Firefox Add-ons Warning: This extension isn't monitored by Mozilla
Firefox users who open the official Firefox Add-ons repository may notice a new warning message displayed on most extension pages.
The warning reads: "This extension isn't monitored by Mozilla. Make sure you trust the extension before you install it". A "read more" link points to a support page that explains the concept behind the Recommended Extensions program.
Update: Firefox users may also get "This is not a Recommended Extension. Make sure you trust it before installing." End
The warnings were not displayed before on Mozilla AMO, the name of the add-ons repository, and you may wonder why the warnings are displayed right now.
Mozilla announced the launch of the Recommended Extensions Program for Firefox in early 2019. The main idea behind the program was to create a list of featured extensions that Mozilla would promote in various ways including in Firefox itself but also on Mozilla AMO.
Extensions and their developers had to meet a number of criteria including that extensions needed to be safe and relevant, that the developer was committed to the extension, and that they needed to be "really good" at what they offered.
Due to the curated nature of Recommended extensions, each extension undergoes a thorough technical security review to ensure it adheres to Mozilla’s add-on policies.
Additionally, extensions would be carefully monitored by Mozilla. Unlike with the rest of the extensions, Mozilla would analyze the code of each of these extensions and of any update before allowing it to become available to users of the browser. The process is not all that different from the process that Mozilla used several years ago, sans the promotional effects. The organization used to verify each extension before as well but has since switched to an automated system with manual checks after extension availability.
Recommended Extensions have a higher level of trust associated with them because of the extra vetting.
The yellow warnings are displayed for any extension on the Firefox Add-ons website that is not recommended by Mozilla. While it may make sense at first glance to inform users that an extension is not monitored, it seems likely that at least some users will be put off by the warning.
Extension installations may suffer because of that and it is likely that extension developers are not happy because of that. The warning is displayed on pages of very popular long-standing Firefox extensions such as Tampermonkey, User-Agent Switcher, Adblock Plus (the extension with the most installs by far), or Avast Online Security. Even some of Mozilla's own extensions, e.g. Easy Screenshot by Mozilla Online, Firefox Lightbeam, or Notes by Firefox, are listed with the warning.
Firefox Multi-Account Containers is not recommended, but it is one of the few exceptions to the rule: the warning is not displayed for that extension.
Closing Words
Mozilla is right when it states that a particular extension is not monitored by the organization. That's not really the fault of the extension developer on the other hand. Then there is the question of finding out if an extension is trustworthy. Mozilla provides no guidance or information on that, and most Firefox users can't analyze the code of extensions to verify that the extension is trustworthy. And even if they could, the analysis would not include any of the updates that may be pushed out by the developer.
Now You: what is your take on the warning?
Unless it is an extension that is known to be safe, for example uBlock Origin, I don't usually click the download button directly; whenever possible I try to download the .xpi file (right-click the download button and "save as") and then scan it with VirusTotal.
There is a reason that Firefox became a borderline irrelevant browser. It all comes down to utility. Firefox has some extensions but not all. Mozilla has tormented developers for years with constantly changing rules and for a long time horrendous wait times for extensions to be approved. Chrome had a much more open policy and as a result everyone developed for them, as a result, users flocked to Chrome, more developers, more utility, etc…
I know of a browser extension that has 1.5 million users on Chrome and they decided it wasn’t worth the hassle of continuing to develop for Firefox and pulled their extension off of Firefox (this is a for profit company with venture funding so they have the resources to continue to develop multiple browsers). I know of another popular add-on that has 600k users on Firefox and it is not recommended, but yet Firefox has all sorts of trivial “recommended” add-ons with under 10k users. Mozilla is a joke because they run the organization with an agenda that doesn’t align with user utility. Pretty sad for a browser that pioneered the add-on marketplace.
This is another step in their roadmap to kill user control over Firefox, here through extensions, by castrating them, disabling them, or scaring users away from installing them. Not because of security, performance, or lack of resources, not either for the benefit of the majority, as the gullible who still trust Mozilla’s words believe it, but, exactly like with Chrome, so that users become more defenseless against companies (browser vendor, built-in disservice providers, web sites, trackers, advertisers…), including the majority of users.
With this objective in mind, it was logical to create the conditions for their store to become a malware party, like the Google stores, by stopping to check extensions (great choice for security, right?). Spending less resources on that work was only a bonus for them. Unfortunately for them we aren’t yet at this point. But they’ll act as if we were already anyway to discourage users from doing anything that is not the Mozilla’s anti-user defaults.
Wasn’t the switch to Web Extensions supposed to make extensions safe? Are they safer with Web Extensions?
WebExtensions API is a specification standard for “protecting the browser’s core program”.
WebExtension API has nothing to do with “extension safety measures”.
In measures against cyber attacks and personal information protection, browser vulnerability countermeasures have become an issue:
Prevention of browser “core program” tampering,
Measures to prevent historical data leakage,
Measures against malware hidden in updates,
Measures against privacy policy violations,
etc.
Based on those perspectives, Mozilla decided to abolish the “XUL” API, which can be directly involved in the program, and switch to the “WebExtension” API, which cannot be involved in the core program.
Why Firefox Had to Kill Your Favorite Extension | How-To Geek(Justin Pot | November 18, 2017, 6:40am EDT )
https://www.howtogeek.com/333230/why-firefox-had-to-kill-your-favorite-extension/
What’s the WebExtensions API? | Browser Extensions – Mozilla | MDN |
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions
Firefox’s WebExtension API is separate from the Chromium’s WebExtension API and is not just a subset. Many Firefox-specific APIs have been established:
Browser support for JavaScript APIs – Mozilla | MDN |
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Browser_support_for_JavaScript_APIs
A Classic Extension Reborn: Tree Style Tab – Mozilla Hacks – the Web developer blog
Interview with an add-on developer (Piro) who rebuilt a very complex extension (Tree Style Tab) created on the legacy XUL platform for the new WebExtensions API
https://hacks.mozilla.org/2017/12/webextension-tree-style-tab/
Want more technical detail? Check out Piro’s post WebExtensions Migration Story of Tree Style Tab for his strategies, code snippets, and architectural diagrams of the XUL and WebExtensions platforms.
WebExtensions Migration Story of Tree Style Tab | Piro’s post
https://piro.sakura.ne.jp/latest/blosxom/mozilla/extension/treestyletab/2017-10-03_migration-we-en.htm
I would like to see from Mozilla that obfuscated add-ons would be automatically detected and blocked. There are still lots of them even though they violate Mozilla's policy.
They should change wording to “Reviewed automatically” or something like this.
It would appear that the warning only appears when using Firefox. On Waterfox there’s no yellow banner to be seen anywhere. https://imgbox.com/NEDpqzMr
The current Waterfox 56.2.14 is the legacy version “Firefox56” platform.(which brings Waterfox inline with security patches from ESR 60.9)
The current Firefox release 69.0
They don’t monitor one of their own extensions (Lightbeam)?
That’s ridiculous.
Firefox Lightbeam – Get this Extension for 🦊 Firefox (en-US)
https://addons.mozilla.org/en-US/firefox/addon/lightbeam/
I verify in Firefox 69.0, but “The yellow warnings” is not displayed.
There is also no “recommended” badge.
It is not an “unverified extension”, nor is it a “recommended product”. That’s it.
GitHub – mozilla/lightbeam-we: Web Extension version of the Firefox Lightbeam add-on |
https://github.com/mozilla/lightbeam-we
Issues · mozilla/lightbeam-we · GitHub |
https://github.com/mozilla/lightbeam-we/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aall
Sentence correction:
I verified it with Firefox 69.0, but “The yellow warnings” is not displayed even when [+ Add to Firefox] is executed.
Firefox Lightbeam – Get this Extension for 🦊 Firefox (en-US)
https://addons.mozilla.org/en-US/firefox/addon/lightbeam/
There is no “Recommended” badge on that page.
It is not an “unverified extension”, nor is it a “recommended product”. That’s it.
Helpful information:
GitHub – mozilla/lightbeam-we: Web Extension version of the Firefox Lightbeam add-on |
https://github.com/mozilla/lightbeam-we
Issues · mozilla/lightbeam-we · GitHub |
https://github.com/mozilla/lightbeam-we/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aall
Offtopic, Mozilla’s planning to disable DoH by default under specific circumstances — https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Martin, time for you to do another article on this,
A very good decision. Many people think that they can trust firefox extensions blindly, while it’s not the case from the moment they implemented the automatic review process.
This is really bad!
I’m author of several addons, one of them is Recommended, and the rest will now receive this ugly yellow warning???
Considering how much time I’m spending developing these and how little money I got from it, I have to ask myself, why am I even doing this?
@Juraj Mäsiar said on September 7, 2019 at 10:43 am
This is really bad!
I’m author of several addons, one of them is Recommended, and the rest will now receive this ugly yellow warning???
Considering how much time I’m spending developing these and how little money I got from it, I have to ask myself, why am I even doing this?
I am involved (collaborator) with a dozen of add-ons. Most of them have “recommended” badges.
However, every time you update an add-on, the “Recommended” badge has been revoked for a certain period (days to weeks).
Probably because every time it is updated, “examination of validity” such as “code re-examination and operation test” will be thorough.
In the past, there have been malicious incidents such as tricks to embed malicious code in the extension update data.
So it seems that this “re-inspection” procedure has been thoroughly implemented.
About “malicious incidents such as tricks”:
It is time to get rid of Stylish | gHacks Tech News
https://www.ghacks.net/2018/07/03/it-is-time-to-get-rid-of-stylish/
Stylus sees large user increase after Stylish removal | gHacks Tech News
https://www.ghacks.net/2018/07/09/stylus-sees-large-user-increase-after-stylish-removal/
A wave of malware add-ons hit the Mozilla Firefox Extensions Store | gHacks Tech News
https://www.ghacks.net/2019/05/29/another-malware-wave-hit-the-mozilla-firefox-extensions-store/
Reprinted the main part from the article:
Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla’s AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process.
Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome’s popularity and the fact that Google does not review any extensions manually by default play a role here.
While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a “manual reviewed” batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.
About “waves of spam extensions in 2017”:
Mozilla’s AMO Extensions store has a spam infestation problem | gHacks Tech News
https://www.ghacks.net/2017/12/13/mozillas-extensions-store-has-a-spam-infestation/
About “waves of spam extensions in 2018”:
Another wave of spam add-ons hits Mozilla Firefox AMO | gHacks Tech News
https://www.ghacks.net/2018/04/09/another-wave-of-spam-add-ons-hits-mozilla-firefox-amo/
About “Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years”:
Another Chrome extension horror story: coinhive and domain registration | gHacks Tech News
https://www.ghacks.net/2017/10/15/another-chrome-extension-horror-story-coinhive-and-domain-registration/
Google’s bad track record of malicious Chrome extensions continues | gHacks Tech News
https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/
Malicious Chrome extensions with Session Replay appear in Chrome Store | gHacks Tech News
https://www.ghacks.net/2018/02/05/malicious-chrome-extensions-with-session-replay-appear-in-chrome-store/
For fun?
Another way to think of it is a greater proportion of users may actually pay attention to who the author is, look into them, and conclude “this is a dude I can trust” as part of their decision to install your addon. Something to take a bit of pride in, perhaps more so than having a larger userbase but with fewer of them giving a damn about the person who created the addon.
Maybe there’s also a subtle distinction to be made between Martin’s description of extensions with these warnings as “not recommended”, and Mozilla referring to them as “non-Recommended”. In general parlance, the specific expression “not recommended” tends to imply disapproval, whereas Mozilla’s wording is being careful not to.
A good thing insofar as it belatedly acknowledges reality. The absence of something like this and the marketing around things like extension signing lulled users into reasonably assuming that by staying within the walled garden, Mozilla had their backs and installing AMO extensions was basically risk-free, when the truth was otherwise. This finally says so.
That User-Agent Switcher extension in the article breaks some pages. I haven’t found one yet that’s completely compatible with adblockers.
@Anonymous,
Depends on the adblocker you’re using I suppose, but I installed it yesterday after reading Jack Wallen’s original review of it back in 2009: https://www.ghacks.net/2009/04/10/extend-firefoxs-user-agent-switcher/
The Windows/Chrome string seems to work best for me. The adblocker I use is uBlock Origin.
There is a history of troubles caused by Poor quality add-ons (function failure, memory leaks, Spyware contamination, abandoned support, etc.) that compromise the reliability of Firefox and Thunderbird.
Even now, such complaints and consultations are posted on the support forum.
Because of this situation, Mozilla seems to have decided that it should specify “Unvalidated extensions”.
There will be various objections, but as a way of avoiding trouble caused by add-ons, there have a valid point.
(In contrast, legitimate ones are clearly indicated as “recommended”)
This badge grant is not popular with power users, but it is “well received by the general user class (Beginners who are overwhelming majority)” in the community forum.
All add-ons are subject to “Add-on Policies”, regardless of how they are distributed. When an add-on is given human review or otherwise assessed by Mozilla, these policies act as guiding principles for those reviews. Add-ons that do not comply with these policies may be rejected or disabled by Mozilla. Therefore, follow these policies when making add-on design and development decisions.
Add-on Policies – Mozilla | MDN |
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews
Review Policy for Thunderbird Add-ons:
thundernest/atn-review-policy · GitHub |
https://github.com/thundernest/atn-review-policy/blob/master/README.md#reasons-your-add-on-might-be-rejected
Postscript:
Add-ons/Reviewers/Guide/Reviewing – MozillaWiki |
https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing
Technical Review:
Introduction
Add-on reviewers help ensure add-ons are safe to use, reliable and clearly presented to users. We also provide quick, clear, and actionable feedback to developers if issues are found with their add-ons.
All decisions should be based on the official Review Policy, please make sure you have read and understood the policy. If you have any questions or need clarifications, the admin team is happy to help. There are no dumb questions when it comes to the review policies!
The add-on review process consists of the following phases:
1. Automatic Review: When an add-on is uploaded, it undergoes a number of automatic validation steps for the general safety of the add-on.
2. Content Review: Within a fairly short time after submission, add-ons are inspected by a human to ensure that the listing adheres to content review guidelines. This includes metadata such as the add-on name and description.
3. Technical Code Review: The source code of the add-on is inspected to ensure it is in compliance with our review policies.
4. Basic Functionality Testing: Once the source code is verified safe, the add-on must be given a basic test in functionality to ensure that it acts as described.
@owl: how do you know it is well received by the “the general beginner user class”??
in the community forum:
MozillaZine.jp | https://forums.mozillazine.jp/
https://forums.mozillazine.jp/index.php
freesoft-100 | https://freesoft-100.com/
Who can trust Mozilla or any other browser?
I like what Mozilla are doing and you can check your extensions installed and you should see an icon trophy symbol which when hovered over will say recommended.
When you use a stick to prop a house together, you realise it’s not a house but merely a tent.
“We can’t say this extension is bad” is about useless.
“We can’t say it isn’t good” is just as weird.
Not sure I’ve found a recommended extension I’d use so far. Not that they are bad, Mozilla does say they’re good, they either don’t interest me or I already have something similar that isn’t recommended but usage has shown to be good.
Trying to understand the Add On repository is similar to reading this post: painful!
Scaremongering in favor of advertised extensions, how google of them.
@Alan: I love your comment :-))) +1
Mozilla clearly have gone mad.
Seems like a bad idea, and more of a ‘cover our ass’ action.
Really bad that they don’t explain in detail how to verify an extension yourself.
So how long before you’ll only be allowed to install recommended extensions? I mean, that was the point of all the stuff about requiring extensions to be signed and only installed from Mozilla’s website and all that, right? Security? And if they can’t guarantee security from the unrecommended extensions and we know Mozilla does not trust users to handle their own security, they’d rather take away features than let users be responsible for their own security… so it only makes sense. Only allow recommended extensions to keep everyone secure!
(slightly cynical, moi?!)
You’re absolutely right. The attitude Mozilla has is commonly referred to as “catering to the lowest common denominator.” Google uses it all the time to push changes that support their hidden agendas.
Seems as if all AMO extensions which aren’t “recommended” appear to be labeled as not monitored with the message explained in the article.
Personally I hide both messages, nonsense in my view. I remember AMO recommending an unhealthy add-on (forgot which one, Ghacks had an article about it) and I wouldn’t consider non-monitored extensions more risky than recommended ones from there on.
My feeling is that Mozilla doesn’t have the time to seriously check all extensions so it’ll check some, if ok label them ‘recommended’ and all the others will be labelled ‘not monitored’.
In other words a complete absurdity, except for Mozilla which gets relieved of its responsibilities.
It would have been much better if Mozilla added a blurb to their “recommended extensions” explaining that they have undergone extra scrutiny than to plaster a warning on any extension that isn’t “recommended”.
Plastering the warning on every extension is bad in two ways:
1) It trains users to ignore warnings
2) It misleadingly implies that the extensions are dangerous.
Extensions are dangerous – most of the APIs can be used for nefarious purposes.
It doesn’t train users to ignore the warning, since it’s a legitimate warning and for some extensions you might actually reconsider if you actually need it.
@Valentin:
I disagree that it’s a legitimate warning, really. It’s “warning” that the extension was not put through additional screening, but a warning should be for when there is a reason to suspect that there’s something wrong with the extension — which is not what this warning does.
It trains people to ignore warnings because this will be applied to the vast majority of extensions in the store, guaranteeing that people will install them regardless of the warning. This overtly trains people to disregard the warning.
Warnings only really work when they are the exception, not the rule.