←back to thread

Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)
288 points fernandotakai | 5 comments | 11 Aug 15 03:51 UTC | HN request time: 0.732s | source
Show context
userbinator ◴[11 Aug 15 12:02 UTC] No.10040344[source]
Mozilla's hypocrisy is astounding:

https://blog.mozilla.org/security/2013/01/29/putting-users-i...

"Users should have the choice of what software and plugins run on their machine."

https://blog.mozilla.org/theden/2014/12/15/introducing-a-sma...

"Firefox is dedicated to putting users in control of their online experience"

More recently:

https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in...

"Firefox Puts You in Control of Your Online Life".

The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?

replies(6): >>10040466 #>>10040472 #>>10040993 #>>10041265 #>>10041365 #>>10052169 #
soapdog ◴[11 Aug 15 14:26 UTC] No.10041265[source]
WTF people. So much hate for Mozilla these days, this appear pitchfork group.

Lets review what the article says: addons needed to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.

You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort by the part of the developer but it also helps prevent some security issues.

Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.

The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.

Heck, this is an improvement to security. You can opt out by moving to a different Firefox version, there are three versions you can use, DevEdition, Nightly and Unbranded. If you opt-in you have an extra level of confidence in the addon you're installing.

Developers take only couple seconds to submit and retrieve back their addons and the added bonus for security is great. This will prevent those pesky spyware/malware from hijacking your browser which is a problem faced by many users that are not as tech savvy as this crowd here.

And yet people throw a tantrum....

replies(4): >>10041474 #>>10041622 #>>10041758 #>>10042924 #
4bpp ◴[11 Aug 15 14:52 UTC] No.10041474[source]
What is the rationale behind removing the configuration switch, though? Is there supposed to be some contingent of users who are not sufficiently tech-savvy to be trusted with choosing their own add-ons, but sufficiently tech-savvy to go and edit something in about:config, which really needs to be protected from their own stupidity? This sort of "mother knows best" approach is something I would expect from Apple, not a company that claims to put you in control.

Nightly comes with obvious stability and security problems; I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date at the same rate or comes with some presets regarding UI layout or otherwise that are annoying to someone who is not intending to primarily use it as a testbed.

replies(3): >>10041577 #>>10041820 #>>10045826 #
Klathmon ◴[11 Aug 15 15:05 UTC] No.10041577[source]
Chrome tried that "configuration switch" before, and what happened was malware would find and flip that switch as one of the first things it did once installed.

Then it would work like it used to (installing bullshit extensions, wrecking the browser overall, and being damn near impossible to remove)

replies(1): >>10045360 #
1. yellowapple ◴[12 Aug 15 00:45 UTC] No.10045360[source]
So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

In other words, if malware can open up the configuration of a separate program and alter it, then malicious browser addons are probably the least of your worries.

replies(1): >>10054425 #
2. acdha ◴[13 Aug 15 14:26 UTC] No.10054425[source]
> So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

Plenty of malware runs as the user rather than the admin, so they can install an extension in your profile or change a config setting but cannot rewrite the Firefox binary without an additional exploit.

Similarly, code signing is increasingly common so an attacker who wants to replace Firefox would need to have their own signing certificate and that offers a way to track down the malware authors.

Yes, none of this works against a complete system compromise but security is all about defense in depth. It would be irresponsible not to protect millions of people just because you cannot do so perfectly.

replies(1): >>10055948 #
3. yellowapple ◴[13 Aug 15 17:47 UTC] No.10055948[source]
So why isn't that checkbox / configuration option / etc. under the same protections? If malware's able to check that box to say "yeah, Firefox, unsigned extensions are okay", then it's surely able to wreak all sorts of other havoc (turning off the pop-up blocker, changing the homepage, redirecting "youtube.com" to "redtube.com"... these are just the mundane things). I can't imagine that Mozilla designed Firefox to be externally configurable by malware running under a user context.
replies(1): >>10057947 #
4. Klathmon ◴[14 Aug 15 00:12 UTC] No.10057947{3}[source]
Well without having the signing key, you can't sign anything that will "change", so any of the configuration options are either baked into the executable (and signed) or they are in a config file (in chrome's case an SQLite file, not sure about FF).

And malware can do all sorts of nasty stuff when it's installed, but the issue with extensions specifically is that they are synced and they can run arbitrary code, so malware that can install one on machine A will instantly infect any other machine that firefox is synced to, as well as silently re-installing if you try to remove it. Plus the extension itself has the ability to download and run additional malware.

I saw a particularly nasty setup one time that a chrome extension downloaded a payload and ran it which would re enable/reinstall the chrome extension if it was removed, and the extension would reinstall the payload if it noticed it was missing. The only way out was to either wipe the chrome profile and machine, or be really quick and remove both of them at the same time.

It's obviously not an ideal solution (to block all unsigned extensions), but but when the options are:

1. Let malware run rampant unable to really combat it in any way (while letting it use your software to spread)

2. Castrate the entire extensions system to make them 'safe' (basically turn them into glorified web pages with the same restrictions and all)

3. Disable unsigned extensions and play the wack-a-mole game in a way that you can actually win it.

The option which works out the best for the vast majority of users is number 3.

replies(1): >>10062118 #
5. yellowapple ◴[14 Aug 15 19:04 UTC] No.10062118{4}[source]
My point is that those aren't the only three options.

4. Have the browser executable perform some sort of integrity check on the settings file to detect if it's been tampered with by something that isn't the browser (which admittedly isn't robust, but it's a start and eliminates at least the more simplistic malware).

5. Implement encryption on the settings file so that it can only be read or modified if unlocked with a user-configured passphrase (such as that used for Firefox Sync).

6. Use an additional config file with the same permissions as the browser executable (i.e. requiring administrative privileges to modify) for critical security settings like whether or not unsigned extensions may be installed, thus preventing user-level malware from editing it.

7. Don't sync extensions automatically (as a Firefox user with several machines, extension autosyncing is actually more annoying than it is helpful; I'd really like to be able to selectively sync certain extensions - like Tree Style Tabs and Greasemonkey - while keeping others (like themes) local to specific machines). This solves the problem of malicious addon propagation that you mentioned, since said propagation would require user intervention.

5, 6, and 7 would be much more useful in Firefox than Pocket/Hello integration, builtin PDF readers, or any of the other cruft that's started to creep in. In fact, I'm pretty sure 6 is already possible through that enterprise configuration addon (I know firsthand that it's possible to have settings locked down to administrator-only access through that).

Regardless, my other point is that by default, if malware can manipulate Firefox' settings, it can manipulate other things that are just as bad as malicious extensions (like one's stored passwords). It's already possible to mitigate password storage risks by setting a passphrase on one's password cache, so I see little reason why #5 shouldn't be possible, too.