Mandatory signing requirement for add-ons is coming

Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

rsx11m wrote:
Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?

This should be fun, would they try to validate all and every installer or executable that you can think of around the world? :-D

Well, this is not as out of reach as it might appear at first - imagine Mozilla strikes up a deal with a service like virustotal.com! #-o

Philip Chee wrote:*I* will be pushing hard for this mis-feature to be disabled in SeaMonkey.

And that is the right state of mind :!: 8-)
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by barbaz »

Philip Chee wrote:*I* will be pushing hard for this mis-feature to be disabled in SeaMonkey.

Is there any way we can help you push, and if so what would be involved?
ElTxolo
Posts: 2807
Joined: July 30th, 2007, 9:35 am
Location: Localhost

Re: Mandatory signing requirement for add-ons may be coming

Post by ElTxolo »

Philip Chee wrote:In my opinion SeaMonkey will be disproportionately affected by the signing requirement as the community is using orphaned and modded extensions either from my xsidebar mozdev site or - more recently - from the addon converter by Lemon Juice. *I* will be pushing hard for this mis-feature to be disabled in SeaMonkey. I believe that several of my SeaMonkey colleagues are of the same mind ...

Well done!
Thanks for your input ... Phil !!
How to Ask Questions The Smart Way - How to Report Bugs Effectively ;)
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20240109 SeaMonkey/2.53.18.1
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20240324 SeaMonkey/2.53.19 :lildevil:

~
LordOfTheBored
Posts: 307
Joined: December 7th, 2005, 8:36 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by LordOfTheBored »

rsx11m wrote:
Does this mean that Mozilla's next step will be to block downloading of all executable files that have not passed their validation?

This should be fun, would they try to validate all and every installer or executable that you can think of around the world? :-D

Especially with the modern tendency for vaguely threatening error messages that have cute cartoon illustrations but no actual details.

"Firefox has blocked access to chrome-installer.exe because it might damage your computer! Don't worry, guys, we're making sure no badware gets on your system!"
thanhthai1691
New Member
Posts: 1
Joined: January 22nd, 2015, 11:38 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by thanhthai1691 »

I hope the applicable switches may be already available.
jbperez
Posts: 19
Joined: November 26th, 2004, 1:00 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by jbperez »

1. I can understand the concern of security. The internet is rife with all sorts of malware taking advantage of any and all attack vectors imaginable.

2. They can require the signing, AS LONG AS THEY PUT IN A FEATURE THAT CAN OPTIONALLY OVERRIDE IT, so that people who actually know what they're doing can proceed.

What is so hard about giving people the choice?
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by barbaz »

jbperez wrote:1. I can understand the concern of security. The internet is rife with all sorts of malware taking advantage of any and all attack vectors imaginable.

It's already been established in this thread that this can't be to protect users from malware - and in the unlikely event that it is, it's exactly the wrong approach.

jbperez wrote:2. They can require the signing, AS LONG AS THEY PUT IN A FEATURE THAT CAN OPTIONALLY OVERRIDE IT, so that people who actually know what they're doing can proceed.

What is so hard about giving people the choice?

Mozilla is not going to do that. And anyway, why would any SeaMonkey user want the signing to be forced?
Your User-Agent string says Firefox, why don't you try to set up SeaMonkey exactly the way you want, but the *only* add-ons you use are add-ons directly from AMO without any modifications... :wink:
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

http://blog.mozilla.org/addons/2015/02/ ... xperience/

I have no intention of making things easy for the bad guys, but there's a pretty obvious (and devious) way around this signing nonsense.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

From the above:

Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.


And an interesting side-effect of this process may be that some of those broken AV toolbars might finally be taken to task:

In the case of developers who want their extensions to be side loaded (installed via an application installer rather than using the usual Web install method) the review bar will be higher, equal to fully reviewed add-ons on AMO (with the exception of AMO content restrictions). This is a convenient installation avenue for software that comes bundled with an extension, for example an antivirus application that includes a Firefox extension that interacts with it.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Frank Lion wrote:I have no intention of making things easy for the bad guys, but there's a pretty obvious (and devious) way around this signing nonsense.


I can think of a few. And of course... the big horrible things that everyone hates for 3rd parties to do... hijack the homepage and the searchbar are not at all fixed by this.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

I see large problems here.

For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.


First, noting the above, we have a number of extensions developed for the exclusive use of our employees. This will have to be in place before restrictive signing is in place. I don't have a great deal of faith that it will.

Second, we have a number of our sales, support and customer folks who are outside of our internal network but still need to use a couple of these extensions. From the sound of it, we will need to get these extensions ok'd by AMO. Unless Mozilla is willing to sign a non-disclosure agreement this won't happen. In the case of the outside sales and customers, a VPN is out of the question and, even if it wasn't, it appears that our customers would have to create a profile specifically for use on our system. We can tell the outside sales folks to do this or quit selling our product. Our customers, reasonably, will tell us to go to hell.

Third, and this will affect even the regular extensions, it will make it impossible to make small changes to an extension and have them tested by the person having the problem before it is placed in production. Unless the process is going to be easily defeated, this means that we will have to make a change, get it signed, have the person test it and, if unsuccessful, repeat the process. At least two of these extensions do things that I doubt automated testing will approve so this will increase the delay between development, testing and release.

Firefox should simply not allow an extension to change a home page or be installed from external installation. In the first case, there is no legit reason to do so. In the second, an email can be sent after installation registration suggesting that they install it from AMO, which would allow review. They should have blacklisted such sinners as BrandThunder long ago.


-----------------------
Question: Since this does not seem likely to be coming to SeaMonkey, would it be a good idea to move this to Extension Dev?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Especially considering how many companies probably switched to local extensions when remote XUL was blocked... I'm betting the corporate fallout from this will be huge. Maybe some smaller companies will switch over to some as-of-yet unannounced "developer builds" but I have a feeling this won't just be something you can pluck from the FTP server.

This seems consequential enough to merit not only being moved to Ext Dev, but possibly be stickied.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

Agreed, by now the discussion here went well beyond how the signing requirement affects SeaMonkey.
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

rsx11m wrote:Agreed, by now the discussion here went well beyond how the signing requirement affects SeaMonkey.

I think we need a clear statement from SeaMonkey as to whether they intend to disable signing in SM or not.

I don't mean the usual 'Firefox dev type 'Personally, I'm against it' pacifications and then it happens anyway, as intended right from the start' type stuff, but a clear statement of intent.

Very unusual (unique?) for me to ask for something like this, but I see trouble ahead and need to be able to plan accordingly.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

The statement comes from the official Mozilla blog entry you linked to: "Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment." To me this sounds like a pretty clear statement!
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey