288 points fernandotakai | 40 comments
1. userbinator ◴[] No.10040344[source]
Mozilla's hypocrisy is astounding:

https://blog.mozilla.org/security/2013/01/29/putting-users-i...

"Users should have the choice of what software and plugins run on their machine."

https://blog.mozilla.org/theden/2014/12/15/introducing-a-sma...

"Firefox is dedicated to putting users in control of their online experience"

More recently:

https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in...

"Firefox Puts You in Control of Your Online Life".

The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?

replies(6): >>10040466 #>>10040472 #>>10040993 #>>10041265 #>>10041365 #>>10052169 #
2. TazeTSchnitzel ◴[] No.10040466[source]
Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.

Arguably this change might give users more control: Trojan horses can no longer secretly side load malware.

replies(1): >>10040506 #
3. SkatAndRap ◴[] No.10040472[source]
Firefox users see through this feel-good marketing nonsense from Mozilla.

They've seen Firefox's UI change for the worse in so many ways, even in the face of wide opposition.

They've seen unwanted bloat, like Hello and Pocket, forced upon them, again in the face of wide opposition.

They've seen their requests for bug fixes and performance improvements go unheeded, sometimes for years.

The easy use of extensions has been the only thing keeping many of these people using Firefox. They've been using many extensions to undo, as much as is possible, the unwanted changes that Mozilla has made.

I use Firefox Nightly, and was recently surprised when, after an update, some custom extensions I had written myself were not loading, and could not be easily enabled. When I found out it was due to this, and I had to start adjusting about:config settings, it was nearly the last straw for me.

I don't want to use another browser, but it's like Mozilla is doing everything in its power to make using Firefox a bad experience for me. I know I'm not alone. We've already seen Firefox's share of the browser market drop from well over 30% to a level of around 10% today, if it isn't actually lower than that.

It's truly sad to see what's happening to what was once such a great browser.

replies(5): >>10040498 #>>10040631 #>>10040723 #>>10040764 #>>10041904 #
4. TazeTSchnitzel ◴[] No.10040498[source]
Some people hate the UI changes. A lot of people are just fine with them.

Hello and Pocket are just two buttons in a toolbar which you can remove.

replies(2): >>10040704 #>>10041211 #
5. userbinator ◴[] No.10040506[source]
Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.

You could argue that as long as users can still download a disk editor and change any byte of the disk on their machine they still have control (in fact patching out this signature check could probably be done with a single-byte change to the binary...); the problem is when this control is made more and more difficult.

6. rc4algorithm ◴[] No.10040631[source]
You're being pretty grim. Hello is fucking awesome, and while I don't use Pocket it isn't the end of the world. Firefox isn't Lynx, but even as a Unix guy I enjoy and appreciate it. I also appreciate that they're trying to be more attractive to the masses, which is societally beneficial.
replies(3): >>10040716 #>>10041237 #>>10042747 #
7. gajjanag ◴[] No.10040704{3}[source]
True. However, what I have found in general is that I have been spending more and more time tweaking and fiddling with Firefox to make it work the way I want it to, i.e. similar to the way it was in the past, with no Pocket for instance.

It is really annoying to have to watch the Firefox news and other channels to get this kind of information, reason about it, and then make my choice regarding what to do.

Browsers for me are a tool to get my work done, and I don't want to spend my time shaping my browser every time some people in Mozilla decide to change something.

There are two solutions I see:

1. The cynical/pessimistic one: the web is broken, all browsers fail to various extents, and one needs to pick one's poison - Firefox is the least of evils, hence I will continue using it with increasing dissatisfaction.

2. The optimistic one: Firefox and Mozilla will eventually get back on track, and revisit their old values - I find this harder to believe as time passes by.

8. ◴[] No.10040716{3}[source]
9. twelvechairs ◴[] No.10040723[source]
I'm a Firefox user on all devices and am fine with the UI and don't know what Hello or Pocket are. It has gone through periods of bad choices and bloat before but has been cleaned up over time. I fully expect this to happen again with more annoyances greater than this one. And I still prefer to use it because I support its aims and it supports mine.
replies(1): >>10042183 #
10. debacle ◴[] No.10040764[source]
I don't understand why Mozilla is trying to control the ecosystem. It's an open source product. Why does it need to be locked down like this? Who do they think they are protecting, or even helping, with this?
replies(1): >>10041007 #
11. rockdoe ◴[] No.10040993[source]
Individuals aren't in control over their on-line experience if their browser settings (search etc) are taken over by malware.

I think the average HN reader should go out there once and look at the typical household PC. Bring eye bleach.

12. rockdoe ◴[] No.10041007{3}[source]
Their users?

I'm not sure what you're asking. It's trivial to remove the block for open source contributors, and in fact Iceweasel etc likely won't have it.

But for people who download Windows binaries (or get automatically updated) it's a godsend.

13. hobarrera ◴[] No.10041211{3}[source]
> Hello and Pocket are just two buttons in a toolbar which you can remove.

I would have preferred to see bugs fixed, rather than features that undeniably belong in extensions. Even if it'd been issues that don't even affect me.

replies(1): >>10042360 #
14. anotherangrydev ◴[] No.10041237{3}[source]
As you do, I have a lot of programs and extensions installed on my machine. How about you install them all on yours? Come on! Don't be grim! They are fucking awesome and if you don't use them it's not like it is the end of the world :^)
replies(1): >>10043569 #
15. soapdog ◴[] No.10041265[source]
WTF people. So much hate for Mozilla these days, this appears to be a pitchfork group.

Let's review what the article says: addons need to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.

You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort on the part of the developer but it also helps prevent some security issues.

Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.

The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.

Heck, this is an improvement to security. You can opt out by moving to a different Firefox version; there are three versions you can use: DevEdition, Nightly and Unbranded. If you opt in you have an extra level of confidence in the addon you're installing.

Developers take only a couple of seconds to submit and retrieve their addons, and the added bonus for security is great. This will prevent that pesky spyware/malware from hijacking your browser, which is a problem faced by many users that are not as tech savvy as this crowd here.

And yet people throw a tantrum....

replies(4): >>10041474 #>>10041622 #>>10041758 #>>10042924 #
16. alexhektor ◴[] No.10041365[source]
We're currently waiting for well over 2 months now for an add-on update to get released -.-

https://blog.mozilla.org/addons/2015/07/22/add-ons-update-68...

17. 4bpp ◴[] No.10041474[source]
What is the rationale behind removing the configuration switch, though? Is there supposed to be some contingent of users who are not sufficiently tech-savvy to be trusted with choosing their own add-ons, but sufficiently tech-savvy to go and edit something in about:config, which really needs to be protected from their own stupidity? This sort of "mother knows best" approach is something I would expect from Apple, not a company that claims to put you in control.

Nightly comes with obvious stability and security problems; I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date at the same rate or comes with some presets regarding UI layout or otherwise that are annoying to someone who is not intending to primarily use it as a testbed.

replies(3): >>10041577 #>>10041820 #>>10045826 #
18. Klathmon ◴[] No.10041577{3}[source]
Chrome tried that "configuration switch" before, and what happened was malware would find and flip that switch as one of the first things it did once installed.

Then it would work like it used to (installing bullshit extensions, wrecking the browser overall, and being damn near impossible to remove)

replies(1): >>10045360 #
19. rndgermandude ◴[] No.10041622[source]
Mozilla will certainly continue to sign my piracy-enabling add-on that is perfectly legal in many jurisdictions worldwide, even after a US court explicitly ordered them not to sign it?

I also heard mozilla got an NSL for my "Ed Snowden for president, Find out more on wikileaks" add-on, or rather, I didn't because NSL.

Then again, I hear a broad coalition of human rights, LGBT and feminist groups lobbying Mozilla not to sign my "Find nearest public stoning near you - Saudi Arabia Edition" add-on any more, effectively blacklisting it worldwide. But Mozilla will keep to their promise not to blacklist my stuff and my regular users can still use my add-on, right? The creator of JavaScript and Mozilla CEO Brendan Eich will make sure of it... Oh wait...

Speaking of which, what about my "Mozilla - not protecting Brendan from harm was shit" add-on, is that compliant with the Mozilla trademark policy that I need to abide by per https://developer.mozilla.org/en-US/Add-ons/Add-on_guideline... ?

Yes, those examples are a bit contrived, but actually not that much over the top. Also, please note that I do not necessarily condone these things ;)

My point being: security through tech-enforced policy is nice and has a lot of upsides as you say, I agree, but it also may have downsides you aren't even aware of.

replies(1): >>10045812 #
20. WorldWideWayne ◴[] No.10041758[source]
Why is everybody supposed to love the Mozilla Corporation? Just because you do?
21. ◴[] No.10041820{3}[source]
22. bobajeff ◴[] No.10041904[source]
I don't remember Firefox being well over 30%. The highest I've seen them has been 27%.

That said I can see how users don't like Mozilla's attitude. I've actually noticed it as far back as Firefox 3.5. I know users didn't like the changes post Firefox 2.0. It's too bad Firefox wasn't componentized enough to separate UI from the layout engine and JavaScript engine.

I myself like Australis but I'm also someone who's loved Chrome from the beginning. That said I think it was a mistake to turn Firefox into Chrome. They should've released Australis as a separate browser like they did with Firefox in the Mozilla Internet Suite days. That way they wouldn't have alienated so many users and their core user base would've been secure while they experiment with big user facing changes.

These days I'm more disappointed in what they didn't add to the browser like built-in ad-blocking and tracker blocking. I understand they have this view that the web needs ads but that doesn't mean it needs third-party ad networks. Just like popups they degrade the user's experience. More importantly they also compromise the security and privacy of the user. Clearly they are a practice that should be fought against. That they haven't tells me they are no longer an advocate of the user but the site owners.

replies(1): >>10042267 #
23. malnourish ◴[] No.10042183{3}[source]
See, therein lies the problem. I use Firefox because of our mutual views (and the extensions) and there is no competition in that field. Chromium is too pared-down (no sidebar is basically a killer) and I don't want to support a webkit-centered internet.
24. callahad ◴[] No.10042267{3}[source]
> tracker blocking

Try opening a private browsing window in Nightly and see what you get... ;-)

Edit: Here's a screenshot for folks without Nightly handy. http://imgur.com/5khKObb. This is still a work in progress, but we're getting there.

replies(1): >>10042696 #
25. callahad ◴[] No.10042360{4}[source]
> features that undeniably belong in extensions

At least in the case of Pocket, the current browser marketplace seems to disagree: Chrome is the only major browser without a built-in reading list. When it came time to add similar functionality to Firefox, we could either build and maintain our own service and integrations, or we could partner with an established player with sane privacy and data access policies.

We chose the latter. Pocket is already integrated into literally hundreds of applications, and it started life as a Firefox add-on. Embracing that is a reasonable choice in terms of utility and sustainability, as Pocket themselves are already maintaining SDKs and applications on all major platforms.

(Why this is built into the code and not shipped as an add-on was, iirc, an architectural quirk that will hopefully be rectified.)

26. bobajeff ◴[] No.10042696{4}[source]
Had to look it up since I'm not on Nightly or a desktop. I assume you're talking about this:

https://blog.mozilla.org/ux/2015/07/user-study-of-tracking-p...

Do you know when this will make it to the stable release or when it will be on by default?

27. dhimes ◴[] No.10042747{3}[source]
I am grateful for Hello now that MS owns Skype.
28. SkatAndRap ◴[] No.10042924[source]
It's not "hatred" you're seeing. It's exasperation after repeated disappointment, so much of it totally unnecessary.

Many of us have been using software from Mozilla, and Netscape before them, for decades now. Generally we've been happy with the software. We were more than happy with earlier versions of Firefox, in fact. But lately we've seen changes made that have not benefited the users of Mozilla's software.

Your comment actually describes some of the problems we're talking about. Users and developers now have to jump through one hoop after another just to get a basic installation of Firefox working.

It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Firefox used to get better with each release. A new release of Firefox was something we'd look forward to. But lately, each new release of Firefox has brought us new problems to deal with, without bringing any notable improvements.

Repeatedly disappointed people will express their disappointment. Don't misinterpret it as "hatred". See it for what it is: disappointment!

replies(1): >>10045854 #
29. rc4algorithm ◴[] No.10043569{4}[source]
It's funny, one of the other top comments here is about how many features Firefox is removing. Vital, core stuff, like being able to set custom user agents for specific domains...

I think the real reason many people are angry is that their demographic isn't catered to. I'm part of that demographic, and it does annoy me sometimes. However, unlike Debian/systemd, I find the tradeoff definitely worthwhile.

30. yellowapple ◴[] No.10045360{4}[source]
So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

In other words, if malware can open up the configuration of a separate program and alter it, then malicious browser addons are probably the least of your worries.

replies(1): >>10054425 #
31. soapdog ◴[] No.10045812{3}[source]
You understand that the addon signing process is automated, right? Addon signing is not the same as AMO review. You can sign your addons and distribute them on other channels if they don't match AMO review criteria.
replies(1): >>10045933 #
32. soapdog ◴[] No.10045826{3}[source]
> I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date

Dev Edition is kept up to date. If you check the Firefox versioning workflow, you will see that Firefox DevEdition replaced Aurora, which was the version between Nightly and Beta. It's kept very up to date; there are daily updates on the Dev Edition channel. Also the Firefox UI is fully customizable: just click the menu icon in the toolbar, choose Customize and start replacing things you don't like.

33. soapdog ◴[] No.10045854{3}[source]
Thanks for keeping it civil. I will address some of your comments in the best way I can.

>It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

The Web Platform advanced a lot in the last few years. A lot has been added to browsers. They are no longer a simple HTML engine with some CSS and bad JS engines. Browsers these days are almost their own operating systems, for good and bad. They have so much stuff going on between all the multimedia features, multiple JS engines and compilers; there is a lot going on. Browsers are larger because the Web grew a lot (not in the sense of size but in complexity).

> Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Firefox has always been customizable and the about:config feature enables lots of under-the-hood tweaks that are not possible everywhere. Making Firefox your own is part of what makes it great. It's a browser you can change to suit your needs; that's less common than people think. Your needs are not the same needs as others'. As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

> Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Please don't mix addon signing with AMO review; they are different processes with different objectives. Addon signing happens in seconds because it's automated. The signed addon is returned to you in seconds and you're free to distribute it as you see fit. Now, if you want to have your addon on AMO then you need to submit to AMO review, which may take a long time due to the lack of people and the overall complexity of reviewing that type of code.

replies(1): >>10045875 #
34. ectoplasm ◴[] No.10045875{4}[source]
> As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

Okay, I want a branded Firefox. I don't want to run a dev edition or nightly. My choices are stable or beta. I probably don't even want beta, but it doesn't really matter. So, I don't really have a choice here.

I can see why signed extensions are a good thing, but removing the option from about:config is unnecessary.

35. rndgermandude ◴[] No.10045933{4}[source]
You do understand that mozilla still could reject certain add-ons, even when only to be signed to be hosted elsewhere, and in fact they do:

>Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days.

Right now, the automatic signing will probably only fail if malware is detected. The "Right now" part is what worries me a bit, tho.

36. ◴[] No.10052169[source]
37. acdha ◴[] No.10054425{5}[source]
> So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

Plenty of malware runs as the user rather than the admin, so they can install an extension in your profile or change a config setting but cannot rewrite the Firefox binary without an additional exploit.

Similarly, code signing is increasingly common so an attacker who wants to replace Firefox would need to have their own signing certificate and that offers a way to track down the malware authors.

Yes, none of this works against a complete system compromise but security is all about defense in depth. It would be irresponsible not to protect millions of people just because you cannot do so perfectly.

replies(1): >>10055948 #
38. yellowapple ◴[] No.10055948{6}[source]
So why isn't that checkbox / configuration option / etc. under the same protections? If malware's able to check that box to say "yeah, Firefox, unsigned extensions are okay", then it's surely able to wreak all sorts of other havoc (turning off the pop-up blocker, changing the homepage, redirecting "youtube.com" to "redtube.com"... these are just the mundane things). I can't imagine that Mozilla designed Firefox to be externally configurable by malware running under a user context.
replies(1): >>10057947 #
39. Klathmon ◴[] No.10057947{7}[source]
Well without having the signing key, you can't sign anything that will "change", so any of the configuration options are either baked into the executable (and signed) or they are in a config file (in chrome's case an SQLite file, not sure about FF).

And malware can do all sorts of nasty stuff when it's installed, but the issue with extensions specifically is that they are synced and they can run arbitrary code, so malware that can install one on machine A will instantly infect any other machine that firefox is synced to, as well as silently re-installing if you try to remove it. Plus the extension itself has the ability to download and run additional malware.

I saw a particularly nasty setup one time where a Chrome extension downloaded a payload and ran it, which would re-enable/reinstall the Chrome extension if it was removed, and the extension would reinstall the payload if it noticed it was missing. The only way out was to either wipe the Chrome profile and machine, or be really quick and remove both of them at the same time.

It's obviously not an ideal solution (to block all unsigned extensions), but when the options are:

1. Let malware run rampant unable to really combat it in any way (while letting it use your software to spread)

2. Castrate the entire extensions system to make them 'safe' (basically turn them into glorified web pages with the same restrictions and all)

3. Disable unsigned extensions and play the whack-a-mole game in a way that you can actually win it.

The option which works out the best for the vast majority of users is number 3.

replies(1): >>10062118 #
40. yellowapple ◴[] No.10062118{8}[source]
My point is that those aren't the only three options.

4. Have the browser executable perform some sort of integrity check on the settings file to detect if it's been tampered with by something that isn't the browser (which admittedly isn't robust, but it's a start and eliminates at least the more simplistic malware).

5. Implement encryption on the settings file so that it can only be read or modified if unlocked with a user-configured passphrase (such as that used for Firefox Sync).

6. Use an additional config file with the same permissions as the browser executable (i.e. requiring administrative privileges to modify) for critical security settings like whether or not unsigned extensions may be installed, thus preventing user-level malware from editing it.

7. Don't sync extensions automatically (as a Firefox user with several machines, extension autosyncing is actually more annoying than it is helpful; I'd really like to be able to selectively sync certain extensions - like Tree Style Tabs and Greasemonkey - while keeping others (like themes) local to specific machines). This solves the problem of malicious addon propagation that you mentioned, since said propagation would require user intervention.

5, 6, and 7 would be much more useful in Firefox than Pocket/Hello integration, built-in PDF readers, or any of the other cruft that's started to creep in. In fact, I'm pretty sure 6 is already possible through that enterprise configuration addon (I know firsthand that it's possible to have settings locked down to administrator-only access through that).

Regardless, my other point is that by default, if malware can manipulate Firefox's settings, it can manipulate other things that are just as bad as malicious extensions (like one's stored passwords). It's already possible to mitigate password storage risks by setting a passphrase on one's password cache, so I see little reason why #5 shouldn't be possible, too.
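Options 4 and 5 from the comment above, worked through as an added example (my code, not anything from the thread or from Firefox): a settings file stored with an HMAC-SHA256 tag whose key is derived from a user passphrase, so an edit by a process that can write the file but lacks the passphrase fails verification and the browser falls back to the restrictive default for the "unsigned extensions allowed" switch. The pref names, file layout and salt are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed pref names (not real Firefox keys): one stands in for the
# "unsigned extensions allowed" switch, the other for an ordinary setting.
PREF_UNSIGNED_OK = "example.allow_unsigned_addons"
PREF_HOMEPAGE = "example.homepage"

# Fallback when the settings file fails verification: the restrictive
# choice for the security-critical switch, a harmless one for the rest.
SAFE_DEFAULTS = {PREF_UNSIGNED_OK: False, PREF_HOMEPAGE: "about:blank"}

def canonical(settings):
    """Deterministic one-line JSON so the tag always covers the same bytes."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()

def derive_key(passphrase, salt):
    """Option 5: the MAC key comes from a user passphrase via PBKDF2 and is
    never written to disk, so a process that can only read the profile
    directory has nothing with which to produce a valid tag."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def seal_settings(settings, key):
    """Option 4: store the settings together with an HMAC-SHA256 tag.
    Constructed file layout: '<canonical json>\\n<hex tag>\\n'."""
    body = canonical(settings)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"

def load_settings(blob, key):
    """Verify the tag before trusting anything in the file.
    Returns (settings, trusted); on any failure the caller gets SAFE_DEFAULTS."""
    parts = blob.split(b"\n")
    if len(parts) < 2:
        return dict(SAFE_DEFAULTS), False
    body, tag = parts[0], parts[1]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return dict(SAFE_DEFAULTS), False
    try:
        return json.loads(body), True
    except ValueError:
        return dict(SAFE_DEFAULTS), False

def tamper_for_test(blob, pref, value):
    """Test fixture modelling an edit by 'something that isn't the browser':
    it can rewrite the JSON body but, lacking the key, must leave the old tag."""
    parts = blob.split(b"\n")
    settings = json.loads(parts[0])
    settings[pref] = value
    return canonical(settings) + b"\n" + parts[1] + b"\n"

def demo():
    """Walk through the clean, tampered and wrong-passphrase cases."""
    salt = b"constructed-salt"  # would be stored beside the file; not secret
    key = derive_key("correct horse battery", salt)
    blob = seal_settings({PREF_UNSIGNED_OK: False,
                          PREF_HOMEPAGE: "https://example.org"}, key)
    _, clean_ok = load_settings(blob, key)
    tampered = tamper_for_test(blob, PREF_UNSIGNED_OK, True)
    tampered_settings, tampered_ok = load_settings(tampered, key)
    _, wrong_ok = load_settings(blob, derive_key("wrong passphrase", salt))
    return {
        "clean_trusted": clean_ok,
        "tampered_trusted": tampered_ok,
        "unsigned_allowed_after_tamper": tampered_settings[PREF_UNSIGNED_OK],
        "wrong_passphrase_trusted": wrong_ok,
    }

if __name__ == "__main__":
    print(demo())
```

With option 4 alone (a key kept on disk next to the file) anything that can read the key can re-seal an edited body and `load_settings` will trust it, which is the "admittedly isn't robust" caveat above and the reason the example takes its key from a passphrase as option 5 suggests.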