Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
Post Reply
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Meh. This is all a result of the fact that Mozilla never came up with a sane approach to dealing with rogue extensions installed at the OS level... which IMO the ONLY sane approach is to simply not allow it. You know what it would have taken to keep extensions from installing themselves? Encrypt the extensions initialization file and only load extensions that appear in the initialization file, remove support for prefs.JS and encrypt user.JS.

That's it. That would remove 99.999% of the problems that users face from external sources. Instead they've opted to make the Firefox experience worse and worse. Because of this same issue they removed keyword.URL and completely crippled the urlbar, created an annoying popup for globally installed extensions that is easily defeated by writing to an unencrypted text file.

Signed Plugins, I could see the utility in that since Plugins connect at the OS level. But signed extensions? What a waste of energy. Just more hoops for developers to jump through. Who's really going to bother? And how does this even remotely encourage experimentation and new developers? Does this mean we will have to install special "debug" builds for every version we test? What a crock.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

The conspiratory side of me suspects that Mozilla's end game is to discourage XUL extension development as much as possible. After all, the *long term* path for Firefox is to move away from Gecko and XUL. Changes like this will do for Extensions what rapid releases and Australis did for Themes. And Mozilla doesn't seem to have any clue that the *only* two things that keep people using Firefox are the extensions and the fact that it's not made by Microsoft, Google or Apple. Take away the power of the extensions and Firefox doesn't stand a chance in this market. Especially considering that the primary tool necessary for a solid mobile experience is Sync which seems to be continually broken.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

patrickjdempsey wrote:Signed Plugins, I could see the utility in that since Plugins connect at the OS level. But signed extensions? What a waste of energy. Just more hoops for developers to jump through. Who's really going to bother? And how does this even remotely encourage experimentation and new developers? Does this mean we will have to install special "debug" builds for every version we test? What a crock.


Wasting energy of both Fx developers and extension developers. There is really so *much* to be done to improve extension installation from AMO and general usability of that site: e.g. there are loads of old, broken and abandoned extensions, some causing serious performance issues and all are fully reviewed, and some even "featured", and no information whatsoever about the problems they may be causing - unless you have the time to dig through the comments or discussions in various forums. There are so many useful things to do in cleaning up the site and taking steps to provide useful information about extensions so that users are aware of potential problems - and instead they are making everything more difficult for everyone by imposing limits instead of providing valid, current and trustworthy information and giving a choice.

patrickjdempsey wrote:The conspiratory side of me suspects that Mozilla's end game is to discourage XUL extension development as much as possible. After all, the *long term* path for Firefox is to move away from Gecko and XUL. Changes like this will do for Extensions what rapid releases and Australis did for Themes. And Mozilla doesn't seem to have any clue that the *only* two things that keep people using Firefox are the extensions and the fact that it's not made by Microsoft, Google or Apple. Take away the power of the extensions and Firefox doesn't stand a chance in this market. Especially considering that the primary tool necessary for a solid mobile experience is Sync which seems to be continually broken.

I think they don't stand a chance if they try to copy what Chrome has because a browser that acts like Chrome will not be able to compete with Chrome, there must be something of value that Chrome doesn't have and this has always been the open platform that encouraged everybody to freely extend with powerful add-ons. Firefox currently has an edge over Chrome in easily customizing with custom home-made and company-made add-ons - now this will be lost. Now if all goes well then SeaMonkey will have that edge :D - but I'm not sure if this is a reason to celebrate :-k
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Back during the 4.0 uplift I started putting together a proposal for a system that would allow extensions to be "retired" or "orphaned" and for other authors to "adopt" them. Included in that was the possibility of AMO extension authors being able to write "suggestions" on the pages of abandoned extensions so users could have the opinion of an author peer on where to go.

I still think there's merit to that concept as it could possibly mean users wouldn't even *notice* a change of hands, with no lull in support when an extension author tires of working on it. It would mean that big breaking changes couldn't *have* to mean the death of extensions the way that they traditionally have (just look at the number of extensions that never got updated for Firefox 3.0, it's not a new phenomena).
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

That would also be a useful addition. But they seem to be putting all the add-ons stuff on the back burner and mistakenly try to put most of the blame for extension problems on malware instead of making AMO a reliable source of information and a user friendly system. If someone got malware then no amount of Mozilla protections will prevent it from affecting any software, including the browser. Installing an adware/malware software that side loads a Fx extension? If I were a malware author I'd simply change my strategy to detecting Fx's omni.ja, which is a plain text source code file and inject whatever nastiness I can dream of, circumventing all new signing protections. What does it take on Windows to do that? A simple UAC prompt that people are used to accepting? Voila! And I believe a good piece of malware can do even better than that. BTW, I'm not sure if sharing ideas how to hack Fx is okay here :mrgreen: :roll:
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

The worst part of all of this to me is that much like the crippling of the URLbar it still doesn't solve the root problem... which is that a search hijacker can easily change your search engine and urlbar search by modifying a text file... no extension required. Conduit et al are already doing that as part of their installer procedure. So what "problem" is this "solution" even trying to combat?
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by barbaz »

patrickjdempsey wrote:So what "problem" is this "solution" even trying to combat?

Well, we can be sure it's definitely not browser malware, because this is just going to encourage malware authors to instead find a way to patch the actual Firefox excutable or associated binaries/shared libraries if possible, which will then making it harder for end users to find, deal with, and remove the malware... :roll:
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

It's not that simply to inject code into the binaries or to hack omni.ja, at least not by a drive-by attack when just visiting a website. On the other hand, if the user voluntarily downloads a file from a site and runs it, ignoring any precautions, it doesn't matter if you install an XPI file or run a script or executable that modifies the actual code.

I'm wondering if those semi-official spyware add-ons will get signed which are distributed through valid downloads, e.g., Ask.com with the Java updates (fortunately they only targeted Firefox thus far, never got it "offered" for a machine with SeaMonkey but not Firefox installed). That sure would be revealing.
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

rsx11m wrote:It's not that simply to inject code into the binaries or to hack omni.ja, at least not by a drive-by attack when just visiting a website. On the other hand, if the user voluntarily downloads a file from a site and runs it, ignoring any precautions, it doesn't matter if you install an XPI file or run a script or executable that modifies the actual code.

But AFAIK all these protections are not meat to protect against just visiting web sites - add-on signing is not needed for that at all, there's the install popup that the user has to accept and if this is not enough it would be sufficient to block the ability to install extensions directly from non-AMO web pages and require installation from a file in the add-ons manager. Most bad extensions come from installers of adware and they will have no trouble hacking omni.ja or an exe.

As you noticed, it doesn't really matter if the user downloads an xpi or an exe - that's the same thing. Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
BillT52
Posts: 119
Joined: March 30th, 2008, 10:31 am
Location: New York

Re: Mandatory signing requirement for add-ons may be coming

Post by BillT52 »

I don't use many extensions, but one that I DO use is CatThief's SeaTab X. What will happen to other extensions like this that continue to work even though the extension is no longer supported? Is there any way this restriction could be toggled on/off through a setting "hidden" in about:config, so less savvy users could be protected "for their own good", while those of us who don't indiscriminately download everything we see can continue to use extensions that don't conform to official Mozilla policy? I also use Forecastfox, and even Accuweather seems to be having problems getting their extension through the AMO hoops. A lot of users are going to lose extensions they use every day. If Firefox is going to continue to try and be more like Chrome than Chrome (dragging SeaMonkey down with it), then I might as well use Chrome.

PS I just saw that patrickjdempsey has gotten CatThief's permission to use her code as a basis for his new version of SeaTabX. I'll have to give it a spin. But that still doesn't change the arguement. People use Mozilla browsers because the DON'T have a walled garden.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

Lemon Juice wrote:But AFAIK all these protections are not mea[n]t to protect against just visiting web sites - add-on signing is not needed for that at all, there's the install popup that the user has to accept and if this is not enough it would be sufficient to block the ability to install extensions directly from non-AMO web pages and require installation from a file in the add-ons manager.

Agreed.

Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?

This should be fun, would they try to validate all and every installer or executable that you can think of around the world? :-D
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Drive-by attacks are already prevented by the installable domain list. The big issue is insertion from the OS.

Of course they are going to automatically sign everything currently on AMO... including things like BrandThunder that most of us consider to be crapware.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Philip Chee »

In my opinion SeaMonkey will be disproportionately affected by the signing requirement as the community is using orphaned and modded extensions either from my xsidebar mozdev site or - more recently - from the addon converter by Lemon Juice. *I* will be pushing hard for this mis-feature to be disabled in SeaMonkey. I believe that several of my SeaMonkey colleagues are of the same mind.

Based on Jorgev's reply to my question, there will (probably) be some sort of build time switch which we can turn off. We shall see. Fingers crossed.

Phil
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Thanks Philip. I certainly hope so!
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

+1
Post Reply