Mozilla to require add-ons to be signed in the future
I published an article just yesterday about unique Firefox extensions praising the extension API of the web browser.
Mozilla announced today that it will introduce extensions signing later this year which changes several processes for extension developers and many users of the browser.
Before we look at the reasoning behind the move, lets take a look what extension signing means, how it is implemented and what impact it will have.
Extensions that developers submit for hosting on Mozilla's add-on repository get signed if they pass the review process once the system is in place. Existing extensions that are already published on the site will be signed automatically.
Extension developers who don't host their extension on the add-on repository will need to create an account on the site and submit the extension to Mozilla for review if they want to make it available for Stable or Beta versions of Firefox.
The extension that is submitted this way does not need to be listed publicly and if it passes all checks, will be signed just like any other extension.
Mozilla is working on a third option that it wants to offer for extensions that are not offered publicly at all but did not reveal the process for these extensions yet.
Unsigned extensions cannot be installed in Firefox Stable or Beta anymore after a period of two release cycles where warning messages are displayed to inform users and add-on developers about the new process. According to Mozilla, there won't be an override switch or config parameter to bypass this once the blocking is in effect.
Developer and Nightly versions of Firefox are not affected by this, these versions will support unsigned extensions just like before.
Only add-ons are affected by the change. Themes and dictionaries are handled just like before.
Little changes for add-on developers who upload their add-ons to Mozilla's add-on repository already.
The only change for them is that they may need to use Developer or Nightly versions of Firefox for testing as they won't be able to use stable or beta versions anymore.
The situation is different for add-on developers and companies who don't publish their add-ons on the official website. If they want to continue offering the extension to the majority of Firefox users, they need to create an account on the site and go through the upload and review process each time they create or update extensions.
It is theoretically possible to limit the extension to Developer and Nightly users only and nothing would change in this case.
Firefox users who run stable or beta versions of the browser won't be able to install unsigned extensions. The impact may be low but there is one caveat that users may run into: previous versions of extensions on the Mozilla site won't be signed.
Another issue is that modified extensions cannot be installed anymore unless you go through the same signing process as add-on authors.
The Firefox installation process will change as well. When you click on the add to Firefox button will check if the extension is verified. If it is it will make available the install button which you need to click to install it. You see a mockup of the process above.
Members of the Seamonkey and Pale Moon development team mentioned that they won't implement the feature.
When will this take effect?
Mozilla plans to display warning messages in the second quarter of 2015, likely with the release of Firefox 39 which, according to the Firefox release schedule, will land June 30, 2015.
Warnings are displayed in the next two release cycles (12 weeks from the release of Firefox 39) after which the permanent blocking of unsigned extensions will take effect.
What is the reason behind the move?
The main reason behind the move is to improve the security and privacy of Firefox users. The current process is impracticable, as it relies on Mozilla's blocklist feature to block malicious extensions in the browser.
To block an extension, Mozilla needs to know about it first.
The organization hopes that the new process reduces the number of malicious extensions for Firefox and the impact that these extensions have.
Assuming that malicious extensions won't be signed by Mozilla, these extensions can not be installed by Firefox users in stable or beta versions of the browser.
The impact is therefore reduced to Developer and Nightly versions which make up only tiny percentage of all installations.
Mozilla's approach is different from that of Google. While Google has a similar process in place, it requires that extension developers host their extensions on the Chrome Web Store. There is virtually no option to not host it there while Firefox developers still have options to host it on Mozilla AMO or on their own sites.
Now You: What do you think, how big of an impact will that change make?
This is quite possibly a deal-killer for me. I don’t want Mama Mozilla sitting coop over what I can install and what I can’t in my browser, and limiting extension use to what I can find in addons.mozilla.org — with, as you say, explicitly no option to override — leaves such a sour taste in my mouth that I’m not quite sure where I’ll go next. Chrome is, of course, just as bad, but one of the things that kept me with Firefox was the diverse extensions I could install.
Firefox seems hell-bent on becoming Chrome, even if it means killing the customizability that made it distinct to begin with.
Companies can still offer their extensions outside AMO.
As was mentioned below, what of the ability to customize add-ons? what of the ability to crate add-ons for private use, simply because of a personal need?
This is definitely a deal-breaker for me.
I’ve been using Seamonkey since it was Netscape 3, and sadly, this will be a painful goodbye.
SeaMonkey is NOT Firefox. We don’t intend to impose any signing restrictions at all.
Thanks for the clarification!
I don’t get it, if you can install unsigned (or even self-signed) addons through external providers, then what the hell is the point in the first place?
Developers who want to distribute their extensions through other means need to get it signed. Once done, they can offer downloads on any third-party site they want and users can install them in all versions of Firefox.
Thanks for the clarification on Seamonkey.
In general, I still think this feature should be offered with an overriding mechanism, for those who wish/ need it.
Mozilla’s reasoning behind this is that they fear that malicious add-on developers manipulate the override switch as well so that their extensions get installed on user systems.
@Martin – If Mozilla seriously believes this, this is a like a pure insult to power users like myself. I have control over my >own< system. I'm not an average user which deletes the internet once per week or has 30 toolbars. Mozilla is seriously trying to hard to create a "Chrome-like" structure, and I'm sure this will even go so far that at one point their browser isn't really that open source anymore, like Chrome.
@Ratty – Thanks for the info as well! :)
If the extension is not malicious, then there’s no reason they can’t submit it to mozilla to verify. I just received all 50 of my addons updated with -signed attached.
I can understand this move.
Here I have 2 add-ons that do not appear on AMO : Sage++ (Higmmer’s Edition) and uBlock. I believe it is in the uBlock‘s developer intentions to propose eventually his add-on to Mozilla, but no idea concerning Sage++. I also have several tiny add-ons, originally bookmarklets transformed into button add-ons on Codefisher‘s site : those as I understand it would not work with new AMO rules.
Well, the price of security. As always crooks push laws to be enforced and enforced laws bother everyone), even for different reasons.
To limit the action of scum I’m ready to be bothered here and there.
> to propose eventually [uBlock] to Mozilla
@Deathamns, who did the port to Firefox is taking care of this. It is my understanding uBlock has already been submitted. There was a glitch when he submitted the first time, as he found out someone else, we don’t know who, had already submitted uBlock to AMO.
I see a big problem with this approach: If I decide to modify an already existing extension (they ARE open source, after all) I will find myself unable to use it in Stable unless I submit it to Mozilla for signing.
Yep, that is a problem.
Ugh! I am a developer, and I don’t like this at all.
What if I want to create some personal/private addons just for use in our office? There is no reason why I need to have Mozilla even look at them. Perhaps they are so custom that they are only for use with our own internal website. They would fail any review, but they serve us just as we need.
I *don’t* like the idea of not being able to test in my own specially-customized test browser. I don’t *want* to change it.
Signing is fine for addons to be consumed by the public, and I advocate the use of the security measure, but I really think they should allow for an override for personal use, dev use, and non-public use. It could as easy as a normal about:config setting whether or not to require signatures for particular addons.
In fact, what I will end up doing is just *not* upgrading my firefox anymore.
I believe they are releasing an identical version of stable firefox developer edition that you can use instead of the consumer grade stable that will allow unsigned addons.
As described here I doubt it will have all that much effect on users, most of whom install from AMO anyway. It certainly won’t mean any individuals or organizations /must/ stop offering their own extensions outside of AMO; they’ll just need to have Mozilla validate them first (though I expect this will rankle some of them–it is, after all, a “guilty until proven innocent” approach), presuming they want to continue using Firefox, that is. The Firefox “clones” may decide to remove the offending code in order to ignore such security/safety measures.
It won’t affect me at all.
firefox is open source right?,
so it should be easy for someone to modify firefox to make it available again.
This is a great idea and long overdue although exactly how things will be handled for different scenarios (add-ons for personal use, etc) is extremely confusing right now and full details aren’t offered or ready, but there’s plenty of time for things to get hammered out.
There have been a lot of issues created when add-on developers sell their add-ons and the new owners sneak in all kinds of ads, crap, and sometimes dangerous coding and the user gets that junk installed and stuck with it all without warning by simply updating their add-on.
There have been posts on this site about that, and Mozilla support has always had to deal with this also.
There’s also the 3rd party sites and vendors who distribute their own add-ons from their sites or cram them in with other software and there’s no accountability for when things go wrong for the user. Then, Mozilla gets blamed, more specifically, Firefox is blamed and it’s blamed for the toolbars, viruses, malware and whatever else that gets installed and Mozilla hears “Goodbye Firefox” and, I’m going to Chrome”.
I do believe that there – needs – to be (and will be), a balance between being able to do what we want with add-ons (hacking them), and install what we want and from where, and preventing things from going to hell by bad actors who end up giving Firefox as a product a bad name and pisses off users and chases them away.
“Little changes for add-on developers who upload their add-ons to Mozilla’s add-on repository already.”
Not from what I understand so far but I’m still learning.
We won’t be able to easily work on and test our add-ons in release and beta versions and beta testers of add-ons won’t be able to do it of course either.
That’s a huge issue but I’m confident that it will be worked out.
In the end, this is the right things to do.
Greetings from your Pale Moon Add-ons Site Administrator and Team Leader..
We are watching the situation very closely. We DO have a total mirror of every Firefox extension that was listed in AMO’s repository as of September 2014 in case these changes cause a hindrance to Pale Moon.
Also know that we also will NOT be employing this kind of nonsense and do not require our interaction for Add-ons not hosted on our add-ons site and have a classification for self hosting which we call “Externals” where we encourage and support listing an add-on but it is not on our server.
While we slowly march from supplement to replacement to AMO it is still a long road and for the short term self hosting or hosting elsewhere is actually helps us. The minimum interaction we require for Externals to be listed is simply give us some info.. Short Description, an Icon, the name of the add-on, and the url of where it is. That is it and it will be added.
Let me reiterate. Pale Moon will continue being TRULY open to development of browser extensions WITHOUT restrictions caused by POLICY and we will work with you.
As an example. we recently worked with the developer of FoxyProxy to get their add-on working in Pale Moon which is now supported. Nebulous review teams be damned!
Matt A. Tobin
– Add-ons Site Administrator and Team Leader
– Core Contributing Developer / “Comm” Codebase Engineer
– IRC Channel Coordinator (irc.mozilla.org #palemoon)
————————————————- for the Pale Moon Project
Thanks Matt, I have updated the article to reflect the stance of the Pale Moon team and that of SeaMonkey.
Oh i see – another hit into power users and add-on developers face..
Have used Firefox since it’s very early days, while i write that, i uninstall Firefox and install Vivaldi Browser.
Thanks god there are companies who understand the power users need for hardcoded features without having to install for everything more complex an add-on as Mozilla requires since Australis has landed. UI Chrome clone my a**!
Bye Firefox, enjoy your evershrinking marketshare!
For all of you who are having enough too – http://www.vivaldi.com and http://www.vivaldi.net
A browser from Power User for Power User!
What are the cons of switching to the Developer Edition?
Mozilla integrates and tests features in it that may not be ready yet for prime time. While you should not notice huge differences to the stable or beta version, it may run less stable from time to time because of that.
Martin, future ghacks articles would be welcome (as each major firefox version is released) detailing the specific differences between release channel and “developer Edition”.
Specific to the issue of workaround to installng unsigned extensions, I’m wondering: “Why not just use the Developer Edition”? I think I’ve read somewhere that, theoretically, some of the dev tools could be exploited (er, they unnecessarily expose a greater potential attack surface)… but I’m drawing a blank trying to recall a specific example. Is it really inadvisable to use DeveloperEdition for general, daily use, surfing?
In the abstract, I don’t have a problem with code signing. It’s simply a way to verify authorship.
I don’t have a problem with Firefox only running signed add-ons, either.
My only concern is this: signed by WHO?
The USER should have control over what keys the browser uses to check signatures, and should be able to add the signing keys of anyone they trust.
Mozilla has decided to increase safety by being the sole gatekeeper – but this of necessity reduces user freedom.
Walled gardens are very nice, and very safe, but they’re still a prison. Mozilla has made a decision against it’s own principles.
“The USER should have control over what keys the browser uses to check signatures, and should be able to add the signing keys of anyone they trust.”
I bet Mozilla will add some way to do that for e.g. organizations that want to code and run custom in house extensions for their intraweb or the like.
I am so sad to hear this message.I am a amateurish developer. I often develop some small addon just for my self ,and I only user the release version.Moz wants to controll the market by the name of security.This is not the style of firefox.Besides ,It is so hard to make my addn rivewed,I don’t think MOZ has enough people to reivew the extention.Moz should not control the addon system like google, people should take responsibility for their self, not MOZ,we know what we are doing when we download a addon.
“In order to improve user security, we are now requiring devs who create personal-use addons to remain on outdated, insecure browsers.” – Mozilla
Makes sense to… wait no it doesn’t…
I need to look at Pale Moon again and see if they decided to keep Tab Groups. A feature that was removed only to make an extremely buggy re-appearance as an add-on. Was a complete deal breaker for me when it was removed.
Unbranded builds should also be mentioned
” Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions. “
agree with BGM: “Signing is fine for addons to be consumed by the public, and I advocate the use of the security measure, but I really think they should allow for an override for personal use, dev use, and non-public use”
also just a thought … if one of those ginormous competitor browser companies out there that could afford to, actually did set up a large team of developers to make an overload of applications to Mozilla to create a bottleneck at the approval stage… that would push all the legitimate applications further away from making it… thereby slowly killing off the browser’s innovative customisable appeal and ultimately users.
Well, to quote Benjamin Franklin: â€œThose who surrender freedom for security will not have, nor do they deserve, either one.” – And exactly this will happen… Seriously, there is always a way around. If malicious add-on developers need to completely wreck and modify the Firefox installation to avoid this, then they will do it. And the average user will click “Yes” on these Windows UAC prompts anyway.
giving a warning massage should be enough…..
there is no need blocking addon…..
I like this, more security. Users who are advanced enough to modify the code of add-ons likely also aren’t strangers to the Nightly/Dev versions of Firefox.
I hate this new “We know it better” trend.
There won’t be an override??? Not even in about:config? Come on. The whole point of Firefox is to have a customized browser. Those who want to be safe can use this feature but let’s have something for those who want to experiment, even if it is dangerous.
Just a reminder if people don’t know. You can install any addon for Chrome too regardless of channel through the group policy whitelisting. It is a bit of a hassle to set it up, but once you do, you can easily whitelist any extension you want to use.
As for Firefox, I think it is a bad idea for the most part. For example, Lastpass regularly releases updates on its own website, while the one at the AMO is several version behind probably b/c the AMO people don’t review updates fast enough. I understand this on the whole will benefit the userbase especially non technical users b/c I have seen the crap people do and let do to Firefox, but the feature unnecessarily punish people who know what they are doing.
There are orphan add-ons which are useful but no longer within the attention sphere of the original developer or in some cases the developer is gone from this world. Will orphan add-ons that are in use be locked out as of 39?
Is it possible to create another brand browser that closely tracks the Firefox releases with a low time lag and with the _only_ difference being the disabling of this “feature”? Such a brand would be a haven for those who create personal add-ons or people that run into a serious orphan problem.
Don, all add-ons in store will get signed automatically as far as I know.
Mozilla is doing its best to drive both users and developers away from Firefox.