MozillaZine

Mandatory signing requirement for add-ons is coming

Lemon Juice
 
Posts: 784
Joined: June 1st, 2006, 9:41 am

Posted January 21st, 2015, 2:49 pm

rsx11m wrote:
Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?

This should be fun, would they try to validate all and every installer or executable that you can think of around the world? :-D

Well, this is not as out of reach as it might appear at first - imagine Mozilla strikes up a deal with a service like virustotal.com! #-o

Philip Chee wrote:*I* will be pushing hard for this mis-feature to be disabled in SeaMonkey.

And that is the right state of mind :!: 8-)
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey

barbaz
 
Posts: 1682
Joined: October 1st, 2014, 3:25 pm

Posted January 21st, 2015, 5:14 pm

Philip Chee wrote:*I* will be pushing hard for this mis-feature to be disabled in SeaMonkey.

Is there any way we can help you push, and if so what would be involved?
*Always* check the changelogs BEFORE updating that important software!

ElTxolo

 
Posts: 2431
Joined: July 30th, 2007, 9:35 am
Location: Localhost

Posted January 22nd, 2015, 7:33 am

Philip Chee wrote:In my opinion SeaMonkey will be disproportionately affected by the signing requirement as the community is using orphaned and modded extensions either from my xsidebar mozdev site or - more recently - from the addon converter by Lemon Juice. *I* will be pushing hard for this mis-feature to be disabled in SeaMonkey. I believe that several of my SeaMonkey colleagues are of the same mind ...

Well done!
Thanks for your input ... Phil !!
How to Ask Questions The Smart Way - How to Report Bugs Effectively ;)
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20180711 SeaMonkey/2.49.4
Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20170619 SeaMonkey/2.51

LordOfTheBored
 
Posts: 269
Joined: December 7th, 2005, 8:36 pm

Posted January 23rd, 2015, 5:26 am

rsx11m wrote:
Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?

This should be fun, would they try to validate all and every installer or executable that you can think of around the world? :-D

Especially with the modern tendency for vaguely threatening error messages that have cute cartoon illustrations but no actual details.

"Firefox has blocked access to chrome-installer.exe because it might damage your computer! Don't worry, guys, we're making sure no badware gets on your system!"

thanhthai1691
New Member
 
Posts: 1
Joined: January 22nd, 2015, 11:38 pm

Posted January 23rd, 2015, 7:56 pm

I hope the applicable switches may be already available

jbperez
 
Posts: 19
Joined: November 26th, 2004, 1:00 pm

Posted February 9th, 2015, 4:32 am

1. I can understand the concern of security. The internet is rife with all sorts of malware taking advantage of any and all attack vectors imaginable.

2. They can require the signing, AS LONG AS THEY PUT IN A FEATURE THAT CAN OPTIONALLY OVERRIDE IT, so that people who actually know what they're doing can proceed.

What is so hard about giving people the choice?

barbaz
 
Posts: 1682
Joined: October 1st, 2014, 3:25 pm

Posted February 9th, 2015, 9:56 am

jbperez wrote:1. I can understand the concern of security. The internet is rife with all sorts of malware taking advantage of any and all attack vectors imaginable.

It's already been established in this thread that this can't be to protect users from malware - and in the unlikely event that it is, it's exactly the wrong approach.

jbperez wrote:2. They can require the signing, AS LONG AS THEY PUT IN A FEATURE THAT CAN OPTIONALLY OVERRIDE IT, so that people who actually know what they're doing can proceed.

What is so hard about giving people the choice?

Mozilla is not going to do that. And anyway, why would any SeaMonkey user want the signing to be forced?
Your User-Agent string says Firefox, why don't you try to set up SeaMonkey exactly the way you want, but the *only* add-ons you use are add-ons directly from AMO without any modifications... :wink:
*Always* check the changelogs BEFORE updating that important software!

Frank Lion

 
Posts: 20199
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 10th, 2015, 6:27 pm

http://blog.mozilla.org/addons/2015/02/ ... xperience/

I have no intention of making things easy for the bad guys, but there's a pretty obvious (and devious) way around this signing nonsense.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

patrickjdempsey

 
Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted February 10th, 2015, 6:46 pm

From the above:

Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.


And an interesting side-effect of this process may be that some of those broken AV toolbars might finally be taken to task:

In the case of developers who want their extensions to be side loaded (installed via an application installer rather than using the usual Web install method) the review bar will be higher, equal to fully reviewed add-ons on AMO (with the exception of AMO content restrictions). This is a convenient installation avenue for software that comes bundled with an extension, for example an antivirus application that includes a Firefox extension that interacts with it.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

patrickjdempsey

 
Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted February 10th, 2015, 6:48 pm

Frank Lion wrote:I have no intention of making things easy for the bad guys, but there's a pretty obvious (and devious) way around this signing nonsense.


I can think of a few. And of course... the big horrible things that everyone hates for 3rd parties to do... hijack the homepage and the searchbar are not at all fixed by this.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

LoudNoise
New Member

 
Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Posted February 10th, 2015, 8:31 pm

I see large problems here.

For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.


First, noting the above, we have a number of extensions developed for the exclusive use of our employees. This will have to be in place before restrictive signing is in place. I don't have a great deal of faith that it will.

Second, we have a number of our sales, support and customer folks who are outside of our internal network but still need to use a couple of these extensions. From the sound of it, we will need to get these extensions ok'd by AMO. Unless Mozilla is willing to sign a non-disclosure agreement this won't happen. In the case of the outside sales and customers, a VPN is out of the question and, even if it wasn't, it appears that our customers would have to create a profile specifically for use on our system. We can tell the outside sales folks to do this or quit selling our product. Our customers, reasonably, will tell us to go to hell.

Third, and this will affect even the regular extensions, it will make it impossible to make small changes to an extension and have them tested by the person having the problem before it is placed in production. Unless the process is going to be easily defeated, this means that we will have to make a change, get it signed, have the person test it and, if unsuccessful, repeat the process. At least two of these extensions do things that I doubt automated testing will approve so this will increase the delay between development, testing and release.

Firefox should simply not allow an extension to change a home page or be installed from external installation. In the first case, there is no legit reason to do so. In the second, an email can be sent after installation registration suggesting that they install it from AMO which would allow review. They should have blacklisted such sinners as BrandThunder long ago.


-----------------------
Question: Since this does not seem likely to be coming to SeaMonkey, would it be a good idea to move this to Extension Dev?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

patrickjdempsey

 
Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted February 10th, 2015, 9:24 pm

Especially considering how many companies probably switched to local extensions when remote XUL was blocked... I'm betting the corporate fallout from this will be huge. Maybe some smaller companies will switch over to some as-of-yet unannounced "developer builds" but I have a feeling this won't just be something you can pluck from the FTP server.

This seems consequential enough to merit not only being moved to Ext Dev, but possibly be stickied.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

rsx11m
Moderator
 
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted February 11th, 2015, 6:14 am

Agreed, by now the discussion here went well beyond how the signing requirement affects SeaMonkey.

Frank Lion

 
Posts: 20199
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted February 11th, 2015, 7:30 am

rsx11m wrote:Agreed, by now the discussion here went well beyond how the signing requirement affects SeaMonkey.

I think we need a clear statement from SeaMonkey as to whether they intend to disable signing in SM or not.

I don't mean the usual 'Firefox dev type 'Personally, I'm against it' pacifications and then it happens anyway, as intended right from the start' type stuff, but a clear statement of intent.

Very unusual (unique?) for me to ask for something like this, but I see trouble ahead and need to be able to plan accordingly.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Lemon Juice
 
Posts: 784
Joined: June 1st, 2006, 9:41 am

Posted February 11th, 2015, 7:35 am

The statement comes from the official Mozilla blog entry you linked to: "Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.". To me this sounds like a pretty clear statement!
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
