Firefox Add-ons Warning: This extension isn't monitored by Mozilla

Martin Brinkmann
Sep 6, 2019
Updated • Dec 31, 2019
Firefox
|
41

Firefox users who open the official Firefox Add-ons repository may notice a new warning message displayed on most extension pages.

The warning reads: "This extension isn't monitored by Mozilla. Make sure you trust the extension before you install it". A read more link points to a support page that explains the concept behind the Recommended Extensions program.

mozilla firefox this extension isnt monitored

Update: Firefox users may also get "This is not a Recommended Extension. Make sure you trust it before installing." End

firefox this is not a recommended extension

The warnings were not displayed before on Mozilla AMO, the name of the add-ons repository, and you may wonder why the warnings are displayed right now.

Mozilla announced the launch of the Recommended Extensions Program for Firefox in early 2019. The main idea behind the program was to create a list of featured extensions that Mozilla would promote in various ways including in Firefox itself but also on Mozilla AMO.

Extensions and their developers had to meet a number of criteria including that extensions needed to be safe and relevant, that the developer was committed to the extension, and that they needed to be "really good" at what they offered.

Due to the curated nature of Recommended extensions, each extension undergoes a thorough technical security review to ensure it adheres to Mozilla’s add-on policies.

Additionally, extensions would would be carefully monitored by Mozilla. Unlike the rest of the extensions, Mozilla would analyze the code of each of the extensions and of any update before allowing it to become available to users of the browser. The process is not all that different from the process that Mozilla used several years ago sans the promotional effects. The organization used to verify each extension before as well but switched to an automated system since then with manual checks after extension availability.

Recommended Extensions have a higher level of trust associated with them because of the extra vetting.

The yellow warnings are displayed for any extension on the Firefox Add-ons website that is not recommended by Mozilla. While it may make sense on first glance to inform users that an extension is not monitored, it seems likely that at least some users will be put off by the warning.

firefox warning

Extension installations may suffer because of that and it is likely that extension developers are not happy because of that. The warning is displayed on pages of very popular long-standing Firefox extensions such as Tampermonkey, User-Agent Switcher, Adblock Plus (the extension with the most installs by far), or Avast Online Security. Even some of Mozilla's own extensions, e.g. Easy Screenshot by Mozilla Online, Firefox Lightbeam, or Notes by Firefox, are listed with the warning.

Firefox Multi-Account Containers is not recommended but one of the few exceptions to the rule as the warning is not displayed for that extension.

Closing Words

Mozilla is right when it states that a particular extension is not monitored by the organization. That's not really the fault of the extension developer on the other hand. Then there is the question of finding out if an extension is trustworthy. Mozilla provides no guidance or information on that, and most Firefox users can't analyze the code of extensions to verify that the extension is trustworthy. And even if they could, the analysis would not include any of the updates that may be pushed out by the developer.

Now You: what is your take on the warning?

Summary
Firefox Add-ons Warning: This extension isn't monitored by Mozilla
Article Name
Firefox Add-ons Warning: This extension isn't monitored by Mozilla
Description
Firefox users who open the official Firefox Add-ons repository may notice a new warning message displayed on most extension pages.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Romulo Severus Extremis said on November 14, 2019 at 8:51 pm
    Reply

    A no ser que sea una extensión que se sepa segura, por ejemplo uBlock origin, no suelo hacer clic directamente en el botón de descarga, en la medida de lo posible siempre trato de descargar el archivo .xpi (clic derecho en el botón descarga y “guardar como”) y después analizo con VirusTotal.

  2. Matt J. said on September 18, 2019 at 6:43 pm
    Reply

    There is a reason that Firefox became a borderline irrelevant browser. It all comes down to utility. Firefox has some extensions but not all. Mozilla has tormented developers for years with constantly changing rules and for a long time horrendous wait times for extensions to be approved. Chrome had a much more open policy and as a result everyone developed for them, as a result, users flocked to Chrome, more developers, more utility, etc…

    I know of a browser extension that has 1.5 million users on Chrome and they decided it wasn’t worth the hassle of continuing to develop for Firefox and pulled their extension off of Firefox (this is a for profit company with venture funding so they have the resources to continue to develop multiple browsers). I know of another popular add-on that has 600k users on Firefox and it is not recommended, but yet Firefox has all sorts of trivial “recommended” add-ons with under 10k users. Mozilla is a joke because they run the organization with an agenda that doesn’t align with user utility. Pretty sad for a browser that pioneered the add-on marketplace.

  3. Anonymous said on September 8, 2019 at 3:24 pm
    Reply

    This is another step in their roadmap to kill user control over Firefox, here through extensions, by castrating them, disabling them, or scaring users away from installing them. Not because of security, performance, or lack of resources, not either for the benefit of the majority, as the gullible who still trust Mozilla’s words believe it, but, exactly like with Chrome, so that users become more defenseless against companies (browser vendor, built-in disservice providers, web sites, trackers, advertisers…), including the majority of users.

    With this objective it mind, it was logical to create the conditions for their store to become a malware party, like the Google stores, by stopping to check extensions (great choice for security, right ?). Spending less resources on that work was only a bonus for them. Unfortunately for them we aren’t yet at this point. But they’ll act as if we were already anyway to discourage users from doing anything that is not the Mozilla’s anti-user defaults.

  4. Anonymous said on September 8, 2019 at 7:08 am
    Reply

    Wasn’t the switch to Web Extensions suppose to make extensions safe? Are they safer with Web Extensions?

    1. owl said on September 8, 2019 at 9:23 am
      Reply

      WebExtensions API is a specification standard for “protecting the browser’s core program”.
      WebExtension API has nothing to do with “extension safety measures”.

      In measures against cyber attacks and personal information protection, browser vulnerability countermeasures have become an issue:
      Prevention of browser “core program” tampering,
      Measures to prevent historical data leakage,
      Measures against malware hidden in updates,
      Measures against privacy policy violations,
      etc.
      Based on those perspectives, Mozilla decided to abolish the “XUL” API, which can be directly involved in the program, and switch to the “WebExtension” API, which cannot be involved in the core program.

      Why Firefox Had to Kill Your Favorite Extension | How-To Geek(Justin Pot | November 18, 2017, 6:40am EDT )
      https://www.howtogeek.com/333230/why-firefox-had-to-kill-your-favorite-extension/

      What’s the WebExtensions API? | Browser Extensions – Mozilla | MDN |
      https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions

      Firefox’s WebExtension API is separate from the Chromium’s WebExtension API and is not just a subset. Many Firefox-specific APIs have been established:
      Browser support for JavaScript APIs – Mozilla | MDN |
      https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Browser_support_for_JavaScript_APIs

      A Classic Extension Reborn: Tree Style Tab – Mozilla Hacks – the Web developer blog
      Interview with an add-on developer (Piro) who rebuilt a very complex extension (Tree Style Tab) created on the legacy XUL platform for the new WebExtensions API
      https://hacks.mozilla.org/2017/12/webextension-tree-style-tab/

      1. owl said on September 8, 2019 at 11:43 pm
        Reply

        Want more technical detail? Check out Piro’s post WebExtensions Migration Story of Tree Style Tab for his strategies, code snippets, and architectural diagrams of the XUL and WebExtensions platforms.
        WebExtensions Migration Story of Tree Style Tab | Piro’s post
        https://piro.sakura.ne.jp/latest/blosxom/mozilla/extension/treestyletab/2017-10-03_migration-we-en.htm

  5. Oki said on September 7, 2019 at 10:28 pm
    Reply

    I would like to see from mozilla that obfuscated add-ons would be automatically detected and blocked. There are still lots of them despite they violate mozillas policy.

  6. Anonymous said on September 7, 2019 at 9:43 pm
    Reply

    They should change wording to “Reviewed automatically” or something like this.

  7. TelV said on September 7, 2019 at 3:15 pm
    Reply

    It would appear that the warning only appears when using Firefox. On Waterfox there’s no yellow banner to be seen anywhere. https://imgbox.com/NEDpqzMr

    1. owl said on September 8, 2019 at 12:05 am
      Reply

      The current Waterfox 56.2.14 is the legacy version “Firefox56” platform.(which brings Waterfox inline with security patches from ESR 60.9)
      The current Firefox release 69.0

  8. PD said on September 7, 2019 at 12:25 pm
    Reply

    They don’t monitor one of their own extensions (Lightbeam)?

    That’s ridiculous.

    1. owl said on September 8, 2019 at 4:36 am
      Reply

      Firefox Lightbeam – Get this Extension for 🦊 Firefox (en-US)
      https://addons.mozilla.org/en-US/firefox/addon/lightbeam/
      I verify in Firefox 69.0, but “The yellow warnings” is not displayed.
      There is also no “recommended” badge.
      It is not an “unverified extension”, nor is it a “recommended product”. That’s it.
      GitHub – mozilla/lightbeam-we: Web Extension version of the Firefox Lightbeam add-on |
      https://github.com/mozilla/lightbeam-we
      Issues · mozilla/lightbeam-we · GitHub |
      https://github.com/mozilla/lightbeam-we/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aall

      1. owl said on September 8, 2019 at 4:47 am
        Reply

        Sentence correction:
        I verified it with Firefox 69.0, but “The yellow warnings” is not displayed even when [+ Add to Firefox] is executed.
        Firefox Lightbeam – Get this Extension for 🦊 Firefox (en-US)
        https://addons.mozilla.org/en-US/firefox/addon/lightbeam/
        There is no “Recommended” badge on that page.
        It is not an “unverified extension”, nor is it a “recommended product”. That’s it.

        Helpful information:
        GitHub – mozilla/lightbeam-we: Web Extension version of the Firefox Lightbeam add-on |
        https://github.com/mozilla/lightbeam-we
        Issues · mozilla/lightbeam-we · GitHub |
        https://github.com/mozilla/lightbeam-we/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aall

  9. Tarmin said on September 7, 2019 at 12:21 pm
    Reply

    Offtopic, Mozilla’s planning to disable DoH by default under specific circumstances — https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

    Martin, time for you to do another article on this,

  10. firefoxer said on September 7, 2019 at 11:49 am
    Reply

    A very good decision. Many people think that they can trust firefox extensions blindly, while it’s not the case from the moment they implemented the automatic review process.

  11. Juraj Mäsiar said on September 7, 2019 at 10:43 am
    Reply

    This is really bad!
    I’m author of several addons, one of them is Recommended, and the rest will now receive this ugly yellow warning???

    Considering how much time I’m spending developing these and how little money I got from it, I have to ask myself, why am I even doing this?

    1. owl said on September 10, 2019 at 1:22 am
      Reply

      @Juraj Mäsiar said on September 7, 2019 at 10:43 am
      This is really bad!
      I’m author of several addons, one of them is Recommended, and the rest will now receive this ugly yellow warning???
      Considering how much time I’m spending developing these and how little money I got from it, I have to ask myself, why am I even doing this?

      I am involved (collaborator) with a dozen of add-ons. Most of them have “recommended” badges.
      However, every time you update an add-on, the “Recommended” badge has been revoked for a certain period (days to weeks).
      Probably because every time it is updated, “examination of validity” such as “code re-examination and operation test” will be thorough.
      In the past, there have been malicious incidents such as tricks to embed malicious code in the extension update data.
      So it seems that this “re-inspection” procedure has been thoroughly implemented.

      About “malicious incidents such as tricks”:
      It is time to get rid of Stylish | gHacks Tech News
      https://www.ghacks.net/2018/07/03/it-is-time-to-get-rid-of-stylish/
      Stylus sees large user increase after Stylish removal | gHacks Tech News
      https://www.ghacks.net/2018/07/09/stylus-sees-large-user-increase-after-stylish-removal/

      A wave of malware add-ons hit the Mozilla Firefox Extensions Store | gHacks Tech News
      https://www.ghacks.net/2019/05/29/another-malware-wave-hit-the-mozilla-firefox-extensions-store/
      Reprinted the main part from the article:
      Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla’s AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process.
      Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome’s popularity and the fact that Google does not review any extensions manually by default play a role here.
      While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a “manual reviewed” batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.

      About “waves of spam extensions in 2017”:
      Mozilla’s AMO Extensions store has a spam infestation problem | gHacks Tech News
      https://www.ghacks.net/2017/12/13/mozillas-extensions-store-has-a-spam-infestation/

      About “waves of spam extensions in 2018”:
      Another wave of spam add-ons hits Mozilla Firefox AMO | gHacks Tech News
      https://www.ghacks.net/2018/04/09/another-wave-of-spam-add-ons-hits-mozilla-firefox-amo/

      About “Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years”:
      Another Chrome extension horror story: coinhive and domain registration | gHacks Tech News
      https://www.ghacks.net/2017/10/15/another-chrome-extension-horror-story-coinhive-and-domain-registration/
      Google’s bad track record of malicious Chrome extensions continues | gHacks Tech News
      https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/
      Malicious Chrome extensions with Session Replay appear in Chrome Store | gHacks Tech News
      https://www.ghacks.net/2018/02/05/malicious-chrome-extensions-with-session-replay-appear-in-chrome-store/

    2. Anonymous said on September 7, 2019 at 12:28 pm
      Reply

      For fun?

    3. syrup said on September 7, 2019 at 12:13 pm
      Reply

      Another way to think of it is a greater proportion of users may actually pay attention to who the author is, look into them, and conclude “this is a dude I can trust” as part of their decision to install your addon. Something to take a bit of pride in, perhaps more so than having a larger userbase but with fewer of them giving a damn about the person who created the addon.

      Maybe there’s also a subtle distinction to be made between Martin’s description of extensions with these warnings as “not recommended”, and Mozilla referring to them as “non-Recommended”. In general parlance, the specific expression “not recommended” tends to imply disapproval, whereas Mozilla’s wording is being careful not to.

  12. syrup said on September 7, 2019 at 7:07 am
    Reply

    A good thing insofar as it belatedly acknowledges reality. The absence of something like this and the marketing around things like extension signing lulled users into reasonably assuming that by staying within the walled garden, Mozilla had their backs and installing AMO extensions was basically risk-free, when the truth was otherwise. This finally says so.

  13. Anonymous said on September 7, 2019 at 4:53 am
    Reply

    That User-Agent Switcher extension in the article breaks some pages. I haven’t found one yet that’s completely compatible with adblockers.

    1. TelV said on September 7, 2019 at 3:29 pm
      Reply

      @Anonymous,

      Depends on the adblocker you’re using I suppose, but I installed it yesterday after reading Jack Wallen’s original review of it back in 2009: https://www.ghacks.net/2009/04/10/extend-firefoxs-user-agent-switcher/

      The Windows/Chrome string seems to works best for me. The adblocker I use is uBlock Origin.

  14. owl said on September 7, 2019 at 4:17 am
    Reply

    There is a history of troubles caused by Poor quality add-ons (function failure, memory leaks, Spyware contamination, abandoned support, etc.) that compromise the reliability of Firefox and Thunderbird.
    Even now, such complaints and consultations are posted on the support forum.
    Because of this situation, Mozilla seems to have decided that it should specify “Unvalidated extensions”.

    There will be various objections, but as a way of avoiding trouble caused by add-ons, there have a valid point.
    (In contrast, legitimate ones are clearly indicated as “recommended”)

    This badge grant is not popular with power users, but it is “well received by the general user class (Beginners who are overwhelming majority)” in the community forum.

    All add-ons are subject to “Add-on Policies”, regardless of how they are distributed. When an add-on is given human review or otherwise assessed by Mozilla, these policies act as guiding principles for those reviews. Add-ons that do not comply with these policies may be rejected or disabled by Mozilla. Therefore, follow these policies when making add-on design and development decisions.
    Add-on Policies – Mozilla | MDN |
    https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews
    Review Policy for Thunderbird Add-ons:
    thundernest/atn-review-policy · GitHub |
    https://github.com/thundernest/atn-review-policy/blob/master/README.md#reasons-your-add-on-might-be-rejected

    1. owl said on September 7, 2019 at 4:39 am
      Reply

      Postscript:
      Add-ons/Reviewers/Guide/Reviewing – MozillaWiki |
      https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing
      Technical Review:
      Introduction
      Add-on reviewers help ensure add-ons are safe to use, reliable and clearly presented to users. We also provide quick, clear, and actionable feedback to developers if issues are found with their add-ons.
      All decisions should be based on the official Review Policy, please make sure you have read and understood the policy. If you have any questions or need clarifications, the admin team is happy to help. There are no dumb questions when it comes to the review policies!
      The add-on review process consists of the following phases:
      1. Automatic Review: When an add-on is uploaded, it undergoes a number of automatic validation steps for the general safety of the add-on.
      2. Content Review: Within a fairly short time after submission, add-ons are inspected by a human to ensure that the listing adheres to content review guidelines. This includes metadata such as the add-on name and description.
      3. Technical Code Review: The source code of the add-on is inspected to ensure it is in compliance with our review policies.
      4. Basic Functionality Testing: Once the source code is verified safe, the add-on must be given a basic test in functionality to ensure that it acts as described.

  15. owl said on September 7, 2019 at 3:14 am
    Reply

    There is a history of troubles caused by Poor quality add-ons (function failure, memory leaks, Spyware contamination, abandoned support, etc.) that compromise the reliability of Firefox and Thunderbird.
    Even now, such complaints and consultations are posted on the support forum.
    Because of this situation, Mozilla seems to have decided that it should specify “Unvalidated extensions”.

    There will be various objections, but as a way of avoiding trouble caused by add-ons, there have a valid point.
    (In contrast, legitimate ones are clearly indicated as “recommended”)

    This badge grant is not popular with power users, but it is “well received by the general user class (Beginners who are overwhelming majority)” in the community forum.

    1. Klaas Vaak said on September 7, 2019 at 9:38 am
      Reply

      @owl: how do you know it is well received by the “the general beginner user class”??

      1. owl said on September 7, 2019 at 11:47 pm
        Reply
  16. Steve said on September 7, 2019 at 2:07 am
    Reply

    Who can trust Mozilla or any other browser?

  17. shawross said on September 7, 2019 at 1:39 am
    Reply

    I like what Mozilla are doing and you can check your extensions installed and you should see a icon trophy symbol which when hovered over will say recommended.

  18. Anonymous said on September 6, 2019 at 9:20 pm
    Reply

    When you use a stick to prop a house together, you realise it’s not a house but merely a tent.

  19. ULBoom said on September 6, 2019 at 8:46 pm
    Reply

    “We can’t say this extension is bad” is about useless.
    “We can’t say it isn’t good” is just as weird.

    Not sure I’ve found a recommended extension I’d use so far. Not that they are bad, Mozilla does say they’re good, they either don’t interest me or I already have something similar that isn’t recommended but usage has shown to be good.

    Trying to understand the Add On repository is similar to reading this post: painful!

  20. Alan said on September 6, 2019 at 8:17 pm
    Reply

    Scaremongering in favor of advertised extensions, how google of them.

    1. Klaas Vaak said on September 7, 2019 at 9:35 am
      Reply

      @Alan: I love your comment :-))) +1

  21. ShintoPlasm said on September 6, 2019 at 8:01 pm
    Reply

    Mozilla clearly have gone mad.

  22. Stanley said on September 6, 2019 at 7:48 pm
    Reply

    Seems like a bad idea, and more of a ‘cover our ass’ action.

    Really bad that they don’t explain in detail how to verify an extension yourself.

  23. SocialMediaGrandpa said on September 6, 2019 at 7:28 pm
    Reply

    So how long before you’ll only be allowed to install recommended extensions? I mean, that was the point of all the stuff about requiring extensions to be signed and only installed from Mozilla’s website and all that, right? Security? And if they can’t guarantee security from the unrecommended extensions and we know Mozilla does not trust users to handle their own security, they’d rather take away features than let users be responsible for their own security… so it only makes sense. Only allow recommended extensions to keep everyone secure!
    (slightly cynical, moi?!)

    1. John C. said on September 7, 2019 at 10:42 am
      Reply

      You’re absolutely right. The attitude Mozilla has is commonly referred to as “catering to the lowest common denominator.” Google uses it all the time to push changes that support their hidden agendas.

  24. Tom Hawack said on September 6, 2019 at 7:23 pm
    Reply

    Seems as if all AMO extensions which aren’t “recommended” appear to labeled as not monitored with the message explained in the article.

    Personally I hide both messages, nonsense in my view. I remember AMO recommending an unhealthy add-on (forgot which one, Ghacks had an article about it) and I wouldn’t consider non-monitored extensions more risky than recommended ones from there on.

    My feeling is that Mozilla doesn’t have the time to seriously check all extensions so it’ll check some, if ok label them ‘recommended’ and all the others will be labelled ‘not monitored’.

    In other worlds a complete absurdity, except for Mozilla which gets relieved of its responsibilities.

  25. John Fenderson said on September 6, 2019 at 6:55 pm
    Reply

    It would have been much better if Mozilla added a blurb to their “recommended extensions” explaining that they have undergone extra scrutiny than to plaster a warning on any extension that isn’t “recommended”.

    Plastering the warning on every extension is bad in two ways:

    1) It trains users to ignore warnings
    2) It misleadingly implies that the extensions are dangerous.

    1. Valentin said on September 7, 2019 at 2:49 pm
      Reply

      Extensions are dangerous – most of the APIs can be used for nefarious purposes.
      It doesn’t train users to ignore the warning, since it’s a legitimate warning and for some extensions you might actually reconsider if you actually need it.

      1. John Fenderson said on September 9, 2019 at 4:56 pm
        Reply

        @Valentin:

        I disagree that it’s a legitimate warning, really. It’s “warning” that the extension was not put through additional screening, but a warning should be for when there is a reason to suspect that there’s something wrong with the extension — which is not what this warning does.

        It trains people to ignore warnings because this will be applied to the vast majority of extensions in the store, guaranteeing that people will install them regardless of the warning. This overtly train people to disregard the warning.

        Warnings only really work when they are the exception, not the rule.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.