale, because
neither the source tar.bz2 nor the hg you'd normally clone contains that. I'm
starting from scratch of course. And suddenly it is less easy and trivial..

~~~
azakai
As the link mentions, you don't need to build from source. Binary builds are
provided that do not have this restriction, for those that want that.

------
dannysu
It's been one month and the new version of an extension I wrote is still
waiting to be reviewed. I've since stopped waiting and started using the new
version myself rather than download from AMO. I was already very disappointed
by the review process and now this.

Tweeted to Chris Beard: "Dear @cbeard, please give your users the choice and
control they deserve in @firefox. Allow extension signing to be disabled in
FF42."

You want to protect the user, then start making extensions more secure and
require permissions to do things. E.g. If an extension can access contents of
webpages, pop up a dialog and ask the first time. There are other ways to
protect users without going authoritarian on us.

------
mercurial
An important point is that the review process before signing takes seconds,
according to the article. Considering the frequency of FF updates, it's an
important point.

Now, let's just hope that the other side of the coin is a concern for API
backward compatibility, so that people don't need nightly versions of addons
and a developer edition to keep their addons in a usable state...

------
Sir_Cmpwn
I use several small add-ons I wrote myself. Why should I have to get Mozilla's
approval before I can install my own damn add-ons? One of them executes
processes and I'm 99% sure it'll fail the automated review.

EDIT: It passed the automated review, but my point stands. If I wrote the
code, then you can be damn sure I trust it.

~~~
atopal
> I use several small add-ons I wrote myself. Why should I have to get
> Mozilla's approval before I can install my own damn add-ons?

Mozilla has to balance the needs of several hundred million users, who are
being attacked by malware every day, with the needs of people who write their
own add-ons. Is it really that difficult to see it from that perspective? And
it's not like you have no options now. You can either use the developer
edition or the special release version where this feature is disabled.

~~~
Sir_Cmpwn
They've always catered to the hacker perspective, too. Why take out the
about:config flag? How about letting me trust my own certificate, instead of
just AMO's? What about running AMO alternatives?

~~~
atopal
Did you not read the blog post? You can use the dev edition or the special
release and beta version that don't have this limitation. Nobody is forcing
_you_ to live with this limitation. If this was done as an about:config flag
it could easily be changed by an add-on too.

~~~
Sir_Cmpwn
I did read the blog post. It says I have to use a less stable (beta) or less
customizable (dev edition) version of Firefox to avoid this burden.

~~~
atopal
From
[https://wiki.mozilla.org/Addons/Extension_Signing](https://wiki.mozilla.org/Addons/Extension_Signing)

"What are my options if I want to install unsigned extensions in Firefox?

The Developer Edition and Nightly versions of Firefox will have a setting to
disable signature checks. There will also be special unbranded versions of
Release and Beta that will have this setting, so that add-on developers can
work on their add-ons without having to sign every build."

~~~
Sir_Cmpwn
Ah, nice. Even so, I still have issues with this:

\- Special version of the software

\- Can't run my own version of AMO

~~~
reubenmorais
> \- Can't run my own version of AMO

You can, AMO is open source:
[https://github.com/mozilla/olympia](https://github.com/mozilla/olympia)

Run your own instance and make your own builds of Firefox that point to it and
you're good.

~~~
Sir_Cmpwn
>make your own builds of Firefox

Yeah, let me just get all of the potential users of my AMO alternative to
_compile a custom version of Firefox for it_

~~~
reubenmorais
If you want to run a custom AMO I'm assuming you're in a corporate environment
or something like that where you can control what browser gets installed on
people's machines.

[https://addons.mozilla.org](https://addons.mozilla.org) is an integral part
of Firefox, if you set it up with an alternative you're effectively making
your own fork.

~~~
Sir_Cmpwn
It's not an integral part of Firefox, though. You can install add-ons without
it by just clicking a link on any page that leads to an XPI, same as how AMO
behaves.

And no, I'm not in a corporate environment. I'm talking about
decentralization.

------
mveety
What is the point of this? Shouldn't users be allowed to make their own
decisions no matter how stupid or dangerous?

~~~
brighteyes
Users still can, they can download one of the provided builds that do not have
this restriction.

The issue is that most users don't understand software on a deep level, and
just click "yes" on dialog boxes, etc.

It does make sense to keep the defaults where it prevents most users from
harm.

~~~
mveety
Why don't we teach people the don't understand so they can make informed
choices instead of preventing it entirely?

~~~
gnaritas
They can't be taught, nor do they care to be. Education is not the solution to
the problem of users who don't want to know.

~~~
yoz-y
This. Most of the people do not care about this stuff and they do not wish to
learn it. Also, like with vaccines, it is important that sufficient number of
people are protected for the malware/viruses to not spread.

------
verusfossa
This is disappointing. Everything is becoming centralized, even Firefox
extensions. I wish there was an opt out like "unknown sources" in android, but
they keep saying we're not smart enough to make or own decisions. They won't
even put one in about:config. This change well undoubtedly upset developers
and other techy folk, exactly the kind of people you want working with your
software.

Fdroid is working on third party repositories, maybe that will catch on to
decentralize the mobile world a bit. Something like that for browser
extensions would be sweet. Take a look at Fennec Fdroid for a cleaner Firefox
mobile experience at least.

~~~
Someone1234
The point here is to stop junkware authors (who operate pretend-legally) from
trivially installing extensions into Firefox. Right now, this type of software
commonly injects javascript into all web-pages a user visits which do things
like add adverts or redirect searches.

If you allow a tick box to disable this, then how do you stop the junkware
authors from simply checking that box on behalf of the user? Because that's
what would happen, the user would click "next" on some random installer (which
the junkware authors argue grants them expressed permission to install), and
the junkware will claim they tick the unknown sources box to fix a "backwards
compatibility issue."

What they're trying to do is make the option to disable the check SO niche
that it really isn't a valid option for the junkware authors to use anyway
(since most consumers won't have it, only corp. networks which are a hard
target for junkware for other reasons).

------
legulere
I wonder how long it will take until adware producers patch out the
requirement for signed extensions in the binary when you install stuff from
them on your computer.

~~~
wsha
That route is getting harder with application signing becoming more prevalent
on Windows and OS X.

------
Taylor_OD
Isnt chrome already like this? I spent 45 minutes trying to find a way to
install a non extension store extension this weekend and gave up after being
blocked repeatedly.

~~~
mythealias
I don't think what chrome does is relevant in this discussion at least not in
the context of defining what is the the correct way for mozilla to go forward.

~~~
MiddleEndian
Unfortunately it's relevant in the discussion of what Mozilla can get away
with.

------
ekianjo
It should still possible to fork Firefox and remove this requirement, right ?

~~~
kragen
In theory, but that will be very difficult.

~~~
Dylan16807
Difficult how? Even though Mozilla is going to providing builds of just such a
fork themselves? Is it particularly hard to build firefox?

------
mindcrime
Well, at least they're paying lip-service to enterprise users who may have
internal extensions to deal with:

    
    
      What about private add-ons used in enterprise environments?
    
      We haven't announced our plan for this case yet. Stay tuned. 
      In the interim, ESR will not support signing at least until 
      version 45, which won't come out until 2016.

~~~
b101010
I have seen several suggestions along the following lines as far back as the
original blog post which announced the intention to require extension signing

Allow an extension signing certificate to be place in a directory/store which
requires elevated privileges to modify (ie /etc/ or similar).

Extensions in the user's profile signed by this certificate will load as if
they were signed with the Mozilla certificate.

If the user has enough privileges to add an extension signing certificate then
they also most likely have the ability to modify the Firefox itself, I think
this addresses any concerns that this method could be used to load malicious
extensions (if the user is willing to run unknown executables with elevated
privileges then extensions with apparently valid signatures are the least of
their worries).

This allows enterprises to sign and distribute their own extensions, with the
additional step of creating and distributing the signing certificate, and
could work also work for home users.

------
pwman
Mozilla used to be the best place in the world for extension developers -- it
was natural to have your best extension on Firefox because you could release
early and often. Active developers made the platform.

When Chrome came along they decided to go in a different direction entirely
slowly making it more and more painful to accomplish what used to be easy in
the name of security. The review process went from automatic if you were
trusted to weeks and then months and then more than a quarter year. They
started demanding source code. It became scary to release to
addons.mozilla.org because you never knew how long it would be before your
next release would be approved.

Mozilla needs to realize they're hastening their own demise - Chrome now
offers better features than when Mozilla was the leader including releasing to
a percentage of users and faster nearly invisible to the user updates. They
should go back to their roots and embrace developers again.

------
jsingleton
I wonder if this will mean that all the extension version numbers will stop
ending in -signed. I'm used to having any build number with -label in its name
denote it's a pre-release and isn't stable [0].

I was recently searching for user agent switcher add-ons as part of a blog
post [1] and almost all have -signed in the name. To some people it could look
like the un-signed ones are more stable and better.

[0] [http://semver.org](http://semver.org)

[1] [https://unop.uk/dev/how-to-watch-bbc-news-videos-on-a-
deskto...](https://unop.uk/dev/how-to-watch-bbc-news-videos-on-a-desktop-
without-flash-in-firefox)

~~~
wsha
The -signed label was a one time effect to update existing extensions to
signed versions (since AMO didn't want to arbitrarily bump the version numbers
of all its hosted extensions). Future updates do not have this label.

------
mukundmr
What happens to all of those extensions that are on they gray area of DMCA?
Who is this move benefiting? The users or the sponsors?

~~~
Buge
>>Is this a way for Mozilla to censor add-ons they don't like, enforce
copyright, government demands, etc.?

>No, the purpose of this is to protect users from malicious add-ons. We have
clear guidelines[1] for when it is appropriate to blocklist an add-on and have
refused multiple times to block for other reasons.

[1] [https://developer.mozilla.org/en-US/Add-ons/Add-
on_guideline...](https://developer.mozilla.org/en-US/Add-ons/Add-
on_guidelines)

Copyright, DMCA, and legal concerns are not listed. So I take that to mean
nothing will be rejected from signing for those reasons. Hosting on AMO has
stricter rules, so they could sign the extension for you to host, but refuse
to host it themselves.

~~~
michaelt
Today, Mozilla doesn't get demands to take down extensions because sending
demands would be pointless. If EvilCorp tried to force Mozilla to take down
uBlock and friends from addons.mozilla.org they would just get hosted
elsewhere and EvilCorp would look like assholes. It's all downside, no upside,
so EvilCorp don't even bother to ask.

If tomorrow Mozilla can shut down any extension, the calculus changes. Forcing
Mozilla to kill ad blockers still makes EvilCorp look like assholes, but it
might be successful. There's a big upside now, so much more reason to try and
force Mozilla's hand.

~~~
protomyth
I do wonder if some lawyer will argue that a take down notice for an extension
should include revocation of its signing?

------
alfapla
It's little more than a year ago that Brendan Eich was ousted from Mozilla by
an ugly orchestrated cabal. When I read Mitchell Baker's vapid blog post [1]
on the decision, filled with polite backstabbing and politically correct
buzzwordery I understood that Mozilla has been taken over by politicians and
that its decline is just a matter of time.

[1] [https://blog.mozilla.org/blog/2014/04/03/brendan-eich-
steps-...](https://blog.mozilla.org/blog/2014/04/03/brendan-eich-steps-down-
as-mozilla-ceo/)

~~~
SkatAndRap
I have been looking at
[https://input.mozilla.org/](https://input.mozilla.org/) now and then for a
long time, and I am still astounded at how it's typically around 90% unhappy,
10% happy.

I know that some Mozilla supporters will justify that huge difference by
saying, "but unhappy people will always complain and happy people won't say
anything", but I don't think that's necessarily the case. Here we have
Mozilla's own stats saying that a lot of their users are extremely unhappy
with Firefox.

Clearly something is very wrong for the disapproval rating to be so high, and
the satisfaction rating to be so low. In other situations, such a high
disapproval rating would be met with extreme concern, immediate retrospection,
and panic.

Even in the case of US presidents, where people don't have an immediate
alternative like they do with web browsers, and where people's emotions run
rampant, it's very rare to see an approval rating under 40%. The very worst
approval ratings still are around 25%.

So something is seriously wrong for Mozilla's products to consistently have an
approval rating of only 10%, or even 20% if we're being generous.

~~~
asadotzler
"I have been looking at
[https://input.mozilla.org/](https://input.mozilla.org/) now and then for a
long time, and I am still astounded at how it's typically around 90% unhappy,
10% happy."

I've been reading Mozilla's bug system for 17 years and the bug numbers keep
going up. That can't be a good sign.</sarcasm>

~~~
SkatAndRap
It's disappointing to see Mozilla's leadership respond with sarcasm and denial
when faced with the fact that 80% or more of their users are not happy with
recent versions of Firefox.

~~~
cpeterso
That should be 80% of the users who have some reason to be poking around in
Firefox's Help menu and are motivated enough to click "Submit Feedback". That
group does not include many people who have a perfectly good experience with
Firefox.

------
wtbob
You know, there was something beautiful about users being able to pick up a
tutorial and extend their browsers, if they wanted. There was something very
empowering about being able to write extensions even in a corporate
environment.

I've written Firefox extensions for personal and business use, and Mozilla are
preventing that from every happening again. Why? Cui bono?

I'll mention, again, that they completely broke the security of Firefox Sync:
it's no longer a trustworthy place to store passwords. Why? Cui bono?

~~~
stinkytaco
Didn't Chrome take this same approach? I suspect that if multiple major
browser vendors are pursuing it, it's probably to address some issue. It's not
like Mozilla just thought, "let's limit people more, that will make them
happy." This doesn't make it the right approach, but it does make it
understandable.

So I suspect it's to the benefit of the "average user" if that's what you are
asking.

I'm going to step outside of HN for a minute and say that in my work I work
with people who rely on the Internet, but have no concept, and I mean none,
how it works. They do not understand that when they create a Yahoo email
account that no one can help them when they forget their password. They do not
understand that if you type "yaho com" that you are not going to get anywhere
(until auto search came along, that is). I've come to realize that Internet
safety is not a simple set of rules, it's a complex understanding of the whole
ecosystem that can't be readily taught in the time I have with these users
(and never taught to some). I can't explain why I click on links in some
emails and not others, so I just say "don't click on links". I can't explain
why you shouldn't use the same password everywhere to someone who needs to
reset their password literally every time they log on, so I just tell them to
use the one their friend or child has written down for them. It's terrible,
but I get it when vendors draw a line in the sand and say "this is to protect
those users."

That said, as a user who _does_ understand, there's an element of frustration.
Hopefully they bury an override option somewhere, or maybe just add it to
their ESR but I doubt I would ever use it.

------
tenfingers
So much for beta-testing your extension prior to release. It's already hard to
get users involved, now they just can't.

Or using any other channel to get your extension.

!Thanks Mozilla, really.

~~~
wsha
If your extension has been fully reviewed by AMO, you can upload beta versions
that only have to pass the automated signing review to be posted to AMO.

~~~
tenfingers
Please don't assume all extensions have a reason to be on AMO. There are
plenty of extensions which are developed in-house for in-house use only.

Also, as a developer, I never cared to run the "nighties": I don't want an
unstable browser, and I don't want fancy new features. I always ran the stock
version, also to ensure compatibility with the user base, and never needed
anything else.

Maybe Mozilla should also remove the developer tools from the stock version,
because clearly it's too dangerous in the hand of people that could cut&paste
code with full privileges into it, and it's only a keystroke away!

This is a giant slap in the face, frankly.

I don't see a difference between a walled garden such as google play and this.

~~~
tired_man
I gave Mozilla money back in the day when they asked for donations in the
beginning to be on that full-page NY Times ad.

I wonder if I can have a refund? I'm very disappointed in how Firefox has
aged.

------
systemz
Mozilla is doing everything to stop using their browser.

~~~
glass-
And instead people are going to use what?

~~~
bigbugbag
not sure yet, but as soon as there's something I'm making the switch.

Too many extensions are required to try to make firefox into something usable,
mainly reverting changes or fiwing broken or missing features: ad blocking,
sidebar, download manager, bringing back the add on bar, putting back the
ability to disable javascript, session manager, cookie manager ability to take
screenshot, mouse gestures, tab manager, …

------
SCHiM
I like the fact that a security issue is being tackled. What I absolutely hate
is the fact that there are no ways to turn this option off.

Just like HSTS I can't turn this off and it leaves a bad taste in my mouth.
Were originally I considered firebox to be a browser for power users, now I'm
not too sure any more.

~~~
acdha
I'm mixed on the general issue – an option to turn it off is an option which
is certain to be used to social engineer millions of people – but this is
somewhat different from HSTS:

HSTS allows a site owner to set a security policy for access their own
servers. There's no downside to using it, it doesn't affect anyone else, and
in any case if you choose to use a service you're subject to their security
policies. The fundamental choice is unaffected: use their service or go
somewhere else.

In contrast, this is more controversial because it involves telling the user
that they cannot do something they want to do. I think there's a strong
argument that this is a pragmatic choice in the current security environment
but it really does undercut user choice unless you reach the point of saying
that the users who want to do this should know how to compile Mozilla.

~~~
SCHiM
I really, really disagree. If your data is on my computer I should have a say
in what happens to it. If I want to tunnel your hsts connection through a
proxy I should be able to do so.

You can't imagine how frustrated I was when I found out that I couldn't use my
proxy any more, because some guy somewhere decided that it'd bee too hard to
hard to add the following lines to firefox:

if (user_doesn't_want_hsts) { dont_do_hsts(); }

I can't even bend my head around how someone thought it was acceptable to
totally take this option away from people. I understand that such an option
should be hidden deep inside a config somewhere so as to prevent a normal user
from compromising his/her own security. But please don't presume that you did
everyone a service by taking this option away. I can't express how angry and
frustrated I become when I even think about it.

As for your 'no downside', as I said, perhaps not for normal users. But I most
definitively am not. And I probably need to jump though a lot of hoops to tear
this "feature" out of my own firefox build.

~~~
acdha
> I really, really disagree. If your data is on my computer I should have a
> say in what happens to it. If I want to tunnel your hsts connection through
> a proxy I should be able to do so.

You need to read more about how HSTS actually works:

[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

It does nothing that a site could not do by having their webserver redirect
all HTTP requests to HTTPS with the exception that it prevents the browser to
never make an insecure request to prevent a man-in-the-middle attacker from
tampering with it.

Of particular interest, note that it does not prevent you from using a proxy
if you choose to configure one. The only thing it prevents is a transparent
proxy intercepting all traffic on the network, which is a class of MITM
attack, and a frequent source of security or privacy issues.

If you need to use a tampering SSL proxy you would, of course, need to
configure it to generate certificates using a CA which you trust, which is a
well-documented feature and something which has already been a requirement for
many, many years.

> As for your 'no downside', as I said, perhaps not for normal users. But I
> most definitively am not. And I probably need to jump though a lot of hoops
> to tear this "feature" out of my own firefox build.

Or learn how to configure your proxy so that it works with the security
mechanism rather than unnecessarily exposing you to attacks. Your argument is
a perfect example of why this is a good move: most people will simply hit
whatever button causes the page to load without thinking through the security
implications.

------
dogma1138
An automated review which takes seconds? What will it be looking for exactly?
Seems to be something that will either break every extension out there or will
be so easy to bypass that it won't do much.

"This is not the same process that currently applies to AMO add-ons, which has
been typically slower."

Also the fact that you can't seem to be able to disable it even with some
"debug/developer" mode in FF seems to be a bit over the top.

What happens if you are tied to an older FF extension that isn't signed? What
happens when you want to develop an extension? yes beta extensions will be
signed also but what happens before the BETA what happens when i just want to
make hello world and to learn what i can do?

------
norea-armozel
This is going to be an annoying change me since I use the 1Password extension
which isn't signed as far as I know. So, it's likely I'll switch over to
Chrome (which I've had performance issues with in the past) or Pale Moon.
Seriously, it's my browser. It's fine if you want to make users white list
extensions but to completely block unsigned extensions is a bit over zealous.
Unless Mozilla makes the signing process automatic (since it seems some
extensions on addons.mozilla.org can go months before being updated to the
current version) I don't see this working out at all.

~~~
Eva_Schweber
Hi. I'm Eva and I work for AgileBits, the makers of 1Password.

I wanted to reassure you that we are working with Mozilla on getting our
Firefox extension signed. That will allow you to continue using Firefox as
your default browser while still using the 1Password browser extension.

------
rquirk
Will this also affect Firefox for Android?

Mozilla currently don't provide a dev build for Android, just regular and beta
versions
[https://play.google.com/store/apps/developer?id=Mozilla](https://play.google.com/store/apps/developer?id=Mozilla)

The security problem that this "fixes" is not really an issue on Android due
to Android's own app sandboxing, so maybe the Android build will allow
unsigned extensions? It's not mentioned in the FAQ.

~~~
rockdoe
Mozilla provides Aurora and Nightly for Android. They're just not on the Play
Store, but you can download them from their website.

[https://nightly.mozilla.org/](https://nightly.mozilla.org/)

 _not really an issue on Android due to Android 's own app sandboxing_

A malicious add-on could still steal all your passwords.

------
flippinburgers
Who wants malware affecting all of the naive users on the internet? I don't. I
think you can all put your pitchforks away and take a deep breath knowing that
Firefox is trying to improve the experience for people who are not like
yourselves. The process is automated and takes little time. Stop acting so
entitled.

------
djent
Firefox disabled HTTPS Everywhere with no warning to me whatsoever. I use Dev
Edition. I always just assumed it would always work, but apparently I can't
rely on that anymore. Wasn't Mozilla pushing for non-encrypted HTTP to be
deprecated? They should wait for that to happen before disabling HTTPS
Everywhere.

------
Communitivity
Epic fail. Mozilla should be making the browser subsystems more secure, not
saying 'Trust us, we'll ensure your add-ons are secure'.

Will the add-ons source code be reviewed by a CISSP skilled in the languages
used within the add-on? Will the add-on be tested with the top 1000 add-on
combinations out there? If the add-on provides an API, will it be tested using
fuzzing? The list of these questions, and the others to which your answer is
likely 'no', goes on. If you are not doing these things then you are providing
a false sense of security. You may catch the bottom 60-80% of malware and
unstable add-ons, but the most dangerous 20% will likely slip through, in my
opinion.

This does not make sense from a UX perspective, as MANY others here have
pointed out, so I won't go into that further. I will point out that it doesn't
make sense from a business perspective either. If you are saying your add-on
signing program improves security, and you let an add-on through that has
malware, then you might be sued (I am not a lawyer, this does not constitute
legal advice, etc.).

So to recap and summarize, with brevity, and with accuracy...

EPIC FAIL

~~~
TazeTSchnitzel
The law allows people to make mistakes. You clearly have no idea what you are
talking about.

~~~
Communitivity
Heh. Sure :)

You're right about law, I know little - I am not a lawyer.

I suspect there will be someone who blames their corporate data breach on
Mozilla's policy, if they can make even the flimsiest case. Mozilla might win,
at the cost of money, time, and bad PR. I suspect it more likely that they'd
settle out of court. I'd love to hear a lawyer weigh in.

I also love how I posted on here (I seldom do) about an issue I felt
passionately about, in an area that I do know a bit about, and you responded
with a personal attack.

Ask yourself this, what is it you hate so much about the world, yourself, me,
or my post that compelled you to personally attack a complete stranger who was
donating time and thought to the discussion? Did it make you feel better?
Stronger? Isn't that the very behavior you've campaigned against, elsewhere on
the web?

------
hobarrera
> [...] plugins don't need to be signed.

So the worst kind of threat is still there. Great job, Mozilla!

~~~
MacsHeadroom
That's because plugins are going to need to be white-listed (modifiable via
about:config). The win64 (beta) edition of Firefox only allows the Flash
Player Plugin, for example.

~~~
nightpool
isn't this still vulnerable to the attack reported up-thread where whatever
malware just goes and changed about:config before installing their plugin?
(and the reason that the addon opt-out is being removed from ff42)

------
mashed_potato
As if it wasn't already difficult enough explaining to people why I use
Firefox...

------
gdulli
I hope Firefox 41 is really good because it's the last one I'll be using.

~~~
DarkTree
What do you consider the better alternative? (serious question)

~~~
toni
I think at this moment it's fair to say that switching to Pale Moon is the
next obvious step for power-users in need of fiddling with their browser as
they please.

------
benmccann
This is very frustrating. Made worse by the fact that they just replaced their
packaging tool with a new jpm tool that doesn't yet match the functionality of
the old tool.

------
droithomme
I wonder if extensions will be allowed that facilitate illegal activity, such
as downloading youtube videos in violation of copyright.

------
norea-armozel
Does anyone know if the maintainers of Pale Moon or Waterfox intend to keep
the extension signing requirement on their builds?

~~~
TheLoneWolfling
I very much doubt Pale Moon will, based on their reaction to previous
restrictions and removals of features. I know that it would be hypocritical if
they did.

Waterfox... I don't know.

------
ck2
Between that and e10s being on by default, FF42 is going to go over like a
lead balloon.

I hope 41 is an ESR

update, nope: only 38 and 45 are ESR

[https://mozorg.cdn.mozilla.net/media/img/firefox/organizatio...](https://mozorg.cdn.mozilla.net/media/img/firefox/organizations/release-
overview-high-res.7f1fea43e9e2.png)

~~~
shdon
What would be the problem with e10s? Sure, it's a big change, but it seems
quite desirable imho.

~~~
TheLoneWolfling
2-3x the memory use and lower performance due to the additional overhead of
talking between processes.

There are advantages, but it is not without its disadvantages.

~~~
shdon
[https://wiki.mozilla.org/Electrolysis/Firefox](https://wiki.mozilla.org/Electrolysis/Firefox)

"Goals

There are number of things we believe the e10s project will give us:

...

2\. Improved performance, especially on multi-core machines.

3\. Better memory core stats."

That seems to directly contradict your concerns. However, these are stated
goals and may not align with practical reality. I'd be surprised if, when
these are numbers 2 and 3 on their list of priorities, the reality would be so
very different.

~~~
TheLoneWolfling
See
[https://news.ycombinator.com/item?id=9558745](https://news.ycombinator.com/item?id=9558745)
(and actually the rest of that submission also)

Now, mind you, that was nearly 3 months ago. But the concerns there are still
very relevant.

~~~
shdon
Those 3 months can make a world of difference. I'd like to see it in action
before I decide whether it is a good or a bad thing.

Also, I'd be very surprised if the numbers in this little test are more than
anecdotal. Performance will depend heavily on the kind of content you're
viewing and I'd wager that the IPC calls make up a very small minority of the
runtime profile for a tab process. Also, not everything is so performance-
critical. For instance, if response to a mouse click went from 1 to 7
milliseconds, would anybody notice it? If _everything_ in the browser just
slowed down by a factor of 2, would Mozilla really ship it?

~~~
TheLoneWolfling
> if response to a mouse click went from 1 to 7 milliseconds, would anybody
> notice it?

Considering that a frame at 60fps is ~16.7ms, YES. That's 42% of your _total_
frame budget!

And it's not just IPC calls, either. There are many things that are less
efficient when you segment things between multiple processes.

Also, you're completely ignoring / missing the point of memory use. FF (or
rather, Pale Moon) is currently using >1/4 of the RAM on my laptop. And swap
is (really really really really really) slow.

~~~
shdon
The exaggerated response time example was for a typical usecase. The amount of
situations where there is actually 60fps rendering going on and necessary are
few and far between. Most browser usage is of fairly static content.
Especially in the case of a mouse click, when you expect something to change
on the screen and almost everything in that change will depend on something
much slower than the simple IPC call (if that even happens) of tranferring the
mouse click event. Splitting things up between multiple processes can slow
things down if done badly, and can also bring tremendous speedups if done
right. I assume the folks at Mozilla know what they're doing.

And yes, I'm ignoring memory usage for now. Mostly because it is a horribly
complex thing, especially in multi-process situations. The numbers are
notoriously difficult to interpret between working set, commit charge, shared
memory, memory mapped file IO. Unless you're actually debugging the code or an
expert, it's basically just guesswork. Mozilla have improved Firefox's general
memory footprint significantly these past few years and they're not going to
throw those advancements away easily. Again, I trust them to know what they're
doing.

As I said before, I'll reserve judgement on e10s until I get to experience it
in daily use. All I will say in advance is that the premise and the stated
goals make a lot of sense to me and it seems like a highly desirable
technology.

------
rjempson
Here is an idea, sometimes it is a good idea to look inwards rather than
outwards.

------
dieg0
readability extension i miss you so much

------
rak_112
At this point I don't think I'll ever return to using firefox after the
mountain of stupid shit mozilla has pulled in the last ~2 years.

~~~
NotOscarWilde
I share your sentiment, but Google Chrome is better only in terms of
performance [1], it fares worse in both privacy and extensibility (no ad
blockers/addons on mobile Chrome).

For people like me, who want:

* a free software browser

* android/desktop sync

* adblock and other addons

it is pretty much a binary choice between two evils.

[1]: Possibly, of course -- but that is a debate for another time.

------
debacle
Is there a good open Firefox fork that are relatively well maintained? This is
getting out of control.

~~~
TheLoneWolfling
Pale Moon is decent. Or would be, except for the frustrations with addon
compatibility. (Suffice to say, the Australis update pushed breaking changes
to add-ons, in such a way that you cannot easily support both pre-Australis
and post-Australis)

------
bpodgursky
Ad-blockers have finally reached a point that the financiers of the major
browsers are setting the groundwork for tightening the screws on them. Not
right now, but in a couple years when earnings start trending down. Google and
Yahoo -- driven by ads -- fund Chrome and Firefox, over half the browser
market.

Nobody innately wants to be evil; these are still * mostly * engineer driven
companies. But when it comes to an extensential crisis of revenue vs freedom,
there is no real choice.

So thanks guys. We had a good run with open browsers, but it is quickly
drawing closed because you just couldn't stand the ANNOYANCE of seeing ads
next to your content. It's been fun, and now back to the darkness we go.

~~~
adamc
I don't see what would prevent folks from switching to a fork if that
happened.

~~~
bpodgursky
Sure. It will be a fork that falls behind master without funding or support.
Get enough momentum and push it far enough and Chromium and Firefox will stop
being OSS altogether.

~~~
acdha
This is indistinguishable from the conspiracy theories people used to
circulate about a magic carburetor design which got 85MPG and was killed by
Detroit automakers for unknown reasons.

Just look at the chain of unsupported assertions which have to all come true
for this to make any sense: Mozilla will prevent you from installing ad-
blockers, and that this will bother enough users to matter but somehow that
won't lead to enough volunteered developer time to maintain even an almost
unmodified “fork” which changes only a build flag (or a signing key)?

Or that somehow if that proved popular enough to attract a large number of
users they'd react not by reconsidering such policies but instead push
everyone over to Edge/WebKit? Microsoft and Apple are not primarily
advertising companies and at least Apple is marketing actively on the idea of
respecting your privacy – it's hard to imagine anyone working at a browser
vendor not realizing that such a move is simply going to push users to switch.

