Mozilla is the latest vendor, if you will excuse me not referring to it as a foundation or a community, to announce a walled garden for its software ecosystem.
In the second half of 2015, it says, Firefox will require all browser extensions to be digitally signed.
The purpose should be obvious: to make it harder for surreptitious, devious or plain malevolent add-ons to make their way into your browser unnoticed.
Extensions can adapt the behaviour of Firefox significantly, from rewriting links and content, through keeping tabs on where you browse, to reading and using your data.
As a result, malicious extensions can be as bad for your digital health as a full-blown malware infection at the operating system level.
How it will work
Mozilla will be the signer-in-chief, and that, apparently, will be that.
If you publish your extension via Mozilla’s equivalent of the App Store, known as AMO, or addons.mozilla.org, the company will automatically vet it, sign it, and make it available for download.
That’ll be a bit like Google’s Bouncer, the automatic process that decides if your Android app is safe for inclusion on Google Play.
The good side of an automatically-scan-approve-and-sign process is that it’s simple and fast.
That makes it vaguely more egalitarian than a complex and bureaucratic mechanism that tends to favour bigger, more established software makers, who themselves have the staff and bureaucracy to match.
The bad side is that automatic systems for software approval are designed as much to help online software markets grow really quickly as they are to keep the crooks out.
So they don’t always do a very good job of security, and if completely automatic approval systems do let malware or dodgy programs through, they give a powerful but completely false sense of safety that plays straight into the hands of the crooks.
Going off market
Like Google on Android, but unlike Apple on iOS, Mozilla will continue to allow its users to shop “off market,” so you won’t be forced to publish your extensions via AMO.
Unlike on Android, however, this won’t require users to invoke an “allow unsigned extensions” option.
In fact, Mozilla says that there will be no way, neither via command line nor through configuration options, to suppress signature checking.
Instead, all extensions will have to be signed, even “off-market” ones, so instead of devolving the responsibility for off-market content onto the user, Mozilla is going to require developers to make the effort.
→ Apparently, there will be a special sort of exception for in-house extensions, to appease Mozilla’s corporate users. How this will work, and how it will be locked down to prevent malware abusing it as a backdoor, is not yet clear. Presumably you’ll be able to instruct your company browsers to accept extensions signed with a company certificate.
What isn’t clear is how developers will test their extensions under the current Release version before submitting them for approval.
Mozilla says:
Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions.
This, of course, raises the question, “Will the unbranded or the Developer builds be sufficiently similar to the Release versions out in the real world that developers can stand by their testing results?”
It also makes you wonder, “How many users, including businesses, will simply switch to the unbranded versions themselves and be done with this code signing hassle?”
The community strikes back
Security and reliability concerns, however, don’t seem to be what’s worrying some of the more vocal members of the Mozilla community, who have already hit back with comments like this emotive piece:
Please don't do this.
It is taking freedom away from your users, and freedom away from add-on developers.
You are handing a powerful tool to governments & corporations that will suppress add-ons they don’t like, by compelling you not to sign.
Mozilla as a platform for freedom & creative software development will be torn to shreds by this.
Please stop.
We don’t want this, so you can send it back to your boss that we said to shove it.
Mozilla has certainly set the cat amongst its own community’s pigeons.
At this stage, it’s not even clear if the organisation is going to be able to please some of the people some of the time.
At least it’s open source. If the pile of bad ideas gets high enough there will be a fork and the court of public opinion will choose which version they like the best (or how many versions they’re prepared to support.)
Why doesn’t Firefox just warn people when they’re installing unsigned browser extensions… what’s the problem?
It’s just ridiculous to completely disable the ability to install browser extensions that aren’t signed in normal Firefox releases.
I’m so pissed off right now!
This policy and mindset made me switch from Google Chrome to Mozilla Firefox. Now Mozilla does the same stupid thing. Why?
Now my only options left are still in development:
– Project Spartan aka IE with extensions (while hoping that MS doesn’t do the same thing)
– Vivaldi
Thank you, Google, who promised us not to be evil, and Mozilla, who tells us to “Choose Independent. Choose Firefox.”, for nothing.
That’s the right way to set the world on fire.
@MrYeah: So what’s the big problem? If you want to install unsigned applications just download and install the Developer edition.
You’re making a big fuss over nothing.
Developer edition is unstable alpha.
Just don’t update Firefox to the version that has this requirement.
After familiarizing myself with the Dunning-Kruger effect, I would opine that this is for our own good.
What is the real problem(s) Mozilla is trying to solve? All extensions and addons must be digitally signed with no exceptions is drastic. An Android type system would protect AMO distribution system. The reason given is valid and, yet, because it is a drastic step it leads to suspicion there is a “bigger” reason (security hole; financial gain; or…).
This is a good idea. Thank you Mozilla.
It seems like a drastic step. If Mozilla plans to have developer releases that do not require signing, it sounds like a bit of a fork already.
I wonder why they would not simply create a version/fork with the signing requirement so users can choose. No more work on Mozilla’s part and it preserves the freedom and choice current users have, while providing an option, for say corporate IT departments, to use the enhanced security version.
“The purpose should be obvious: to make it harder for surreptitious, devious or plain malevolent add-ons to make their way into your browser unnoticed.”
1) There are already safeguards against silent extension installation
2) The fact that an extension is signed says nothing about the surreptitiousness or deviousness of an add-on (see: Apple Store).
3) Forcing developers who have chosen, for usually very good reasons, not to use Mozilla for extension distribution, are unlikely to want to be subject to their scrutiny as far as when and how they publish their extensions.
Thankfully, there are already alternatives that are not going to follow this kind of big brother nonsense and that are truly independent and promoting a truly Open Web, as Mozilla likes to shout. E.g.: Pale Moon (www.palemoon.org)
You’ve sort of missed the point of my comment, namely that signed extensions will make it *harder* to foist rotten add-ons on users.
Sure, there are already safeguards, but they don’t amount to much. (I’m not judging that. Just saying that requiring a signature from Mozilla *will* make it harder.)
Secondly, the App Store is a strange example to choose as an example of how strict vetting (even if the main purpose is commercial, not for security) “says nothing about dodginess.” Whether you want to admit it or not, it’s harder to get malware into the App Store than into most Android alternative markets.
Thirdly, I think Mozilla’s argument (which has at least some merit) is that a non-trivial percentage of the developers who “have chosen to avoid Mozilla’s scrutiny,” as you put it, have done so for very good reasons indeed, namely to commit cybercrime.
So the idea isn’t perhaps as far-out as you might think, for all that you don’t like it. In other words, your word “nonsense” might be a little over-the-top.
“…namely to commit cybercrime.”
That is rather cynical. I have come across many developers creating great (non-malicious) add-ons, that have very valid reasons for not using AMO. It has to do with freedom, that Mozilla is slowly but surely torturing to death: we already have ads in the browser and DRM coming soon. Now this!? The Open Web has been sold out.
I said that “a non-trivial percentage of developers who skip Mozilla’s scrutiny” do so because they are crooks, and offered that as a suggestion that Mozilla’s proposal is not *entirely* unreasonable.
I’m not sure how that is cynical. I’m not denying that many developers may “have very valid reasons for not using AMO” that are also reasons not to want to have their add-ons signed.
AFAIK, Mozilla is not proposing to restrict availability to its source code, which means that calling this a “sell out” of the Open Web might be a bit of a stretch.
Finally………… :- )
This hurts. Too many false-positives. It punishes addon makers that have done nothing wrong.
(Happily posting this from TorBrowser ^_^)
Australis, DRM plans, ads in the new tab site, now this? Hello Vivaldi, here I come! Mozilla has just sold out… Disgusting!
Why not just offer signed-up versions or not as an option to end users? Or is Moz starting to follow the ‘free’ but it costs trend? Just about everyone that offered low priced or ‘free’ software eventually finds ways of upping the prices. 5% profit on $100.00 is better than 5% of nothing.
Are these newly signed add-ons going to be valid with the next released version of Firefox? Or do they have to be re-signed for each FF update?
The end of freedom comes under the guise of safety. Thanks for the years of freedom, but I don’t need or want your “safety”. SELLOUTS!
They are conforming to mass influence, by abandoning their principles.
Specifically Mozilla principles:
#5: Individuals must have the ability to shape the Internet and their own experiences on it.
You are restricting my ability to choose how I experience the internet, by policing what I can install on my browser.
#7: Free and open source software promotes the development of the Internet as a public resource.
Open source tenant #5: No Discrimination Against Persons or Groups
The license must not discriminate against any person or group of persons.
Rationale: In order to get the maximum benefit from the process, the maximum diversity of persons and groups should be equally eligible to contribute to open sources. Therefore we forbid any open-source license from locking anybody out of the process.
Tenant #7: Distribution of License
The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
Rationale: This clause is intended to forbid closing up software by indirect means such as requiring a non-disclosure agreement.
Tenant #9: License Must Not Restrict Other Software
The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.
Rationale: Distributors of open-source software have the right to make their own choices about their own software.
Tenant #10: License Must Be Technology-Neutral
No provision of the license may be predicated on any individual technology or style of interface.
#9: Transparent community-based processes promote participation, accountability and trust.
This one is more of a personal feeling of lack of transparency, I have been losing trust in them for some time.
I haven’t completely abandoned hope that they will right this ship, but if they refuse to stick to the principles and tenants that got them where they are today, then I wish them a swift and painless fall from grace, and into obscurity.
Considering that the product is still open source, so you can just build it yourself, and that Mozilla still builds its own “unwalled” version of the browser…
…wouldn’t it be a lot quicker to use the “unwalled” version. Or simply to switch to another browser?
PS. A “tenant” is someone who occupies a rented property. I think you mean “tenet”, which is a core belief or principle, especially of a religion.
Will the extension signing improve the chain of security for AMO add-ons?
I am always concerned about something akin to a MITM attack.
Even though I get all of my add-ons from the AMO, I agree that there should be some user level override on the walled garden approach.