
Mozilla Firefox Add-On Signing Update - e15ctr0n
https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/
======
verusfossa
I think this whole thing is a bad idea. They won't allow a scary opt-out
button because some software could turn it on, don't allow about:config
because it could be flipped, don't allow a build flag in stable because
malware could flip it and build. I mean... by that logic, couldn't someone
reskin and redistribute alpha or the 'unbranded' with malware? Firefox is so
afraid of malware, yet it encourages users to store their passwords in plain
text in the browser?

It really feels like a landgrab and not anything anyone has been asking for.
Firefox has to compete with the Chrome web store, but you can't burn your
house down to save a room. What's left if Firefox becomes some centralized
market akin to iOS, Windows Store, Play etc. Forced AMO signing flies in the
face of the decentralized web. "Malware happened" and "Chrome does it" aren't
really answers.

I think getting backed into a corner has made Moz take risks with their
ideology. Hopefully they give developers and users a lot more time to deal
with the upcoming changes.

~~~
irq-1
> It really feels like a landgrab and not anything anyone has been asking for.

Benevolent DRM. Mozilla wants to control the software, even though users want
to be in control. Plugins are __the reason__ people always give for using
Firefox. Justifying control by citing non-technical users is telling: users
are to be managed and controlled; users aren't "us" but the other.

------
superkuh
I understand why they are going walled garden. Non-technical users cannot be
trusted to control their browser. But Mozilla should know if they do this then
I, a technical user, won't use their browser.

I am not an extension developer but it's a rare month when I don't find myself
popping open an .xpi to make changes to the JS and HTML for personal
aesthetics; or bugs only I have. Temporarily loading extensions is not a
solution. They say they'll be producing an "unbranded" non-walled-garden
version for technical users, but no such build has been revealed yet. And
if they do make it, the unbranded version won't be in my OS repos.

This walled garden, the addition of Adobe EME/DRM, the bundling of "Pocket",
and the incoming drop of XUL based extensions are too much.
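
Editor's added example (not Mozilla's code, and not from any commenter) of why the hand edits superkuh describes break a signed add-on. A signed XPI is a JAR-style zip: META-INF/manifest.mf lists SHA-1 and SHA-256 digests for every file, META-INF/mozilla.sf digests that manifest, and META-INF/mozilla.rsa is a PKCS#7 signature over mozilla.sf made with Mozilla's key. The Python below implements only the first stage, the per-file digests, against a two-file sample add-on constructed inline; the PKCS#7 stage is assumed and not implemented.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/manifest.mf"
# Signature-block files are never themselves listed in manifest.mf.
SIG_FILES = {MANIFEST_PATH, "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def build_manifest(files):
    """manifest.mf text for {name: bytes}, JAR layout, no line wrapping."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        lines += [
            f"Name: {name}",
            "Digest-Algorithms: SHA1 SHA256",
            f"SHA1-Digest: {b64_digest('sha1', files[name])}",
            f"SHA256-Digest: {b64_digest('sha256', files[name])}",
            "",
        ]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """{name: {'SHA1': b64, 'SHA256': b64}} from manifest.mf text."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
            entries[current] = {}
        elif current is not None and "-Digest: " in line:
            algo, value = line.split("-Digest: ", 1)
            entries[current][algo] = value
    return entries


def make_xpi(files):
    """Pack files plus a freshly computed manifest.mf into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST_PATH, build_manifest(files))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_digests(xpi_bytes):
    """Stage one of XPI verification: every entry matches manifest.mf.

    Returns (ok, problems); problems names mismatched, unlisted or missing
    entries. Stage two (mozilla.sf / mozilla.rsa) is not implemented here.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = set(z.namelist())
        if MANIFEST_PATH not in names:
            return False, ["manifest.mf missing"]
        manifest = parse_manifest(z.read(MANIFEST_PATH).decode("utf-8"))
        for name in sorted(names - SIG_FILES):
            if name not in manifest:
                problems.append(f"{name}: not in manifest")
            elif manifest[name].get("SHA256") != b64_digest("sha256", z.read(name)):
                problems.append(f"{name}: SHA256 mismatch")
        for name in sorted(set(manifest) - names):
            problems.append(f"{name}: listed in manifest but absent")
    return not problems, problems


def edit_entry(xpi_bytes, name, new_data):
    """Replace one entry the way a hand edit does, leaving manifest.mf alone."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


# Constructed two-file sample add-on, not a real one.
SAMPLE = {
    "manifest.json": b'{"name": "demo", "version": "1.0"}',
    "content.js": b"document.body.style.background = 'white';\n",
}

if __name__ == "__main__":
    xpi = make_xpi(SAMPLE)
    print(verify_digests(xpi))  # (True, [])
    edited = edit_entry(xpi, "content.js", b"document.body.style.background = 'black';\n")
    print(verify_digests(edited))  # (False, ['content.js: SHA256 mismatch'])
```

Changing one file invalidates its digest, so a modified add-on only loads again if manifest.mf is regenerated and the archive re-signed (which needs the signing key, i.e. a trip through AMO) or if the verifier itself is changed, which is the route tenfingers describes further down. JAR continuation lines for over-long manifest entries and directory entries are left out of this example.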

~~~
notnarb
While I would agree that these changes are unfortunate for this specific use
case, I do believe there are at least two workarounds for you:

1) Creating an AMO account and running the command line "jpm sign" tool
yourself. This requires a bit of overhead for each new add-on you want to make
modifications to, but the actual signing of unlisted add-ons (which is entirely
automated) has been fast and mostly painless in my experience.

2) Using Firefox Aurora/Developer Edition as your main browser and relying on
its automatic update mechanism.

~~~
superkuh
What's going to prevent malware authors from making a bunch of AMO accounts
and signing their malware if it's so easy and automated?

~~~
notnarb
(I do not work for Mozilla so this is speculation):

As far as I can tell, side-loaded extensions require a full, non-automated
review (http://i.imgur.com/r070Grv.png) and it wouldn't surprise me if
side-loaded extensions were the worst offenders.

Upon discovering a malicious extension, Mozilla could look through all
extensions they've signed and blacklist
(https://addons.mozilla.org/en-US/firefox/blocked/) all extensions with a
similar signature, similar to how some anti-malware databases work.

There is probably not all that much stopping you from writing a malicious
extension that passes the AMO automated review (example:
https://addons.mozilla.org/en-US/firefox/blocked/i1058), but the cost for
malware writers is going to be significantly higher since it will be far
easier for Mozilla to shut them down via their blacklists.

------
whoopdedo
TLDR: People complained so we're back-pedaling.

There are good technical reasons for requiring signed add-ons. Well, maybe not
so much "good" but necessary because of other bad things in Firefox that
prevent a less extreme requirement from being implemented.

But the signing requirement isn't what upsets anyone. It's that add-ons must
be signed _only by Mozilla_. The whole mess could have been avoided from the
start by saying that add-ons must be signed by a trusted certificate but the
end-user gets to choose what certificates are trusted.

~~~
jMyles
> good technical reasons

For forcing signed add-ons? Maybe. Mayyybe.

For removing the ability to opt-out of this requirement via the preference?
What's the good technical reason?

~~~
JohnTHaller
Because a third party app on Windows can edit the Firefox preferences file to
set the opt-out preference and then install its unsigned malware/spying/ad-
injecting extension and it'll be loaded the next time Firefox starts up with
no warning to the user.

This is why Chrome hashes its settings files on Windows so that when any 3rd
party app tries to mess with it, it wipes all extensions and extension
settings and resets the homepage and search engine to the defaults.
Unfortunately this also means that you can't move your Chrome settings to
another PC as they'll all get reset. You have to sync to Google to ensure all
your settings aren't wiped by a badware app or a corrupt byte in the Chrome
settings file.
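
Editor's added example (not Firefox or Chrome code) of the two points in the comment above: the old opt-out was one user_pref line in the profile's prefs.js that any process with write access to the profile could append, and Chrome's countermeasure is a keyed hash over the protected values, so a value written by another program no longer matches the stored tag. The seed, the list of protected prefs and the sample prefs.js content are constructed for this example; Chrome's actual scheme (its "Secure Preferences" file) differs in detail.

```python
import hashlib
import hmac
import json
import re

# prefs.js / user.js lines look like: user_pref("name", value);  with value as JSON.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed seed for the example; Chrome derives its own and keeps it
# outside the file it protects. Whoever can read the seed can forge tags.
SEED = b"example-seed-do-not-reuse"

# Prefs worth protecting: the signing opt-out and the homepage hijack target.
PROTECTED = ("xpinstall.signatures.required", "browser.startup.homepage")


def parse_prefs(text):
    """Parse user_pref(...) lines into {name: JSON-decoded value}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def render_prefs(prefs):
    """Serialise back to prefs.js syntax."""
    return "".join(f'user_pref("{k}", {json.dumps(v)});\n' for k, v in prefs.items())


def tag(name, value):
    """HMAC-SHA256 over the pref path and its canonical JSON value (None = absent)."""
    msg = name.encode() + b"\0" + json.dumps(value, sort_keys=True).encode()
    return hmac.new(SEED, msg, hashlib.sha256).hexdigest()


def seal(prefs):
    """Tags for every protected pref, taken when the file is known good."""
    return {name: tag(name, prefs.get(name)) for name in PROTECTED}


def check(prefs, tags):
    """Protected prefs whose current value no longer matches its tag."""
    tampered = []
    for name in PROTECTED:
        expected = tags.get(name)
        actual = tag(name, prefs.get(name))
        if expected is None or not hmac.compare_digest(expected, actual):
            tampered.append(name)
    return tampered


def reset_tampered(prefs, tags):
    """Chrome's response, reduced: drop the prefs that fail the check."""
    for name in check(prefs, tags):
        prefs.pop(name, None)
    return prefs


def signatures_required(prefs):
    """Firefox enforced signing unless the pref was explicitly set to false."""
    return prefs.get("xpinstall.signatures.required", True) is not False


# Constructed prefs.js content from a profile where the user changed nothing.
ORIGINAL_PREFS = 'user_pref("browser.startup.homepage", "https://example.org/");\n'

# The one line a bundleware installer appends before dropping its unsigned .xpi.
INJECTED_LINE = 'user_pref("xpinstall.signatures.required", false);\n'


def demo():
    tags = seal(parse_prefs(ORIGINAL_PREFS))   # sealed at a known-good moment
    before = parse_prefs(ORIGINAL_PREFS)
    after = parse_prefs(ORIGINAL_PREFS + INJECTED_LINE)
    return {
        "enforced_before": signatures_required(before),
        "enforced_after": signatures_required(after),
        "tampered": check(after, tags),
    }


if __name__ == "__main__":
    print(demo())
    # {'enforced_before': True, 'enforced_after': False,
    #  'tampered': ['xpinstall.signatures.required']}
```

The limit of the scheme is the seed: a program that can read it can recompute the tag, so this raises the cost for bundleware that only appends a line to a text file rather than stopping anything running with the user's privileges, which is the objection ambrop7 raises in the reply.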

~~~
ambrop7
The security of the browser is conditional on the security of the platform in
the first place, so this does not make sense. Anything that can edit the
settings of the browser without its knowledge can interfere with the browser
and other software in other bad ways.

It especially does not make sense for users who actually do have a reasonably
secure platform, and these "security features" are then purely an annoyance.

~~~
JohnTHaller
Here's the thing, though. They work. It's far easier for a low to mid-tier
bundleware company to build a basic browser extension that inserts ads or
takes over the homepage/search engine using basic off-the-shelf components
than it is for them to install a system-level networking component that
intercepts and changes browser networking calls without breaking things.
Google Chrome took a dual-pronged approach: disallow all extensions except
those in their online store and disallow third party changes to browser
settings. So, bundleware can't easily install into Chrome. It can easily
install into Firefox because you or anyone else on the PC can install whatever
you want.

Just because this practice doesn't apply to or benefit you doesn't mean it
doesn't apply to and benefit the majority of browser users. Remember, the
majority of Firefox users don't even use extensions at all. Closing this hole
would increase their security browser-wise.

Ironic Note: Google Chrome, while attempting to block bundleware from
interfering with its own operation, is one of the most widely distributed
bundleware apps. Installers that use dark patterns (tricking users to not
notice they're installing a new default browser) from Oracle's Java to Adobe
Flash to Avast to Antivir all are used to install Chrome onto systems
(hopefully) without the user noticing.

~~~
yuhong
Of course, Google Chrome itself is probably less malicious than many of the
other bundleware. I wonder how many would have supported Firefox doing the
same thing in 2004.

------
doomrobo
Can somebody please explain to me the purpose of this change. I read the blog
post explaining the decision[0]. The crux of the argument was

> "many tens of millions of users have non-hosted add-ons that were installed
> without their informed consent"

Why go thermonuclear and require add-on signing for everyone? Why not just
make the add-on installation screen a little bit scarier. And if the concern
is to make sure that people are installing what they think they're installing
(i.e not something served by a man in the middle), then maybe just require
that add-ons be downloaded from a site with HTTPS.

I just really don't see the point in this extreme choice.

[0] https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/

~~~
hayksaakian
people become 'blind' to scary screens. see: windows UAC dialogs.

i wish they would clearly indicate what problem it is that they're solving.

---

edit: after reading the post you linked, it's clear they're fighting against
software installers that 'conveniently' install firefox addons.

for example you download skype, and it 'helpfully' installs an addon for
firefox.

---

their solutions might solve the problem, but I think it goes too far.

Is it possible to require the user to approve any add-ons before they are
active on the user's Firefox install? Even if they came from a 3rd party
source?

~~~
Pxtl
Android does it best - you can install non-Play-Store stuff, but you have to
go into a scary menu and fiddle with settings. Better than an "are you sure"
popup.

~~~
Flimm
Because all apps are sandboxed on Android, it's hard for an app to fiddle with
the settings. But desktop applications can fiddle with Firefox settings, so I
can see why Mozilla don't want to allow even a setting.

------
tenfingers
Add-on signing which can be automated provides _very_ little added
security for the user, and just serves as a big pain in the butt for everyone
else involved.

I'm routinely asked to do support for users, and I find malware
extensions regularly installed in Chrome, which has even stricter requirements.
The other day I found a laptop with one extension that redirected google.com
to a scraper. Chrome did _EVEN_ include a drop-down warning just below the URL
bar that the homepage was currently being redirected by an add-on. Did the
user notice? Not a bit.

In fact, Chrome adding a _WARNING_ for it made me feel even more sad: they
know this is going on. Is FF going to do the same? If I were a user with an
extension that did that for whatever reason I wanted, I would be furious as
hell to see an added warning which I need to disable (IF possible), and that
will be ignored by most users anyway.

Malware developers will just get by faster, so Mozilla will not be able to
keep up with the list of addons to blacklist. At the same time, initial
approvals for legitimate addons will get slower. Reporting issues with Addons
is clearly insufficient as Chrome Store demonstrates. In fact, I'm also _NOT_
ok with the idea that extensions can be blacklisted at all, in spite of that
"added security" aura around it. By the same logic, if extensions are required
to be signed, then blacklisting (and blacklisting updates) shouldn't be
allowed to be disabled.

And, let's remind ourselves, that most of the extensions I've seen installed
were side-loaded with other software (with "extras") that was installed in the
system with the same privileges as the browser. So really, _I do expect_
malware to simply patch the FF binary to either disable the check or change
the public key, or replace it entirely with a patched version.

I do not support walled gardens of any kind. Use a fork.

------
kozukumi
They have the EME build for people who don't want the DRM stuff so why can't
they just offer a build with unsigned extensions allowed in a similar way?

Yes it gets messy but they are making it so. I don't want to use a non-release
(i.e. possibly buggy) version just so I can sideload an unsigned extension.

Just offer a non-front-page build in the same way they do for EME and let's
move on to more important things.

Seriously Mozilla waste so much time and energy discussing all this stuff when
it is patently obvious what the right thing to do is.

~~~
RubyPinch
> so why can't they just offer a build with unsigned extensions allowed in a
> similar way?

From the article that you are commenting on

> at which point unbranded builds based on [...] release will be provided for
> testing.

The article was 3 paragraphs long.

~~~
kozukumi
Apologies, I didn't see release mentioned when I read the article.

------
nabla9
The goal should be to make Firefox brand maximally safe for average user.

Recognizable name is important for non-technical users. Mozilla should take
every effort to make browsing safe for anyone who uses browsers originating
from mozilla.org. Even for average developers. There should be no way to trick
people following instructions that disable add-on signing if they download and
use something they know by the name "Firefox".

What we want is separate no-brand Firefox build that follows Firefox closely.
It should work exactly like Firefox including updates (except when it
explicitly deviates) but have no name recognition or easy association to
Firefox/Mozilla.org. In theory it could be automatic build from Firefox
development team as long as it's impossible to download it from mozilla.org
and associate it with the same site as Firefox unless you know what you are
doing. Any bug or security issue arising from the deviant version should not
have Firefox in the news headline.

~~~
yuhong
I think Mozilla already will do something like this.

------
jMyles
I honest-to-goodness don't understand. Why not just let the preference remain
forever?

~~~
mappu
Malware is currently setting the preference and installing itself. How can you
stop that?

~~~
tomjen3
How can you stop malware fiddling with bits to allow installation of
extensions?

~~~
mappu
_> How can you stop malware fiddling with bits to allow installation of
extensions?_

Require signed extensions - and have the code that does the signing check be
locked for modification (e.g. 755 root in /usr/)

------
ck2
Still stuck on Firefox 41, they broke too many extensions after that.

~~~
cm3
I switched to ESR channel (38.5.2) but I don't know how I'm going to use a
newer ESR when it moves to a broken release. Too many extensions stop working
and XUL extensions are the essence of Firefox. Tried using Chrome but so much
of the ux is different or incomplete to a Firefox user that it's impossible to
feel at home.

