
Firefox to Discontinue Sideloaded Extensions - rahidz
https://blog.mozilla.org/addons/2019/10/31/firefox-to-discontinue-sideloaded-extensions/
======
Etheryte
This seems to be somewhat badly written copy on Mozilla's part. To clear up
what this change actually means for an end user:

\- You can still manually install extensions. From now on, all installations
will need explicit user confirmation.

\- No extensions can be installed silently. This is what sideloading did, all
extensions in a special folder were installed in all Firefox instances on the
computer without the user's consent.

This is most definitely a Good Thing, as it means for example no malicious
extensions can be silently installed by malware etc. Communicating this change
could've been done better, though.

~~~
twapi
"\- You can still manually install extensions"

Yes, but not as XPI file. For manual installation, you can install similar to
Chrome, that's from source code folder

~~~
devcpp
Will Firefox stop copying Chrome's features that are hostile to power users at
some point?

~~~
ghaff
Probably not. There's a clear conflict between what (some) power users want
and what the best/safest choices are for the general public. And, in general,
mainstream platforms like Firefox should default to what's best for the
general public. (Yes, you could have bypass mechanisms but backdoors like that
are more or less asking for trouble.) See also Apple.

Added: It's not clear to me how "hostile to power users" this particular
change is. But my general statement still applies.

~~~
ptero
It is not clear what is best for the general public.

You can aim for the "safest" choice, which seems to be what you are
advocating. If so, it needs to be said explicitly and the implications of
functionality reduction (that safety increases always brings) openly discussed
and debated.

The model of claiming "we will do what is best for users" with a freedom to
replace "best" by "X" has been thoroughly compromised by googles and facebooks
of this world. We need to be explicit about goals and tradeoffs. Not attacking
your post, just arguing for being clear and honest on goals of non-commercial
software.

My 2c.

~~~
Digit-Al
I do agree with you to a point. I do think they have a difficult task trying
to balance protecting people from their own ignorance and catering to power
users who know exactly what they are doing and desire more freedom.

An option that just occurred to me is to be able to start Firefox with a
special flag that would give access to some extra options to allow actions
that reduce security - such as sideloading for example.

To help prevent innocent users being coerced into starting Firefox with that
flag it could be something like "Firefox.exe -pleasehackme".

Power users would know what the flag is for but even the most naive user might
hesitate to start Firefox using a command inviting themselves to be hacked :-)

Probably a stupid idea, but just putting it out there.

~~~
mastax
So now the malware edits the firefox shortcut to start it with that argument
and then installs its malicious addons. That doesn't help at all.

~~~
apostacy
Yeah, exactly. Malware could also just delete vanilla firefox and replace it
with the developer edition. Just overlay ads over the browser window itself.
Or anything else really.

Trying to protect against hostile code already running on the same computer as
the browser is futile. At best, it should warn the user if suspicious
modifications were made.

And it comes at such a high cost for such a narrow measure of protection.

------
TazeTSchnitzel
What this is:

• Preventing malware and enterprises from silently installing unremovable
extensions through a special mechanism

What this is not:

• Preventing users from installing extensions without using the Internet (they
can just load an xpi file like always)

• Preventing power users from installing unsigned extensions (already not
possible in standard Firefox except non-persistently for development, but
Mozilla provide unbranded builds which let you use extensions)

Why this is being done:

• Preventing adware adding itself to your browser without your consent and
making itself difficult to remove

Not why this is being done:

• Mozilla hates users / the open Internet / freedom (their foremost concern is
protecting users from malware nonconsensually installing extensions, they have
always provided versions of Firefox allowing you to do whatever you want if
you want that, and indeed standard Firefox does let you load unsigned
extensions temporarily)

~~~
mike_hock
I do hope that Debian will start patching out these nanny features, though,
including the ones we've already had for a while (like no unsigned
extensions). Maybe it's time for a revival of Iceweasel.

If malware gains enough access to my system to put extensions in the
sideloading folder I have bigger problems than Mozilla can protect me from.

------
justinclift
Sounds like it'll be useful for stopping things like "McAfee" from
automatically installing their crap into Firefox without asking.

~~~
djsumdog
Most AV software patch dlls, or inject their own code into running browsers.

~~~
TheCoelacanth
Most AV software is basically malware itself.

------
TeMPOraL
All is fine, but:

> _If you self-distribute your extension via sideloading, please update your
> install flows and direct your users to download your extension through a web
> property that you own, or through addons.mozilla.org (AMO)._

And what if I don't want to use a "web property" to distribute an extension?
What if I want to give my users a honest-to-God file, whether via e-mail or IM
message or USB drive?

> _Please note that all extensions must meet the requirements outlined in our
> Add-on Policies and Developer Agreement._

Or what? I can't make an extension and give it to friends unless it meets your
policy? That's pushing it a bit.

~~~
fencepost
If you're making extensions and distributing them by hand to your friends
you're so far outside the mainstream of Firefox users that you might as well
not exist and they shouldn't be making decisions based on your usage patterns.

This is aimed at Joe Average User who maybe downloaded a program from
sourceforge and suddenly every user on the computer has Myway Search
installed, or something with serious privacy problems that's injecting itself
into every web page they visit.

~~~
t0astbread
So this means Firefox doesn't want power users who maybe just wanna write a
quick hack for a website without distributing it?

~~~
jasonlotito
Incorrect. As has been made clear previously, you can still install unsigned
extensions if you're using Beta, Nightly, or Developer Edition, which are
intended for power users. The discussion here is around the vanilla,
mainstream version of Firefox. They still support power users.

~~~
catalogia
What are my options if I want don't want to be a guinea pig running bugging
prerelease software, and I want automatic updates because I don't want to
accidentally be a chump running outdated software?

As far as I know, unbranded doesn't autoupdate while beta, nightly, and
developer are all buggy software for guinea pigs.

Edit: Why are both the responses I've received worded rudely? Did I say
something wrong?

~~~
exolymph
You are not entitled to having your edge case supported in whatever specific
manner you desire.

~~~
TeMPOraL
They're entitled to complain, though; that's a proper, by-the-rules way to
signal preferences to the market.

FWIW, I agree. Having the choice only between casual user version and unstable
dev version is missing a power user option in the middle. I'm personally not
going to abandon Firefox over this, but I'm that less interested in embracing
web as a platform for productive work.

------
jressey
> If you self-distribute your extension via sideloading, please update your
> install flows and direct your users to download your extension through a web
> property that you own, or through addons.mozilla.org (AMO).

Everything is fine. This is blocking automatic extension installation. You can
still install extensions manually.

------
dessant
Mozilla intends to remove all methods for installing private extensions in the
release version of Firefox. The extension source code must be disclosed to
Mozilla during signing, and it must adhere to their add-on policies [1].

Mozilla is blocklisting benign extensions distributed outside of Firefox Add-
ons which do not follow these guidelines [2].

They are working on disabling a method which allows users with root access to
configure Firefox to load unsigned extensions [3], citing concerns over adware
with root access. The feature is being disabled even on Linux, where such
adware was never really a problem, despite making several other use cases
impossible.

Requiring extensions to be signed by default is a great initiative by Mozilla,
but we must be given ways to install private extensions in the release version
of Firefox without disclosing the source code to Mozilla, or worrying that an
extension for personal use may be blocklisted.

Forbidding local extensions in the release version of Firefox, without a way
to override the option, guarded by administrative access and appropriate
warnings, is heavy-handed and has a questionable threat model.

Signing can be turned off in Firefox Developer Edition (based on Firefox Beta)
and unbranded builds (no automatic updates), but those browsers are not meant
for end users. We must be given ways to install private extensions in the best
version of Firefox, and that is the release version of the browser.

Not even Google is this heavy-handed, they allow installing local extensions
in Chrome after users enable an option, although a warning is shown on browser
restarts about the presence of external extensions, which can be dismissed.

[1] [https://extensionworkshop.com/documentation/publish/add-
on-p...](https://extensionworkshop.com/documentation/publish/add-on-policies/)

[2] [https://github.com/jeremiahlee/page-
translator/issues/26](https://github.com/jeremiahlee/page-
translator/issues/26)

[3]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1514451](https://bugzilla.mozilla.org/show_bug.cgi?id=1514451)

~~~
SpicyLemonZest
But I think Chrome’s example clearly shows why they feel they have to do this.
The average user doesn’t understand extensions the same way you do; to them,
Firefox is Firefox no matter how many bells and whistles are added on. So it’s
a serious reputational risk that Mozilla currently allows unsafe code to run
in an official Firefox release.

edit: Like, look at your second link. The extension was running remote code
loaded from a third-party site! I'm sure you see why Mozilla can't just let
that happen.

~~~
dessant
Chrome's example clearly shows that having secure default options, while also
giving users more control and educating them about possible drawbacks, is a
viable alternative to restricting user freedoms and keeping users ignorant.

The extension was running remote code from Google Translate. The extension's
author could no longer run a safe, unlisted extension in their own browser.
Mozilla should have no business in what code people run in their own browsers,
when that code was distributed outside of Mozilla services.

This is esentially arguing that user scripts, and the extensions which enable
them, should be banned too.

~~~
SpicyLemonZest
Sometimes they should be. Consider CORS for example; Firefox will refuse to
load some resources it's been instructed to load, and there's no way to make
it load them without breaking other things, but this is completely
uncontroversial. Enforcing security boundaries is a reasonable thing for a
program to do.

~~~
dessant
Users should be treated with respect and given control over their own devices,
while platforms should do their best to implement safe defaults, and educate
users about the potential risks of certain actions.

CORS is a security directive set by sites over which users have full control
through browser configuration and extensions.

~~~
SpicyLemonZest
And that's absolutely the right way to think about CORS. But what it actually
does under the hood, the underlying behavior that makes CORS effective as a
security directive, is:

* You instruct your computer to load site A. Site A has some scripts on it, so part of the process of loading site A is executing that Javascript code.

* The Javascript code instructs Firefox to display a resource from site B.

* Firefox refuses to display that resource, even though your website told it to, because it doesn't think displaying the resource would be safe.

I think that's also the right perspective here. Firefox won't run unsafe
extensions, in the same way and for the same reasons as it won't run unsafe
cross-origin requests.

~~~
dessant
Please do not label local extensions as inherently unsafe, it's extremely
disingenuous to label software that has not been rubber-stamped by Mozilla as
unsafe.

You keep bringing up CORS, but that is a security directive that can be
disabled in Firefox. Even an essential security measure such as CORS is
allowed to be disabled using extensions approved by Mozilla, opening users up
to universal XSS by any site they visit.

In any case I don't think CORS is relevant in a discussion about Mozilla
taking away user freedoms under the pretext of a threat model that falls apart
once subjected to close scrutiny.

~~~
SpicyLemonZest
Maybe I'm missing something. As far as I know Firefox only allows you to
disable a subset of CORS checks.

I just fundamentally don't agree that taking away extension functionality
means taking away user freedoms. Even if Firefox developers are completely
wrong about security, I have no moral right to make their project execute my
code. My user freedom is to develop and run a modified version of the Firefox
code, which Mozilla does allow by making Firefox free software.

~~~
pbhjpbhj
And this I think is the crux of how FF has changed its no longer "here's a
browser for you to have" it's "here's _our_ browser, you can only use it like
this".

This is how you get "we added an addon that you can't remove" and "we re-added
icons to the toolbar that you removed" and now "we won't let you simply
install any addon".

And presumably next year "only addons from the Mozilla walled-garden"? That
seems to be the direction it's going.

Mozilla allow users to do stuff, you say. They used to be about enabling
users. Only allowing things a user has a moral right to demand of you doesn't
sound like FOSS.

------
prashnts
I got concerned for a moment that this will end up forcing all extensions to
be available only from Add On store, (similar to Chrome). Thankfully it’s not
that. Note that even extensions distributed outside their store need an
automatic signing. It takes a few seconds and is done through the web-ext cli
tool. This is good!

~~~
dessant
> I got concerned for a moment that this will end up forcing all extensions to
> be available only from Add On store, (similar to Chrome). Thankfully it’s
> not that.

Mozilla is working on achieving exactly that, and in fact Firefox is already
worse than Chrome in this aspect, see my comment here:
[https://news.ycombinator.com/item?id=21418604](https://news.ycombinator.com/item?id=21418604)

~~~
prashnts
Thanks for this. I want to say that it’s all bad choice from Mozilla and rant,
but instead I want to understand the threat model they’re considering.
Extensions do get a lot of access to browser, and may also use side-
channels[1] to work around inaccessible apis. From a brief look at the linked
discussions, I grock that they’re thinking about a malware with admin
privileges installing the add-on. Is it likely that some malware only has
access to “side-load addons” and nothing more? If not, then can’t it just
install keylogger, network monitor, etc? I can’t find better answers other
than my speculations.

[1]: Not that I have one such exploit, but even without access to “tabs”
permissions, extensions can still query the status of tabs, run benchmark
processes, and add context menus with various “filters” such as right click on
a text or image. Sure this doesn’t give direct access to data, but timing
attacks and such should be possible.

~~~
dessant
I agree that having a discussion on the actual threat model Mozilla is working
with is the best way to approach this issue.

Mozilla is trying to defend against malware or adware with root access on the
device.

Malware with root access can do what it wants, inluding just replacing the
Firefox executable, keylogging, making screenshots, intercepting traffic, or
patching Firefox in any number of ways.

Adware can legally do the same if users give consent. Most antivirus software
in fact injects code and is capable of controlling processes, they also
intercept traffic to monitor for threats.

If both malware and adware can do esentially what they want on the device,
then we are left with how this change affects users.

Users can install a different browser, or patch Firefox, but it becomes
prohibitive for regular users to control their own browsers if they choose to
continue using Firefox, because they lack the expertise to make the necessary
changes.

Disallowing local extensions at all costs in Firefox has minimal security
benefits, while greatly harming user and software freedom.

------
kwk1
How will this affect extensions packaged in Linux distributions, e.g. Debian's
webext-* packages. I for one want to be able to do stuff like `sudo apt
install firefox webext-ublock-origin` and have all the users on the system
have this extension installed and enabled.

~~~
ripdog
Debian will need to patch Firefox for this to continue to work.

~~~
dessant
I think Debian already compiles Firefox with a flag to allow unsigned
extensions, but this may require further changes.

------
dealpete
I was amused by this doublespeak:

"To give users more control over their extensions, support for sideloaded
extensions will be discontinued."

~~~
majewsky
I know where you're coming from, I don't see a contradiction here. This is
about extensions that are side-loaded e.g. through an enterprise group policy
or by a snake oil product, where the user in front of the screen did not
explicitly approve the installation of the extension. Disabling this means
that users have to approve each extension, which does indeed give them more
control.

~~~
chinhodado
Thẹn why not just leave the functionality there but force users to confirm the
installation the next time you restart the browser? And make it possible to
remove the sideloaded extension always?

~~~
LocalH
They're converting these "sideloaded" extensions into "normally installed"
ones, and then the user will gain that ability. They're not just wiping these
extensions without warning.

 _During the release cycle for Firefox version 73, which goes into pre-release
channels on December 3, 2019 and into release on February 11, 2020, Firefox
will continue to read sideloaded files, but they will be copied over to the
user’s individual profile and installed as regular add-ons. Sideloading will
stop being supported in Firefox version 74, which will be released on March
10, 2020. The transitional stage in Firefox 73 will ensure that no installed
add-ons will be lost, and end users will gain the ability to remove them if
they chose to._

~~~
chinhodado
But then again why not just treat these sideloaded extensions as first-class
citizen, add support for their removal, and add confirmation before enabling
them the first time?

------
bayindirh
The question in my mind is how this change is gonna affect the enterprise
installations.

I'm aware of some installations which rely on both auto configuration and some
proprietary extensions to the enterprises themselves which needs to be non-
removable and always active.

Disabling installation of sideloaded extensions may make these installations
harder, if not impossible.

------
doguozkan
I think the main point here is that sideloaded add-ons cannot be removed
through the add-on manager. Malicious software can still install add-ons
silently and without explicit consent, but now the user can view and remove
those much more easily.

------
nathancahill
Title is flame-bait. It should say "Firefox to Discontinue Silently
Sideloading Extensions"

------
vkaku
Bad, bad Mozilla! For me, personally, it's what makes this model so fallible
and not developer / community friendly. What if, tomorrow, some country
blacklists the Firefox website, and one still needs to load some privacy
extensions? This is exactly the sort of usecase Firefox should allow, if it's
pro privacy.

~~~
mintplant
Add-ons can still be installed from outside addons.mozilla.org, as long as
they're signed (an automated process), or you're using something other than an
official stable-channel Firefox build and have unsigned add-on install
enabled.

The announcement in question pertains to a specific method of silently force-
installing unremovable add-ons to Firefox.

------
nullc
Won't the "bundleware" just directly frob Firefox's state to make it think the
user authorized it?

------
fareesh
There is a rule about ensuring the original title is the same as the
submission title but in this case the original title is quite badly written.

Is there some way to submit this post or edit the title to maintain compliance
with the submission rule and also make it less misleading?

------
4bpp
What would be a reasonable way to let Mozilla know that I strongly disagree
with this decision (and, really, the majority of calls they have made
surrounding extension security lately)? Who was responsible for making this
decision on their end? I am very close to the point where I can no longer
recommend Firefox to anyone (after sticking with them through some of the
darkest years in terms of product quality), because they are becoming a worse
enemy of the open internet than Google but harder to hold accountable for it.

~~~
balelayers
I don't know the answer to your question, but why do disagree so strongly?

------
SaltySolomon
So, how do you now install Add-Ons on computers without internet access?

~~~
hereisdx
Sideloadong is automatic installation of extensions by 3rd party software. You
can still install extensions manually using the extension package file and
opening it with firefox. What you cant do is automate this.

~~~
duncanawoods
Sideloading generally means just not using an official store so this seems to
be poorly communicated.

------
qwerty456127
If an extension can't be installed silently (e.g. by a -rd party app installer
once you forget to uncheck a checkbox) that's great (except for enterprise
users perhaps as they need to automate such tasks). If I can't just install an
extension/app manually from a file on my hard drive - I don't need such a
browser/platform.

------
2ion
Say I wanted to provide a multi-seat computer where all users have a certain
default addon experience using Firefox, like installing uBlock Origin. This
seems to make provisioning such a setup impossible? Or I would have to
generate Firefox profiles dynamically, on-the-fly?

------
gtirloni
It seems Chrome already does that since June 2018:
[https://blog.chromium.org/2018/06/improving-extension-
transp...](https://blog.chromium.org/2018/06/improving-extension-transparency-
for.html)

------
Mindwipe
The communication around this is completely atrocious.

Given the obvious threats that a single signing authority presents (as proven
by Apple recently) Mozilla should be decentralising the signing here to a few
hundred redundant parties worldwide.

------
hartator
> To give users more control over their extensions, support for sideloaded
> extensions will be discontinued.

Isn't kind of contradictory?

------
vbezhenar
Sounds good for public users, sounds bad for intranet users. Is there some
Firefox fork without all those restrictions?

~~~
evilpie
For intranet/companies you should use Group Policies to install extensions:
[https://github.com/mozilla/policy-
templates#extensions](https://github.com/mozilla/policy-templates#extensions)

~~~
ahmedalsudani
What prevents a shitty vendor from setting up policies? It looks like all you
need to do is create a file and put it in the right place.

------
yosefzeev
The timing of this event is curious. Hasn't this been an issue since almost
the inception of web browsers?

------
dbetteridge
To me this seems shortsighted to say the least, sounds like you now need
Mozilla to validate and approve your extension for use?

Please correct me if I'm reading it wrong.

Saying "To give users more control over their extensions, support for
sideloaded extensions will be discontinued." Also seems disingenuous at
best...

~~~
adrinavarro
The post clearly states that users can install extensions through the
developer's website. The main difference here is that extensions cannot be
silently installed — users have to explicitly install them.

Sounds good to me. No more annoying adware extensions.

~~~
dbetteridge
I agree regarding adware, I think its just a poorly written post in terms of
clarity. It could have been better summarised as

We are removing sideloading (The ability to silently install extensions from
your local machine as an xpi file)

\- This will not affect the ability to manually install extensions, they will
need to be installed from a source code directory (Link to chrome post on
same)

\- This makes users safer (Malicious extensions will need to be approved and
installed by a user)

\- This makes it more obvious when an extension is installed (Confirmation
dialog)

ETC

Thanks for making me read into it further

------
g3houdini
Time for a new browser introduction....

------
zAy0LfpBZLC8mAC
So, from now on malware will come with a minimal Firefox binary included where
this functionality is patched out, and the malware will use that binary for
installing extensions into the Firefox profile on your machine.

What will Mozilla do next then? Close the source so malware authors can't
compile their own Firefox, for security reasons? Only allow installation on
DRMed systems?

~~~
zAy0LfpBZLC8mAC
I would really like to know why people are downvoting this ... like, how is
this not exactly what is going to happen next on the malware side?

~~~
unqueued
It does not appear anything you said was wrong, so I don't know why you are
being downvoted.

