Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
Post Reply
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

Well, SeaMonkey has been adopting Toolkit code mostly for the lack of own resources to maintain the old code (and yes, sometimes because the Toolkit version was actually better than XPFE).
User avatar
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

barbaz wrote:... would that make those installers "actually illegal malware"?...


Only if they violate the Trademarks they hold on the name and the icon image (some variance on this too)... otherwise the licensing allows derivatives period. One of the comments, I forget exactly where, said all one has to do is completely replace Fx preferably with user consent. That's the irony on this signing requirement... and there is nothing the Mozilla Foundation can do about it other than close doors for devs which they are doing well on that already. FOSS is intended to be free to develop, derive and adapt. If this means making a split/fork it's fully legal. I also roughly remember conversations about a decade ago about how the foundation abhors patents and copyrights which is why everything is FOSS... things change... companies fall... that's an unfortunate part of commercialism but law persists.

rsx11m wrote:... adopting ...


Much better wording than inheriting. :)
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

barbaz wrote:what percentage will subsequently take it to the next level and try to find a way to hack-patch Firefox binaries or omni.ja to achieve the same effect as their extension did (would that make those installers "actually illegal malware"?)...


As mentioned in the discussion, a program hacking into the binary would/should flag AV software because that's definitely not "legal" behavior. The goal is to stop crapware that side-loads search and homepage hijackers... although this is already somewhat covered in the new searchbar scheme.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

patrickjdempsey wrote:a program hacking into the binary would/should flag AV software because that's definitely not "legal" behavior.


I think a user initiated rebranding would be just fine and in line especially since it's on their property not Fx's. Property laws also haven't been discussed nearly enough and we all should know that possession is 9/10ths of law. :) Granted the UUID and other ids would need to be redressed as well... all part of rebranding... although source compilation would probably be easier as long as the output initially matches the distribution release binaries.
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

patrickjdempsey wrote:As mentioned in the discussion, a program hacking into the binary would/should flag AV software because that's definitely not "legal" behavior.

The crapware doesn't have to change the binary - it is enough that it can access it and then copy it to its own location and write the modified version to disk as its own - nothing illegal for an AV. Then only change program shortcuts but that doesn't even need admin rights so it's trivial. This is just one of the ways to bypass the new system pretty easily and there's lots more. Sure, crapware authors will need to make some effort but the level of difficulty is pretty low - and they are probably far more creative in devising workarounds than us because they live off of it.
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
User avatar
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

This part of the discussion seem to be more involved than necessary for a number of reasons. Both changing the binary or changing the shortcut would require more work than most of these folks will be likely to do and could be easily defeated by AVs should it become a problem. The question here is does making Mozilla the arbitrator of what is good or right the best way to deal with the problem or is there a less intrusive way to deal with it? As far as I am concerned there is an easier way to deal with it-- don't allow installations or any other outside agents to install extensions or change homepages.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
User avatar
WaltS48
Posts: 5141
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Re: Mandatory signing requirement for add-ons may be coming

Post by WaltS48 »

WLS wrote:I don't understand how this pertains to users.

I'm not planning on installing anything new.

Will my already installed extensions just stop working?

Will they all update to the signed version, even if the extension hasn't changed other than the signature?

It appears my post to m.a.user-experience asking those questions didn't pass moderation.
Maybe they didn't think of it?


Well as Jorge pointed out in his response to my post in m.a.user-experience.

Question:
Will current Firefox users have to update all already installed
extensions when they run the first version of Firefox with the signing
requirement?


Answer:
Yes. In the case of AMO extensions, we will sign the latest versions and
increment their version number. That is, if developers don't get them
signed before we do. For non-AMO developers, they will need to this
themselves.

Keep in mind that there will be a 12 week transition period where
Firefox will only warn about unsigned extensions, so there should be
sufficient time for add-on developers to get their users updated before
Firefox begins to enforce this more strictly.
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5
User avatar
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

Found some historical chatter in the development platform side at Pros and cons of different add-on install methods.

I'll have to spend some more quality time reading this to see how many reversals AMO/FX is having with their current reproach... but it's there for those who are interested but it is a lengthy read. Perhaps this could improve some alternatives with some additional insight.
"Those who cannot remember the past are condemned to repeat it."
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

LoudNoise wrote:The question here is does making Mozilla the arbitrator of what is good or right the best way to deal with the problem or is there a less intrusive way to deal with it? As far as I am concerned there is an easier way to deal with it-- don't allow installations or any other outside agents to install extensions or change homepages.


The second part is likely going to happen anyway regardless of this system as it's being planned to do something similar as to what was done with the search engine. One of the big problems Mozilla is facing is that they simply never bothered to come up with a system for distributions that is safe and makes sense for corporate environments that doesn't leave the software wide open to malware. And the "solutions" being proposed as well as the one implemented for search plugins already, don't seem to be taking distributions into account whatsoever. Mozilla ignoring this use-case doesn't make it go away, and if anything it makes their solutions more complicated than they really need to be IMO.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

WLS wrote:Answer:
Yes. In the case of AMO extensions, we will sign the latest versions and
increment their version number. That is, if developers don't get them
signed before we do. For non-AMO developers, they will need to this
themselves.


Well that's interesting that means that they are required to support that version instead of the actual maintainers/creators. The taste in my mouth for this change is getting more sour. e.g. they are forking it which should move all issue tracking to their side. Bugzilla will probably be flooded and this may end up being a much worse "user" experience overall with debate on who did what to whom. As a developer I am pretty sure I won't be supporting their customized forks and this will actually increase their work-load with distillation. Not the brightest bulbs in the bunch I think. ;)

EDIT: With some more thought and the available data presented here the signing process will double the overhead for production releases for AMO and probably triple it for non-AMO releases. So much for the theory that they will be making this quick and simple for legitimate devs. As far as maintainer signing goes that could divide the time a little bit but that defeats the purpose of signing... the word paradox comes to mind for me. Most devs know how lengthy it is to get AO's approved already. Storage requirements will probably double as well.
"Those who cannot remember the past are condemned to repeat it."
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Since Google Groups sucks and I can't just link to a single response I'm going to quote here a rather long response from Nicholas Nethercote in the thread Martii linked. I'm posting this because I think it's a good read for some folks here who might not be 100% up on why this is being done (even if we disagree with the "solution") this is the problem. Anyone who's participated in a "how do I remove Babylon toolbar" thread here is already well versed:

Nicholas Nethercote wrote:This has been an interesting thread. It's also been very abstract. Let's make things more concrete.

Clint said:

> I think we need to solve this by turning it around from a "how do we defend
> Firefox against X" question to a "what do the users want from these addons,
> and what do the developers of the legitimate sets of these addons hope to
> provide" question. With the users squarely in mind, I believe we can make
> much better decisions.

Here's my answer to what users want from add-ons:

Adblock Plus
Video DownloadHelper
Greasemonkey
Firebug
Download Statusbar
Personas Plus
FlashGot
NoScript
DownThemAll!
WOT - Know Which Websites to Trust
Tab Mix Plus
Flagfox
Easy YouTube Video Downloader
Flashblock
Element Hiding Helper for Adblock Plus
ImTranslator - Online Translator, Dictionary, TTS
FireFTP
Web Developer
IE Tab
IE Tab V2 (FF 3.5, 4, 5, 6, 7+)

That's the top 20 most popular add-ons on AMO. These are excellent add-ons, you've probably heard of a lot of them, you may have some of them installed yourself. These are add-ons that users have taken effort to install. Every add-on on that list makes me happy (well, except for https://bugzilla.mozilla.orgshow_bug.cgi?id=669730). When people say things like "The only reason I haven't switched to Chrome is because of Firefox's add-ons", this is what they're talking about. In many cases even if you've never heard of one of these add-ons, you can tell just from its name roughly what it does.

In contrast, when I look at the top 20 most popular add-ons (including AMO and non-AMO add-ons) my heart sinks. The only ones I'm genuinely happy to see are the AMO ones. A few others make me think "hmm" and the rest make me think "oh god". Unfortunately this list is considered sensitive so I can't discuss it directly in a public forum. But I can point you at https://bugzilla.mozilla.org/attachment.cgi?id=600823, which has the top ~100 add-ons, including non-AMO ones, listed in alphabetical order. I spent some time looking some of these ip. I've put some interesting links and data points in a list at the bottom of this email. I did some cherry-picking when making that list, certainly, but I still feel like I've been diving through dumpsters in the bad part of town. Some notable things I learnt:

- For many of these, even the ones where the name is known, it's hard to find any kind of official website to deliberately download the add-on.

- The fact that third-party add-ons cannot be uninstalled from within Firefox is hugely confusing to users. The number of "how do I disable the XYZ add-on" hits you see is astounding.

- It's interesting that several add-ons (e.g. Yahoo! Toolbar, Microsoft .NET Framework Assistant) are hosted on AMO but the vast majority of the installations are not from AMO. This could mean there's a prominent alternative location that the add-on can be installed from, but I suspect third-party installs are mostly
responsible.

- Apart from the anti-virus add-ons, I don't recognize anything in that list that provided integration between Firefox and other apps. I could well be missing some, though.

- There are 17 add-ons that have "toolbar" in their name.

> If we frame the problem as "defending Firefox from
> malicious crap" then the solution we create isn't going to be as complete as
> it could otherwise be.

That's true. But the evidence suggests that "defending Firefox from malicious crap" has to be a sizeable part of the solution.

In my opinion, user control should be the #1 principle when it comes to add-ons -- users should be able to run exactly the add-ons they want to, no more and no less. Third-party add-ons are an enormous loophole in the "no more" part of that. The Firefox 8 opt-in check made that loophole much smaller (and if we lived in a perfect world where users always read and understood all warnings it would even smaller). Do we have any data about how effective that opt-in check is? E.g. how many third-party installs were disabled and how many were re-enabled by users? I'd love to see any such data.

Nick

----

Results of my searches. Most of the links were in the top handful of Google search results. I randomized this list so they're in no particular order.

- Conduit Engine: 6 of the top 10 Google search results are about how to remove it.

- Anti-banner (Kaspersky): http://www.ghacks.net/2010/10/02/remove ... m-firefox/

- PC Sync 2 Synchronisation Extension (Nokia) - AMO: #4 Google hit: How to remove PC Sync 2 Synchronisation Extension (http://www.techyforums.com/index.php?showtopic=307)

- Java Quick Starter: #1 hit on Google is "Removing the Java Quick Starter Add-on" (viewtopic.php?f=38&t=921325&start=15)

- Microsoft .NET Framework Assistant: Remarkably popular for an add-on that doesn't do much.

- {22C7F6C6-8D67-4534-92B5-529A0EC09405} , a.k.a. Trend Micro NSC Firefox Extension: http://community.trendmicro.com/t5/Home ... td-p/38616

- Ask toolbar: http://blog.mozilla.com/sumo/2012/02/21 ... n-process/

- DataMngr (???): SpyBot Search and Destroy classifies it as malware: http://forums.spybot.info/showthread.php?t=62634. And it was nominated for blocklisting last year due to crashes but nothing happened: https://bugzilla.mozilla.org/show_bug.cgi?id=665775.

- Babylon: #1 hit on Google is http://www.ghacks.net/2011/08/17/how-to ... ompletely/. #3 hit is "Manual Removal Guide for Babylon.Toolbar" (http://forums.spybot.info/showthread.php?t=64962)

- {4ED1F68A-5463-4931-9384-8FFF5ED91D92}, a.k.a. McAfee SiteAdvisor: The old version was by far the leakiest add-on I've ever seen: https://bugzilla.mozilla.org/show_bug.cgi?id=727938. The new version (3.4.1.195) is better, but still easily the 2nd leakiest add-on I've ever seen: https://bugzilla.mozilla.org/show_bug.cgi?id=729608

- Java Console: Lots of Firefox installations have multiple old versions hanging around uselessly. Remarkably popular for an add-on that doesn't do much.

- Garmin Communicator: has 51,249 AMO users, and *many* more non-AMO users. https://addons.mozilla.org/en-US/firefo ... ws/295748/ is interesting, too.

- ShopperReports: 7 of the top 10 google hits are about how to remove it. (At least it has a home site, http://www.shopperreports.com.)

- Search Helper Extension: http://arstechnica.com/microsoft/news/2 ... update.ars
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Martii wrote:EDIT: With some more thought and the available data presented here the signing process will double the overhead for production releases for AMO and probably triple it for non-AMO releases.


Since at least 2009 I recall AMO consistently having outtages during browser updates because of addons updates checks. Just CHECKING. Not even downloading full versions... just checking to see if there is a new version. I *believe* it's one of the reasons Firefox now spreads updates out over a couple of days. Mozilla has reduced this demand somewhat by setting up addons so that versions can be compatibility "bumped" without a new upload/download, but the CHECKING part still happens and still causes AMO outtages that often result in people's addons being disabled for a few days around the time of the update.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

patrickjdempsey wrote:Since Google Groups sucks and I can't just link to a single response I'm going to..

...ask Frank to do the link for me (far right under 'More message actions')

https://groups.google.com/d/msg/mozilla ... emaUs_kcYJ
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Frank Lion wrote:
patrickjdempsey wrote:Since Google Groups sucks and I can't just link to a single response I'm going to..

...ask Frank to do the link for me (far right under 'More message actions')

https://groups.google.com/d/msg/mozilla ... emaUs_kcYJ


Oopps I saw that... but I think my brain tripped up on the goofy icon icon.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

patrickjdempsey wrote:Oopps I saw that... but I think my brain tripped up on the goofy icon icon.

I had an edge. Much of Google's stuff on Android is laid out in the same obscure fashion, so I knew it would be there somewhere.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Post Reply