Mozilla Firefox Add-on Signing has started
Mozilla announced in February 2015 that it would require add-ons to be signed in the near future to improve security and privacy for users of the browser.
The idea here was to use signature verification to reduce the number of malicious extensions released for the browser, especially those not distributed via Mozilla's website.
The only option Mozilla has to block malicious add-ons currently is to add them to the global blocklist, but that requires that Mozilla knows about the extension and that's usually when harm is already done.
Add-on signing impacts users and developers to varying degrees. Add-on developers, for instance, need to submit their add-ons to Mozilla regardless of whether they plan to release them on Mozilla AMO or not.
While it is theoretically possible to skip the submission, it would mean that only Dev and Nightly users can install the add-on, as those are the only two channels for which signing is not mandatory.
Unsigned add-ons will be blocked in Stable, Beta and ESR versions of Firefox once the feature lands with no option to override the feature in the browser's preferences or on the about:config page.
This includes all existing add-ons installed in the browser that are not signed and also all extensions with custom modifications (which, according to Mozilla, then need to be submitted for signing).
The most recent version of add-ons currently hosted on AMO and any new version uploaded to it by developers will be signed automatically. Mozilla mentioned already that this won't be the case for old versions.
Developers who have not uploaded their extensions to AMO yet (HTTPS Everywhere is a prime example) need to do so if they want their add-ons to remain available to Stable, Beta and ESR users.
If you are running the stable version of Firefox you may have noticed that add-on signing has already begun.
When you open the add-ons manager in the browser, by loading about:addons for example, you may already see some signed add-ons listed there.
I checked Firefox Stable, Dev and Nightly but only the stable version of the browser listed the NoScript add-on as signed.
Signing has no impact currently as it is not enforced.
Pale Moon users on the other hand were affected negatively by this as crashes were caused by extensions with improperly formatted signatures or manifest files. Today's update to Pale Moon 25.3.2 fixes the issue.
The developers of the third-party browser already mentioned that they won't implement add-on signing in the browser.
Originally planned to be released in Firefox 39, add-on signing is now on track to be released with Firefox 40.
Additional information is available on Mozilla's Wiki website and the main tracking bug.
I think that doesn’t stop malware, I already saw that the addons (which in fact is only a .zip with another extension name .xpi) can easily be manipulated, just copy the cert and the keys into the infected apk and Mozilla sees this as “legit”. I already reported this, this also affects F-Droid under Android, since there is no hidden server side check if the addon is already installed.
1 – “only Dev and Nightly users can install the add-on as those are the two only channels for which signing is not mandatory”
Also the unbranded builds
2 – “HTTPS Everywhere”
It was reposted and is awaiting review
Ah yes, unbranded builds. Any news on those?
The info available so far is that they will be provided
And as per the mailing list, more info to come soon
So the day when I will have to modify Mozilla’s source code and recompile it in order to disable such idiotic “features” draws near… Oh well…
Please can you upload instructions when you do? :-)
Firefox development stories just give me ulcers anymore. I use Firefox mainly for the extensions and I’m waiting for the update that permanently breaks everything or I can’t work around the changes.
Mozilla, in all my years using Firefox, I haven’t needed this kind of protection. Seems Mozilla just regulates more and more. One of these days, they’re going to push me too far, and I’ll end up using Chrome.
Instead of “regulate”, I should’ve said “dummies down” their browser more and more.
Ha ha. You know that Chrome extensions are more vulnerable than Firefox addons? Plus all your browsing data will be in Google's hands if you use Chrome, ready to be analysed by the NSA. I trust an open source browser more than your Chrome. Good luck.
Karl, indeed. I was smitten with Firefox since Nov 2004. Now, not so much and use Pale Moon browser mostly.
BTW, Pale Moon didn’t crash when updating extensions, it showed the same stupid error message as Fx. So Moonchild came up with an update for PM fast! I tried Chrome years ago and found it horribly restrictive. When I uninstalled Chrome, it left hundreds of keys behind which I had to remove one by one. Fx is on its way to become a second hand Chrome.
“BTW, Pale Moon didn’t crash when updating extensions….”
I wonder if it didn’t depend on when you tried.
When Mozilla started serving signed extensions from “AMO” (addons.mozilla.org), around maybe 48 hours ago, its signature process apparently corrupted the extensions. In my Firefox (the latest stable release), attempting to update/install extensions would yield errors and installation would fail. In my Pale Moon (the latest stable x64 release), attempting to update/install extensions would crash Pale Moon each and every time the attempt was made.
Within maybe 12 hours, I believe Pale Moon’s developers stopped forwarding extension update requests from Pale Moon’s addons site to AMO, as an emergency measure. Attempting to update extensions hosted at AMO simply returned a “no updates available” message (whether updates were available at AMO or not).
Within maybe 24 hours, Mozilla apparently fixed their signing process, and updating/installing extensions started working again in Firefox.
Within maybe 36 hours, Pale Moon released and pushed a Pale Moon update that would supposedly no longer crash when users or the browser attempted to install extensions corrupted by Mozilla’s initial extension-signing routine. I can’t personally vouch that that is the case, since I don’t have any corrupted extensions on hand to try it out with, but compatible AMO-hosted extensions signed with Mozilla’s new, non-corrupting signing routine do install just fine.
Anyway, that’s the best I can figure out what happened. Pale Moon’s developers explain most of it in more detail here:
Pale Moon forum • View topic – Warning: signed add-ons crash Pale Moon
By the way, hats off to the Pale Moon team for their rapid and effective response to a crisis that was not of their making.
Updated to Pale Moon 25.3.2.
All my 50+ FF addons
running just fine in the Pale Moon browser.
– Pale Moon 25.3.2 and FF 37.0.2
– Ubuntu Linux 12.04 (32-bit)
– Samsung Tablet Galaxy Tab3 / Android 4.2.2
I never had security or privacy related problems with extensions in Mozilla products. I had only problems with devs shitty decisions about browser UI.
This php script is checking your IP, the Remote Port, your Browser and your Referrer.
It is a good way to check your IP fast and see for example if a proxy you setup is
working fine or spilling your IP.
setup = noun
set up = verb
Way to go Mozilla, keep working hard to piss off your users.
The brains of Firefox will not admit that Firefox will soon be no more. The shares are going down like a falling rock. Other browsers are taking shares from Firefox.
I still use Firefox, but have been thinking that it is time to change to a different browser. To one that sometimes listens to its users and does not keep taking away extensions and options that made it the Browser to have.
Doom and gloom Firefox trolls make me sick. Always starts with “I’m a Firefox user, Computerworld says its user share is rock bottom, jump ship!”. Disingenuously combine mobile, desktop, puts Firefox in bad light.
Before we get our knickers in a twist, adopt “wait and see” approach. Mozilla knows too well, breaking addons will cause them more trouble.
Boneheaded signing is too restrictive, Mozilla’s loss.
Regardless the effect of signing requirements… signed or not, many existing extensions will be incompatible with the forthcoming multi-process version of Firefox (aka “e10S” or “electrolysis”). Sigh, I expect we’re approaching the end of the firefox era.
Huh? but tell me, which browser? opera? those guys are the nordic counterpart of these “wise” men, so don't expect too much from them (they didn’t listen to their base core users and dropped presto in favor of webkit creating a #%&! “new browser”) I.E.? gotta be kidding here, the old fat donkey has lost some weight but still it is not a match for chrome or firefox, too many security holes and overall a very boring experience, though it may be enough for some, power users tend to feel frustrated due to the lack of features. so nope, it isn't a choice. Safari? same like i.e. but cooler XD. Maxthon? mmm well, the chinese don’t trust us, so i don’t trust them too. Now let me guess “chrome is the obviously choice” you might think, but let me ask you something: Wasn’t chrome itself the reason why you are USING firefox???? So as you might have already notice, i am a bit skeptical about real alternatives. Firefox was used to be very good, a ram hog, but at least they cared about our opinion, but those days are long gone and im sick of the “we know better” attitude towards users so i understand how you feel right now but there is nothing we can do but using tons and tons of add-ons to make firefox cool again. Sadly, firefox is bound to destroy itself by becoming netscape v2 and i fear the day i would be the only firefox user is not that far….
I really hope that Mozilla Firefox’ days are NOT numbered!!!
(I have Strong Feelings about the health of Firefox)
I don’t understand all the technical jargon of what goes on behind the scenes to keep this Wonderful browser afloat . . . BUT at least I know one thing: FIREFOX is the Only Internet Portal that WORKS FOR ME!!!
Features and security are always in conflict. Many of the most secure software out there doesn’t do a great deal. Browsers especially are in the unenviable position of needing to have both cutting edge and secure software. I’ve never had serious issues but as a longtime Firefox user, I hope the signing process is a short stepping stone to a better experience for everyone.
“Unsigned add-ons will be blocked… This includes all existing add-ons installed in the browser that are not signed ”
They are not going to block only installation of unsigned add-ons, but they will also prevent already installed add-ons from running if they are not signed?
Meaning, the add-ons I installed back in 2005 which are still working fine even though they have not been supported for more than 5 years now will suddenly stop working?
IIUC, they’re going to automatically sign the top versions of all compatible addons which will pass their tests. And even if they don’t, you can change the ID of an addon and submit it for signing yourself.
That’s the plan as far as I know it.
though it may be enough for some, power users tend to feel frustrated due to the lack of features. but seems to be really good.
I am stopping with mozilla… I had a stable mozilla running with a USB password manager but now with this signing policy I can’t use this usb key anymore. I refuse to buy other hardware just to satisfy mozilla