288 points fernandotakai | 17 comments
userbinator ◴[] No.10040344[source]
Mozilla's hypocrisy is astounding:

https://blog.mozilla.org/security/2013/01/29/putting-users-i...

"Users should have the choice of what software and plugins run on their machine."

https://blog.mozilla.org/theden/2014/12/15/introducing-a-sma...

"Firefox is dedicated to putting users in control of their online experience"

More recently:

https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in...

"Firefox Puts You in Control of Your Online Life".

The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?

replies(6): >>10040466 #>>10040472 #>>10040993 #>>10041265 #>>10041365 #>>10052169 #
1. soapdog ◴[] No.10041265[source]
WTF people. So much hate for Mozilla these days, this appears to be a pitchfork group.

Let's review what the article says: addons needed to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.

You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort on the part of the developer but it also helps prevent some security issues.

Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.

The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.

Heck, this is an improvement to security. You can opt out by moving to a different Firefox version, there are three versions you can use, DevEdition, Nightly and Unbranded. If you opt-in you have an extra level of confidence in the addon you're installing.

Developers take only a couple of seconds to submit and retrieve back their addons and the added bonus for security is great. This will prevent those pesky spyware/malware from hijacking your browser which is a problem faced by many users that are not as tech savvy as this crowd here.

And yet people throw a tantrum....

replies(4): >>10041474 #>>10041622 #>>10041758 #>>10042924 #
2. 4bpp ◴[] No.10041474[source]
What is the rationale behind removing the configuration switch, though? Is there supposed to be some contingent of users who are not sufficiently tech-savvy to be trusted with choosing their own add-ons, but sufficiently tech-savvy to go and edit something in about:config, which really needs to be protected from their own stupidity? This sort of "mother knows best" approach is something I would expect from Apple, not a company that claims to put you in control.

Nightly comes with obvious stability and security problems; I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date at the same rate or comes with some presets regarding UI layout or otherwise that are annoying to someone who is not intending to primarily use it as a testbed.

replies(3): >>10041577 #>>10041820 #>>10045826 #
3. Klathmon ◴[] No.10041577[source]
Chrome tried that "configuration switch" before, and what happened was malware would find and flip that switch as one of the first things it did once installed.

Then it would work like it used to (installing bullshit extensions, wrecking the browser overall, and being damn near impossible to remove)

replies(1): >>10045360 #
4. rndgermandude ◴[] No.10041622[source]
Mozilla will certainly continue to sign my piracy-enabling add-on that is perfectly legal in many jurisdictions worldwide, even after a US court ordered them not to sign it explicitly?

I also heard mozilla got an NSL for my "Ed Snowden for president, Find out more on wikileaks" add-on, or rather, I didn't because NSL.

Then again, I hear a broad coalition of human rights, LGBT and feminist groups lobbying mozilla not to sign my "Find nearest public stoning near you - Saudi Arabia Edition" add-on any more, effectively blacklisting it worldwide. But mozilla will keep to their promise not to blacklist my stuff and my regular users can still use my add-on, right? The creator of Javascript and mozilla CEO Brendan Eich will make sure of it... Oh wait...

Speaking of which, what about my "mozilla - not protecting Brendan from harm was shit" add-on, is that compliant with the mozilla trademark policy that I need to abide by per https://developer.mozilla.org/en-US/Add-ons/Add-on_guideline... ?

Yes, those examples are a bit contrived, but actually not that much over the top. Also, please note that I do not necessarily condone these things ;)

My point being: Security through tech-enforced policy is nice and has a lot of upsides as you say, I agree, but it also may have downsides you aren't even aware of.

replies(1): >>10045812 #
5. WorldWideWayne ◴[] No.10041758[source]
Why is everybody supposed to love the Mozilla Corporation? Just because you do?
6. ◴[] No.10041820[source]
7. SkatAndRap ◴[] No.10042924[source]
It's not "hatred" you're seeing. It's exasperation after repeated disappointment, so much of it totally unnecessary.

Many of us have been using software from Mozilla, and Netscape before them, for decades now. Generally we've been happy with the software. We were more than happy with earlier versions of Firefox, in fact. But lately we've seen changes made that have not benefited the users of Mozilla's software.

Your comment actually describes some of the problems we're talking about. Users and developers now have to jump through one hoop after another just to get a basic installation of Firefox working.

It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Firefox used to get better with each release. A new release of Firefox was something we'd look forward to. But lately, each new release of Firefox has brought us new problems to deal with, without bringing any notable improvements.

Repeatedly disappointed people will express their disappointment. Don't misinterpret it as "hatred". See it for what it is: disappointment!

replies(1): >>10045854 #
8. yellowapple ◴[] No.10045360{3}[source]
So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

In other words, if malware can open up the configuration of a separate program and alter it, then malicious browser addons are probably the least of your worries.

replies(1): >>10054425 #
9. soapdog ◴[] No.10045812[source]
You understand that the addon signing process is automated, right? Addon signing is not the same as AMO review. You can sign your addons and distribute them on other channels if they don't match AMO review criteria.
replies(1): >>10045933 #
10. soapdog ◴[] No.10045826[source]
> I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date

Dev Edition is kept up to date. If you check Firefox Versioning workflow, you will see that Firefox DevEdition replaced aurora which was the version between nightly and beta. It's kept very up to date, there are daily updates on the Dev Edition channel. Also the Firefox UI is fully customizable, just click the menu icon in the toolbar, choose customize and start replacing things you don't like.

11. soapdog ◴[] No.10045854[source]
Thanks for keeping it civil. I will address some of your comments in the best way I can.

> It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

The Web Platform advanced a lot in the last few years. A lot has been added to browsers. They are no longer a simple HTML engine with some CSS and bad JS engines. Browsers these days are almost their own operating systems for good and bad. They have so much stuff going on between all the multimedia features, multiple JS engines and compilers, there is lots of stuff going on. Browsers are larger because the Web grew a lot (not in the sense of size but in complexity).

> Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Firefox has always been customizable and the about:config feature enables lots of under the hood tweaks that are not possible everywhere. Making Firefox your own is part of what makes it great. It's a browser you can change to suit your needs, that's less common than people think. Your needs are not the same as the needs of others. As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

> Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Please don't mix addon signing with AMO review, they are different processes with different objectives. Addon signing happens in seconds because it's automated. The signed addon is returned to you in seconds and you're free to distribute it as you see fit. Now, if you want to have your addon on AMO then you need to submit to AMO review which may take a long time due to the lack of people and the overall complexity of reviewing that type of code.

replies(1): >>10045875 #
12. ectoplasm ◴[] No.10045875{3}[source]
> As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

Okay, I want a branded Firefox. I don't want to run a dev edition or nightly. My choices are stable or beta. I probably don't even want beta, but it doesn't really matter. So, I don't really have a choice here.

I can see why signed extensions are a good thing, but removing the option from about:config is unnecessary.

13. rndgermandude ◴[] No.10045933{3}[source]
You do understand that mozilla still could reject certain add-ons, even when only to be signed to be hosted elsewhere, and in fact they do:

> Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days.

Right now, the automatic signing will probably only fail if malware is detected. The "Right now" part is what worries me a bit, tho.

14. acdha ◴[] No.10054425{4}[source]
> So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

Plenty of malware runs as the user rather than the admin, so they can install an extension in your profile or change a config setting but cannot rewrite the Firefox binary without an additional exploit.

Similarly, code signing is increasingly common so an attacker who wants to replace Firefox would need to have their own signing certificate and that offers a way to track down the malware authors.

Yes, none of this works against a complete system compromise but security is all about defense in depth. It would be irresponsible not to protect millions of people just because you cannot do so perfectly.

replies(1): >>10055948 #
15. yellowapple ◴[] No.10055948{5}[source]
So why isn't that checkbox / configuration option / etc. under the same protections? If malware's able to check that box to say "yeah, Firefox, unsigned extensions are okay", then it's surely able to wreak all sorts of other havoc (turning off the pop-up blocker, changing the homepage, redirecting "youtube.com" to "redtube.com"... these are just the mundane things). I can't imagine that Mozilla designed Firefox to be externally configurable by malware running under a user context.
replies(1): >>10057947 #
16. Klathmon ◴[] No.10057947{6}[source]
Well without having the signing key, you can't sign anything that will "change", so any of the configuration options are either baked into the executable (and signed) or they are in a config file (in chrome's case an SQLite file, not sure about FF).

And malware can do all sorts of nasty stuff when it's installed, but the issue with extensions specifically is that they are synced and they can run arbitrary code, so malware that can install one on machine A will instantly infect any other machine that firefox is synced to, as well as silently re-installing if you try to remove it. Plus the extension itself has the ability to download and run additional malware.

I saw a particularly nasty setup one time that a chrome extension downloaded a payload and ran it which would re-enable/reinstall the chrome extension if it was removed, and the extension would reinstall the payload if it noticed it was missing. The only way out was to either wipe the chrome profile and machine, or be really quick and remove both of them at the same time.

It's obviously not an ideal solution (to block all unsigned extensions), but when the options are:

1. Let malware run rampant unable to really combat it in any way (while letting it use your software to spread)

2. Castrate the entire extensions system to make them 'safe' (basically turn them into glorified web pages with the same restrictions and all)

3. Disable unsigned extensions and play the whack-a-mole game in a way that you can actually win it.

The option which works out the best for the vast majority of users is number 3.

replies(1): >>10062118 #
17. yellowapple ◴[] No.10062118{7}[source]
My point is that those aren't the only three options.

4. Have the browser executable perform some sort of integrity check on the settings file to detect if it's been tampered with by something that isn't the browser (which admittedly isn't robust, but it's a start and eliminates at least the more simplistic malware).

5. Implement encryption on the settings file so that it can only be read or modified if unlocked with a user-configured passphrase (such as that used for Firefox Sync).

6. Use an additional config file with the same permissions as the browser executable (i.e. requiring administrative privileges to modify) for critical security settings like whether or not unsigned extensions may be installed, thus preventing user-level malware from editing it.

7. Don't sync extensions automatically (as a Firefox user with several machines, extension autosyncing is actually more annoying than it is helpful; I'd really like to be able to selectively sync certain extensions - like Tree Style Tabs and Greasemonkey - while keeping others (like themes) local to specific machines). This solves the problem of malicious addon propagation that you mentioned, since said propagation would require user intervention.

5, 6, and 7 would be much more useful in Firefox than Pocket/Hello integration, builtin PDF readers, or any of the other cruft that's started to creep in. In fact, I'm pretty sure 6 is already possible through that enterprise configuration addon (I know firsthand that it's possible to have settings locked down to administrator-only access through that).

Regardless, my other point is that by default, if malware can manipulate Firefox' settings, it can manipulate other things that are just as bad as malicious extensions (like one's stored passwords). It's already possible to mitigate password storage risks by setting a passphrase on one's password cache, so I see little reason why #5 shouldn't be possible, too.
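
Option 6 from the comment above, sketched as an added example (not part of the thread and not Firefox code): security-critical keys are ignored when they come from the user-writable settings file and are honoured only from a file that, together with its directory, is owned by the administrator and not group- or world-writable. The key name `allow_unsigned_extensions`, the JSON file format and the file names are hypothetical; in `demo()` the current uid stands in for the administrator so the block runs unprivileged.

```python
import json, os, stat, tempfile

# Hypothetical name for the security-critical setting discussed in the thread.
CRITICAL_KEYS = {"allow_unsigned_extensions"}

def _locked_down(path, trusted_uid):
    """True if path is owned by trusted_uid and not group/world-writable."""
    try:
        st = os.lstat(path)              # lstat: do not follow a planted symlink
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return False
    return st.st_uid == trusted_uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def is_admin_protected(path, trusted_uid=0):
    """The file and its directory must both be admin-only, otherwise a
    user-level process could simply replace the file."""
    parent = os.path.dirname(os.path.abspath(path))
    return _locked_down(path, trusted_uid) and _locked_down(parent, trusted_uid)

def effective_settings(user_prefs, admin_prefs, defaults, trusted_uid=0):
    """Merge settings; return (settings, critical keys ignored from user file)."""
    settings = dict(defaults)
    with open(user_prefs) as f:
        user = json.load(f)
    ignored = sorted(k for k in user if k in CRITICAL_KEYS)
    settings.update({k: v for k, v in user.items() if k not in CRITICAL_KEYS})
    if is_admin_protected(admin_prefs, trusted_uid):
        with open(admin_prefs) as f:
            admin = json.load(f)
        settings.update({k: v for k, v in admin.items() if k in CRITICAL_KEYS})
    return settings, ignored

def demo(admin_mode=0o644):
    """Constructed sample files; the current uid stands in for the administrator."""
    d = tempfile.mkdtemp()               # created 0700, owned by the current uid
    user, admin = os.path.join(d, "user.json"), os.path.join(d, "admin.json")
    with open(user, "w") as f:           # the "flipped switch" in the user file
        json.dump({"homepage": "https://example.org", "allow_unsigned_extensions": True}, f)
    with open(admin, "w") as f:
        json.dump({"allow_unsigned_extensions": True}, f)
    os.chmod(admin, admin_mode)
    defaults = {"homepage": "about:blank", "allow_unsigned_extensions": False}
    return effective_settings(user, admin, defaults, trusted_uid=os.getuid())

if __name__ == "__main__":
    print(demo(0o644))   # admin file locked down: its value is honoured
    print(demo(0o666))   # admin file world-writable: critical key stays at default
```

The ownership check only has teeth if the process cannot be told to look somewhere else, so the path of the admin-only file has to be fixed at build or install time rather than read from anything the user can write.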