Mozilla reveals Firefox add-on lockdown

[A Guy]

Mozilla yesterday detailed plans to require Firefox add-ons to be digitally signed, a move meant to bear down on rogue and malicious extensions, and one that resembled Google's decision years ago to secure Chrome's add-on ecosystem.

Some Firefox users called out Mozilla for disregarding its own long-and-often-expressed ethos of the need for an open Internet.

Source

A Guy

 

[lehnerus2000]

D'oh!

Are they deliberately trying to lose market share by antagonising what's left of the user base?


At this rate I'll have to give up surfing the Internet entirely, since all of the main browsers seem to be junk nowadays.

 

[Tookeri]

Some notes from Mozilla to require add-ons to be signed in the future - gHacks Tech News

Developer and Nightly versions of Firefox are not affected by this, these versions will support unsigned extensions just like before.

Members of the Seamonkey and Pale Moon development team mentioned that they won't implement the feature.

So luckily there are "workarounds" for those who need it

 

[andrew129260]

Are they deliberately trying to lose market share by antagonising what's left of the user base?


At this rate I'll have to give up surfing the Internet entirely, since all of the main browsers seem to be junk nowadays.

Yes, because it is better to have anyone create a addon with malicious intent? Mozilla should have done this years ago.

"We're responsible for our add-ons ecosystem and we can't sit idle as our users suffer due to bad add-ons" Jorge Villalobos imho is completely right.

Add-ons have gotten out of hand, said Mozilla's Villalobos and the rules must be tightened. "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites,"

100% agree with this decision, as I see it first hand every day in my research. I actually think internet explorer right now is safer than firefox.

There are still options like pale moon.

 

[lehnerus2000]

Yes, because it is better to have anyone create a addon with malicious intent? Mozilla should have done this years ago.

What are these malicious add-ons?
Who is installing add-ons that haven't been located via the FF add-ons site?
Is Mozilla hosting them on the FF add-ons site?
Why not have a malicious add-ons list (just like the malicious site list)?

100% agree with this decision, as I see it first hand every day in my research. I actually think internet explorer right now is safer than firefox.

People have been saying that for years.

If you don't run Ad, Flash & Script blockers, it's probably true.

There are still options like pale moon.

I run Pale Moon on W7.
I regularly experience strange lockups lasting 5s to 10s.

Maybe it's a Windows issue.
I run Firefox on Linux Mint and it doesn't exhibit this phenomena.

I've said it before, all the main browsers need to be totally rebuilt.

Maybe MS' Spartan will be "our saviour".
I'm not holding my breath.

 

[Tookeri]

I remember Callender recently recommended an FF add-on not hosted on Mozilla. And that site has a FAQ that actually answers why it's not published there:

Why aren't the Dephormation and Secret Agent add ons published on Addons.mozilla.org?
Several reasons.

I don't subcribe to the view that there can only be one marketplace for computer software. Regardless of the source of your software, you need to make a careful and critical case-by-case assessment of the software products you install on your computer, and the software developers who create them. AMO does not guarantee that hosted add ons are safe to use, or free from spyware. I don't need (or trust) a US company to host my software for me.

Secondly, I don't want to allow Mozilla to learn who has installed my software. It is none of their business! So my add ons are also configured to prevent the browser reporting their presence back to Mozilla. (Did you know, Firefox periodically reports a list of your installed add ons to AMO?).

Finally, I'm not seeking a mass audience for these add ons. They are not aimed at novice internet users.

I'm in good company; other add ons which you won't find on AMO include HTTPS Everywhere (from EFF) and the HTTPS Finder.

https://www.dephormation.org.uk/index.php?page=14

 

[lehnerus2000]

I remember Callender recently recommended an FF add-on not hosted on Mozilla.

OK.

It seems like it is an add-on that most users wouldn't be installing though.

 

[OvenMaster]

Ah, someone will come up with an add-on that will bypass the need for signed add-ons. Gotta love open source!

 

[Layback Bear]

One must remember in my opinion that Open Source is just that. It's open to the good guys and the bad guys. So as always one must be careful. There lies the problem.
Security is not even on the menu of computer needs to most users.

 

[spencer1]

Since the Developer Edition will continue to support unsigned addons, I decided to install it. I then restored my regular Firefox profile into it, and now the browser looks, feels and runs like my old Firefox. Does anyone else use Developer Edition? Any tips and/or warnings? Hopefully this will be an effective workaround if I need it.

 

[Callender]

FF Add ons

I remember Callender recently recommended an FF add-on not hosted on Mozilla.

OK.

It seems like it is an add-on that most users wouldn't be installing though.

Well not recommended exactly - more like suggested reading material. I do use that add on myself and it's not on any Mozilla blocklist. Currently it's possible to disable add on security checks by creating this preference but it's not recommended if that's the only way to install the required add on.



VirusTotal scan for add on .xpi

 

[groze]

What are these malicious add-ons?
Who is installing add-ons that haven't been located via the FF add-ons site?

lehnerus2000,
I have came across malicious add-ons website that try to auto install in firefox. That was just looking up medical stuff. I have installed plugins outside of Mozilla add-onsite in the past. I just use a few now.

My question how will that add-on restriction work with other builds? Cyberfox, Palemoon, Waterfox, etc..

 

[matts6887]

IMO I think thats not such a wise idea for Mozilla to do that because it will take away from developers being able to freely design add ons and extensions for firefox. And indeed why would they want to "alienate" the current user base of firefox users.

 

[lehnerus2000]

What are these malicious add-ons?
Who is installing add-ons that haven't been located via the FF add-ons site?

lehnerus2000,
I have came across malicious add-ons website that try to auto install in firefox. That was just looking up medical stuff. I have installed plugins outside of Mozilla add-onsite in the past. I just use a few now.

Interesting.
I've never experienced that.

I think that I may have once downloaded an xpi file to use in FF.
This was before I started using W7 (i.e. pre-2009).

I should have been more specific though.
I meant, "how many ordinary users (not enthusiasts) are going to look anywhere other than the Mozilla site?"

 

[andrew129260]

IMHO, ordinary users don't even know what extensions or addons are.

 

[Callender]

Addons?

IMHO, ordinary users don't even know what extensions or addons are.

​

Here's one as an example.

 

[andrew129260]

Cute