Mandatory signing requirement for add-ons is coming
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
As they said in their statements, anything that is uploaded and passes preliminary review is automatically signed. AMO also tends to fast track existing extensions by trusted authors. Remember, they can run a diff on your code and see exactly what you changed very quickly. The real question is whether a brand new extension from a new author will go as easily.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
- KilliK
- Posts: 612
- Joined: June 18th, 2004, 7:11 am
Re: Mandatory signing requirement for add-ons is coming
patrickjdempsey wrote: The thing is that I don't think Mozilla's goal here has ever been to prevent genuinely "rogue" extensions from some theoretical future... but to prevent the incursion of lazily-written, quasi-legal, "unwanted" extensions as they exist today. I don't even want to know what kind of nightmare series of foot guns these cats would come up with to try to tackle a genuine threat.
exactamundo.
here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth
There is a Hola FF extension but you can only install it from their official site.
Mozilla is doing the right thing for not hosting it in their AMO, to the dissatisfaction of many users.
Now they are going one step further to prevent it from being installed by the unsuspecting average user.
Of course, he still has the option to do it with the unbranded versions.
This measure is not aiming to eliminate the danger of "bad" addons, only to reduce it.
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: Mandatory signing requirement for add-ons is coming
KilliK wrote: here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth
Here is a recent example by me of how Firefox could stop that -
#1. Take one existing Firefox blocklist.xml.
#2. Add the Hola entry to it.
#3. You're done.
Your point again was what exactly?
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Mandatory signing requirement for add-ons is coming
Yes, such things can be prevented with the existing blocklist mechanism. The only argument they might have is that users may run into the trap between the time that an add-on is offered and when it is blacklisted (which means their sledgehammer solution to assume that all non-AMO extensions are malicious by definition).
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: Mandatory signing requirement for add-ons is coming
rsx11m wrote: The only argument they might have is...
They might indeed.
I, of course, would then immediately point out that if the new signing system had been up and running a year ago, then Hola could have submitted their extension and it would have successfully been signed as recently as 4 days ago, as the abuse has only come to light since then.
You would then have a signed malicious extension in the wild for up to a year that could be installed on any current Firefox version, until such time that the signing midsum rejection bug for that extension had been fixed or, er, it had been added to the blockfile.
This remains the case. In other words, Mozilla will have to approve and sign non-AMO addons based on multiple criteria, including acceptable Privacy clauses, which can later be abused.
To catch a thief, you have to think like a thief.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Mandatory signing requirement for add-ons is coming
Frank Lion wrote: Hola could have submitted their extension and it would have successfully been signed as recently as 4 days ago, as the abuse has only come to light since then.
Sure, if the review process doesn't work (and apparently isn't followed up upon as in this case), the signing requirement doesn't help a bit either...
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Mandatory signing requirement for add-ons is coming
What about a "self-signed" extension?
Will that fly?
Should Hola sign their extension themselves (which they are able to do) and not list it on AMO, will someone attempting to install that signed extension from Hola be hit?
And if so, what is the whole purpose of this "exercise"?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- LoudNoise
- New Member
- Posts: 39900
- Joined: October 18th, 2007, 1:45 pm
- Location: Next door to the west
Re: Mandatory signing requirement for add-ons is coming
Sound and fury?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Mandatory signing requirement for add-ons is coming
therube wrote: What about a "self-signed" extension?
Will that fly?
I'd think that you'll have to obey a certain certificate chain, so that shouldn't work unless you get some key (or whatever) from Mozilla to sign it yourself or your own key is accepted by the application.
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
I believe that "self signed" extensions have still been required to pass an AMO review since the 3.6 days.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
Here's an interesting edge case where signing isn't going to work: The author of this extension has been version-bumping the extension since *before* Firefox 4.0. Because of this, the install.rdf has a maximum compatibility from before Firefox 4.0. Which means that Firefox will *not* automatically accept it as compatible without the version compatibility download from AMO. Which means this extension cannot be installed from a file, but can only be installed from AMO directly.
viewtopic.php?f=38&t=2938349&p=14179895#p14179895
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Mandatory signing requirement for add-ons is coming
That's confusing - on both Firefox 38.0.1 and SeaMonkey 2.33.1 Windows installations, all add-ons now have a "-signed" suffix added, except for NoScript, which stays at version 2.6.9.26 (last update on Friday, 29th) without the "-signed" in the displayed extension name.
So, what's special about NoScript, or did that update come after the signing was performed and wipe out the signature? I'm rather confident that I've installed it from AMO and not from any "unofficial" source.
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: Mandatory signing requirement for add-ons is coming
rsx11m wrote: So, what's special about NoScript
Nothing, and it's also signed - https://addons.mozilla.org/ru/firefox/f ... est.mf#top
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Mandatory signing requirement for add-ons is coming
Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).
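Added example (not code from this thread, from Mozilla or from any add-on): a Python script showing what the META-INF/manifest.mf inside a signed XPI actually pins down, which is why comparing the manifest is a better check than looking for a "-signed" suffix in the display name. It builds a small constructed XPI in memory, writes a JAR-style manifest with per-file digests (the entry layout is assumed from the JAR signing scheme that Firefox add-on signing is built on, simplified here to SHA1 and SHA256 entries), then verifies both the intact package and a copy whose script was altered after the manifest was written. The signature over the manifest itself (mozilla.sf / mozilla.rsa) is not modelled; the point is that any file changed, added or dropped after signing is detectable from the manifest alone.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample package contents (assumption: a minimal bootstrapped add-on).
SAMPLE_FILES = {
    "install.rdf": b"<RDF><em:id>sample@example.invalid</em:id></RDF>\n",
    "bootstrap.js": b"function startup() {}\nfunction shutdown() {}\n",
}


def b64_digest(algorithm, data):
    """Base64 of a raw digest, the encoding JAR manifests use."""
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode()


def build_manifest(files):
    """Produce a JAR-style manifest.mf: one block per file with its digests."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(files.items()):
        lines += [
            f"Name: {name}",
            "Digest-Algorithms: SHA1 SHA256",
            f"SHA1-Digest: {b64_digest('sha1', data)}",
            f"SHA256-Digest: {b64_digest('sha256', data)}",
            "",
        ]
    return "\n".join(lines) + "\n"


def build_xpi(files, manifest=None):
    """Zip the files plus a manifest; pass an old manifest to simulate post-signing tampering."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/manifest.mf",
                   manifest if manifest is not None else build_manifest(files))
    return buf.getvalue()


def parse_manifest(text):
    """Parse manifest.mf into {file name: {algorithm: base64 digest}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
            entries[current] = {}
        elif current is not None and "-Digest: " in line:
            alg, value = line.split("-Digest: ", 1)
            entries[current][alg] = value
        elif not line.strip():
            current = None  # blank line ends the current entry block
    return entries


def verify_xpi(xpi_bytes):
    """Return (ok, problems) comparing package contents against manifest.mf."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = [n for n in z.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")]
        try:
            manifest = parse_manifest(z.read("META-INF/manifest.mf").decode())
        except KeyError:
            return False, ["META-INF/manifest.mf missing: package carries no signature data"]
        for name in names:
            if name not in manifest:
                problems.append(f"{name}: not covered by manifest (added after signing)")
                continue
            if manifest[name].get("SHA256") != b64_digest("sha256", z.read(name)):
                problems.append(f"{name}: SHA256 digest mismatch (modified after signing)")
        for name in manifest:
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing from package")
    return not problems, problems


def tampered_sample():
    """Constructed case: bootstrap.js replaced, but the original manifest left in place."""
    modified = dict(SAMPLE_FILES, **{"bootstrap.js": b"function startup() { /* altered */ }\n"})
    return build_xpi(modified, manifest=build_manifest(SAMPLE_FILES))


if __name__ == "__main__":
    print("intact:", verify_xpi(build_xpi(SAMPLE_FILES)))
    print("tampered:", verify_xpi(tampered_sample()))
```

Run it and the intact package reports no problems while the tampered copy names bootstrap.js as modified; the same check flags a file slipped in after signing or one removed from the archive, none of which the displayed version string would reveal.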
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: Mandatory signing requirement for add-ons is coming
rsx11m wrote: Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).
Sorry, I thought you had been following this stuff. Don't you recall this extension being one of them that was done on the failed AMO 'Black Friday' fiasco, when they were originally planning to swing over?
This one (version 2.6.9.25.1-signed) was suffixed back then - https://addons.mozilla.org/en-US/firefo ... /versions/
Last edited by Frank Lion on June 1st, 2015, 9:45 am, edited 1 time in total.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)