MozillaZine

Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted May 30th, 2015, 1:04 pm

As they said in their statements, anything that is uploaded and passes preliminary review is automatically signed. AMO also tends to fast track existing extensions by trusted authors. Remember, they can run a diff on your code and see exactly what you changed very quickly. The real question is whether a brand new extension from a new author will go as easily.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

KilliK

Posts: 609
Joined: June 18th, 2004, 7:11 am

Post Posted May 30th, 2015, 8:23 pm

patrickjdempsey wrote: The thing is that I don't think Mozilla's goal here has ever been to prevent genuinely "rogue" extensions from some theoretical future... but to prevent the incursion of lazily-written, quasi-legal, "unwanted" extensions as they exist today. I don't even want to know what kind of nightmare series of foot guns these cats would come up with to try to tackle a genuine threat.


exactamundo.
here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth

There is a Hola FF extension but you can only install it from their official site.
Mozilla is doing the right thing for not hosting it in their AMO, to the dissatisfaction of many users.
Now they are going one step further to prevent it from being installed by the unsuspecting average user.
Of course, he still has the option to do it with the unbranded versions.

This measure is not aiming to eliminate the danger of "bad" addons, only to reduce it.

Frank Lion

Posts: 20311
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted May 31st, 2015, 4:00 am

KilliK wrote: here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth

Here is a recent example by me of how Firefox could stop that -

#1. Take one existing Firefox blocklist.xml.
#2. Add the Hola entry to it.
#3. You're done.

Your point again was what exactly?
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
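
Frank Lion's three steps above, as an added worked example (not Mozilla's code and not part of the original post): a small Python checker that parses a blocklist.xml of the shape Firefox ships and reports whether an installed add-on id/version falls in a blocked range. The blocklist document, the add-on ids and the blockIDs are constructed for the example; the version comparison is simplified to dotted numeric parts, the default severity for a range without one is an assumption, and the targetApplication qualifiers a real versionRange may carry are ignored.

```python
"""Check add-on (id, version) pairs against a Firefox-style blocklist.xml.

Added example for this thread, not Mozilla code. The blocklist document,
add-on ids and blockIDs below are constructed. Version comparison is a
simplified form of the toolkit's (dotted numeric parts only), and the
targetApplication qualifiers a real versionRange may carry are ignored.
"""
import re
import xml.etree.ElementTree as ET

NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# severity 3 = hard block (cannot be enabled), 1 = soft block (user may
# re-enable). A range with no severity is treated as a hard block (assumed
# default), as is an emItem with no versionRange at all.
SEVERITY = {"1": "soft-blocked", "3": "hard-blocked"}

SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <!-- hypothetical 'add the entry and you are done' block: every version -->
    <emItem blockID="i9999" id="example-vpn@example.invalid">
      <versionRange minVersion="0" maxVersion="*" severity="3"/>
    </emItem>
    <!-- soft block restricted to a version range -->
    <emItem blockID="i9998" id="old-toolbar@example.invalid">
      <versionRange minVersion="1.0" maxVersion="2.5.1" severity="1"/>
    </emItem>
  </emItems>
</blocklist>
"""


def parse_version(version):
    """'2.6.9.26' -> (2, 6, 9, 26); '*' -> None (unbounded).
    A part such as '0b2' is truncated to its leading digits."""
    if version == "*":
        return None
    return tuple(int(re.match(r"\d*", part).group() or 0) for part in version.split("."))


def compare_versions(a, b):
    """-1, 0 or 1 for parsed tuples a and b, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_in_range(version, min_version, max_version):
    """True if version lies within [min_version, max_version]; '*' is open-ended."""
    v = parse_version(version)
    lo, hi = parse_version(min_version), parse_version(max_version)
    if lo is not None and compare_versions(v, lo) < 0:
        return False
    if hi is not None and compare_versions(v, hi) > 0:
        return False
    return True


def load_blocklist(xml_text):
    """{add-on id: [(minVersion, maxVersion, severity), ...]} from blocklist.xml."""
    root = ET.fromstring(xml_text)
    entries = {}
    for item in root.findall("bl:emItems/bl:emItem", NS):
        ranges = [(vr.get("minVersion", "0"), vr.get("maxVersion", "*"), vr.get("severity", "3"))
                  for vr in item.findall("bl:versionRange", NS)]
        entries[item.get("id")] = ranges or [("0", "*", "3")]
    return entries


def blocklist_state(entries, addon_id, version):
    """'hard-blocked', 'soft-blocked' or 'not-blocked' for one installed add-on."""
    for lo, hi, severity in entries.get(addon_id, []):
        if version_in_range(version, lo, hi):
            return SEVERITY.get(severity, "hard-blocked")
    return "not-blocked"


def check_installed(entries, installed):
    """Apply the blocklist to a list of (id, version) pairs."""
    return [(addon_id, ver, blocklist_state(entries, addon_id, ver)) for addon_id, ver in installed]


ENTRIES = load_blocklist(SAMPLE_BLOCKLIST)

if __name__ == "__main__":
    installed = [("example-vpn@example.invalid", "1.2.3"),
                 ("old-toolbar@example.invalid", "2.5.1"),
                 ("old-toolbar@example.invalid", "2.6"),
                 ("unlisted@example.invalid", "2.6.9.26")]
    for addon_id, ver, state in check_installed(ENTRIES, installed):
        print(f"{addon_id:32} {ver:10} {state}")
```

The check is only as good as the client's last blocklist fetch, which is the gap rsx11m raises next: between an add-on being offered and its entry landing in the list, nothing here fires.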

rsx11m
Moderator
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted May 31st, 2015, 6:31 am

Yes, such things can be prevented with the existing blocklist mechanism. The only argument they might have is that users may run into the trap between the time that an add-on is offered and when it is blacklisted (which means their sledgehammer solution to assume that all non-AMO extensions are malicious by definition).

Frank Lion

Posts: 20311
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted May 31st, 2015, 7:15 am

rsx11m wrote: The only argument they might have is...

They might indeed.

I, of course, would then immediately point out that if the new signing system had been up and running a year ago, then Hola could have submitted their extension and it would have been successfully signed as recently as 4 days ago, as the abuse has only come to light since then.

You would then have a signed malicious extension in the wild for up to a year that could be installed on any current Firefox version, until such time that the signing midsum rejection bug for that extension had been fixed or, er, it had been added to the blockfile.

This remains the case. In other words, Mozilla will have to approve and sign non-AMO addons based on multiple criteria including acceptable Privacy clauses, which can later be abused.

To catch a thief, you have to think like a thief.

rsx11m
Moderator
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted May 31st, 2015, 7:50 am

Frank Lion wrote: Hola could have submitted their extension and it would have been successfully signed as recently as 4 days ago, as the abuse has only come to light since then.

Sure, if the review process doesn't work (and apparently isn't followed up upon as in this case), the signing requirement doesn't help a bit either...

therube

Posts: 19757
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 31st, 2015, 8:15 am

What about a "self-signed" extension?
Will that fly?
Should Hola sign their extension themselves (which they are able to do), not listed on AMO, will someone attempting to install that signed extension, from Hola, be hit?

And if so, what is the whole purpose of this "exercise"?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

LoudNoise

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted May 31st, 2015, 8:20 am

Sound and fury?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

rsx11m
Moderator
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted May 31st, 2015, 9:36 am

therube wrote: What about a "self-signed" extension?
Will that fly?

I'd think that you'll have to obey a certain certificate chain, so that shouldn't work unless you get some key (or whatever) from Mozilla to sign it yourself or your own key is accepted by the application.

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted May 31st, 2015, 10:51 am

I believe that "self signed" extensions have still been required to pass an AMO review since 3.6 days.

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted May 31st, 2015, 11:09 am

Here's an interesting edge case where signing isn't going to work: The author of this extension has been version-bumping the extension since *before* Firefox 4.0. Because of this, the install.rdf has a maximum compatibility from before Firefox 4.0. Which means that Firefox will *not* automatically accept it as compatible without the version compatibility download from AMO. Which means this extension cannot be installed from a file, but can only be installed from AMO directly.

viewtopic.php?f=38&t=2938349&p=14179895#p14179895

rsx11m
Moderator
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted June 1st, 2015, 8:35 am

That's confusing - on both Firefox 38.0.1 and SeaMonkey 2.33.1 Windows installations, all add-ons now have a "-signed" added, except for NoScript which stays at version 2.6.9.26 (last update on Friday, 29th) without the "-signed" in the displayed extension name.

So, what's special about NoScript, or did that update come after the signing was performed and wipe out the signature? I'm rather confident that I've installed it from AMO and not any "unofficial" source.

Frank Lion

Posts: 20311
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted June 1st, 2015, 8:48 am

rsx11m wrote: So, what's special about NoScript

Nothing and it's also signed - https://addons.mozilla.org/ru/firefox/f ... est.mf#top

rsx11m
Moderator
Posts: 14425
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted June 1st, 2015, 9:12 am

Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).
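
On what "signed" means on disk, tying together rsx11m's earlier point about the certificate chain and the manifest.mf comparison just above: an added Python example, not Mozilla's verifier and not code from any poster. It builds a constructed XPI with the META-INF layout AMO signing produces (manifest.mf with per-file digests, a JAR-style mozilla.sf carrying a digest over the manifest, and mozilla.rsa holding the detached PKCS#7 signature over mozilla.sf), checks the digests, and flags a payload file altered after signing or an XPI with no signature at all. The extension files and the mozilla.rsa bytes are placeholders; the example deliberately stops short of the one step that needs Mozilla's signing root, chaining the signature in mozilla.rsa back to that root, which is exactly what a self-signed XPI cannot satisfy.

```python
"""Integrity check of an AMO-style signed XPI (added example, constructed data).

Layout checked: META-INF/manifest.mf (per-file digests), META-INF/mozilla.sf
(digests over manifest.mf) and META-INF/mozilla.rsa (PKCS#7 signature over
mozilla.sf). The mozilla.rsa content below is a placeholder; verifying it
against the Mozilla signing root is the step this example does not perform.
"""
import base64
import hashlib
import io
import zipfile

SAMPLE_FILES = {  # constructed extension payload, not a real add-on
    "install.rdf": b'<?xml version="1.0"?><RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>',
    "chrome.manifest": b"content example chrome/content/\n",
    "chrome/content/main.js": b"// constructed extension code\n",
}


def _b64(digest):
    return base64.b64encode(digest).decode("ascii")


def build_manifest(files):
    """JAR-style manifest.mf: one section per payload file, MD5 and SHA1 digests."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}",
                  "Digest-Algorithms: MD5 SHA1",
                  f"MD5-Digest: {_b64(hashlib.md5(data).digest())}",
                  f"SHA1-Digest: {_b64(hashlib.sha1(data).digest())}",
                  ""]
    return "\n".join(lines).encode("utf-8")


def build_signature_file(manifest):
    """mozilla.sf: digests over the whole manifest.mf; this is what mozilla.rsa signs."""
    lines = ["Signature-Version: 1.0",
             f"MD5-Digest-Manifest: {_b64(hashlib.md5(manifest).digest())}",
             f"SHA1-Digest-Manifest: {_b64(hashlib.sha1(manifest).digest())}",
             ""]
    return "\n".join(lines).encode("utf-8")


def make_xpi(files, signed=True, tamper_with=None):
    """Build an XPI in memory; tamper_with names a file to modify after the manifest is computed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if signed:
            manifest = build_manifest(files)
            z.writestr("META-INF/manifest.mf", manifest)
            z.writestr("META-INF/mozilla.sf", build_signature_file(manifest))
            z.writestr("META-INF/mozilla.rsa", b"PLACEHOLDER-NOT-A-REAL-PKCS7-BLOB")
        for name, data in files.items():
            if name == tamper_with:
                data += b"\n// injected after signing\n"
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(manifest):
    """Return {file name: {algorithm: base64 digest}} from manifest.mf bytes."""
    entries, current = {}, None
    for line in manifest.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
            entries[current] = {}
        elif current is not None and "-Digest: " in line:
            alg, value = line.split("-Digest: ", 1)
            entries[current][alg] = value
    return entries


def verify_xpi(xpi_bytes):
    """Return a list of problems; [] means the payload matches the signed manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = set(z.namelist())
        for required in ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"):
            if required not in names:
                return [f"missing {required}: XPI is not signed"]
        manifest = z.read("META-INF/manifest.mf")
        sf_lines = z.read("META-INF/mozilla.sf").decode("utf-8").splitlines()
        if f"SHA1-Digest-Manifest: {_b64(hashlib.sha1(manifest).digest())}" not in sf_lines:
            problems.append("mozilla.sf digest does not match manifest.mf")
        entries = parse_manifest(manifest)
        for name in sorted(names):
            if name.startswith("META-INF/"):
                continue
            if name not in entries:
                problems.append(f"{name}: not covered by manifest.mf")
            elif entries[name].get("SHA1") != _b64(hashlib.sha1(z.read(name)).digest()):
                problems.append(f"{name}: SHA1 digest mismatch")
        for name in entries:
            if name not in names:
                problems.append(f"{name}: listed in manifest.mf but missing from the XPI")
    return problems


if __name__ == "__main__":
    print("clean:   ", verify_xpi(make_xpi(SAMPLE_FILES)))
    print("tampered:", verify_xpi(make_xpi(SAMPLE_FILES, tamper_with="chrome/content/main.js")))
    print("unsigned:", verify_xpi(make_xpi(SAMPLE_FILES, signed=False)))
```

Two consequences for the thread: the "-signed" suffix in the displayed name tells you nothing, only the META-INF contents do, which is why comparing manifest.mf settled the NoScript question; and a self-signed XPI can pass every check in this block and still be rejected, because the missing step is the chain from mozilla.rsa to Mozilla's root, not the digests.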

Frank Lion

Posts: 20311
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted June 1st, 2015, 9:31 am

rsx11m wrote: Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).

Sorry, I thought you had been following this stuff. Don't you recall this extension being one of them that was done on the failed AMO 'Black Friday' fiasco, when they were originally planning to swing over?

This one (version 2.6.9.25.1-signed) was suffixed back then - https://addons.mozilla.org/en-US/firefo ... /versions/
