MozillaZine

Attention all extension authors

Announce and Discuss the Latest Theme and Extension Releases.
supernova_00
 
Posts: 4659
Joined: June 24th, 2004, 8:03 pm
Location: Maryland, USA
September 3rd, 2007, 7:54 pm


mossop wrote: So I have just checked in #378216 [Firefox:Extension/Theme Manager] - Disable insecure extension updates by default.

What this means is that we are now enforcing a security restriction on all add-ons. To be specific, if an add-on does not provide a secure method of auto-updating then by default Firefox will refuse to install the add-on. If you have add-ons already installed that are insecure in this way then they will be automatically disabled.

The good news is that addons.mozilla.org already uses SSL for its updates, so any add-ons you have installed from there will be unaffected by this change. Equally, for any add-on authors who use SSL on their site, their add-ons will be unaffected. Personally I found 2 of my add-ons were disabled by it, that's 2 out of nearly 20, so hopefully you won't see a major impact.

For add-on authors there is an alternate way to provide secure updates without investing in an SSL key, involving digital signatures; unfortunately we've had to hold off on providing the software to make that possible until the backend changes were complete and reviewed. I hope to have something usable available not too long after M8 is released.
Source

So all of your extensions that are not hosted on AMO or hosted on a site with an SSL key will be disabled for everyone on trunk builds starting with the 20070904 nightly builds.
Last edited by supernova_00 on September 6th, 2007, 5:20 am, edited 1 time in total.
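
How the rule mossop describes can be checked against an add-on's install.rdf, as an added example that is not part of any post in this thread and not Firefox's own code. It assumes the manifest properties em:updateURL and em:updateKey, and that an add-on without a custom update URL falls back to the application's default update service; the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Constructed install.rdf skeleton; {extra} receives the update-related properties.
TEMPLATE = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    {extra}
  </Description>
</RDF>"""


def manifest_property(root, name):
    """Read an em: property of the install manifest (child element or attribute)."""
    for desc in root.iter(RDF + "Description"):
        about = desc.get(RDF + "about") or desc.get("about")
        if about != "urn:mozilla:install-manifest":
            continue
        child = desc.find(EM + name)
        if child is not None and child.text and child.text.strip():
            return child.text.strip()
        return desc.get(EM + name)
    return None


def update_security(install_rdf):
    """Classify how the add-on's update channel is protected."""
    root = ET.fromstring(install_rdf)
    url = manifest_property(root, "updateURL")
    if not url:
        return "default"   # assumption: no custom URL means the app's own update service
    if urlparse(url).scheme.lower() == "https":
        return "ssl"       # update manifest is fetched over SSL
    if manifest_property(root, "updateKey"):
        return "signed"    # plain HTTP, but the update manifest is signature-checked
    return "insecure"      # the case the new check refuses to install or disables


if __name__ == "__main__":
    for extra in ("",
                  "<em:updateURL>https://example.invalid/update.rdf</em:updateURL>",
                  "<em:updateURL>http://example.invalid/update.rdf</em:updateURL>"):
        print(update_security(TEMPLATE.format(extra=extra)))
```
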

tonymec

 
Posts: 396
Joined: October 15th, 2004, 2:58 am
Location: Schaerbeek (near Brussels, Belgium)
September 4th, 2007, 8:50 am


supernova_00 wrote: So all of your extensions that are not hosted on AMO or hosted on a site with an SSL key will be disabled for everyone on trunk builds starting with the 20070804 nightly builds.


There is a way to disable that check, but of course, if someone then abuses your confidence and replaces an add-on update by some malware, you're on your own. You've been warned!

The trick is: if, at startup, the preference extensions.checkUpdateSecurity is found to be false, then "insecure" extensions won't be auto-disabled. (Pref undefined means true.)

The test is still made, but not acted upon, other than to add the line "This extension does not provide secure updates", where appropriate, in the add-ons manager.
Last edited by tonymec on September 4th, 2007, 8:55 am, edited 1 time in total.
Best regards,
Tony

supernova_00
 
Posts: 4659
Joined: June 24th, 2004, 8:03 pm
Location: Maryland, USA
September 4th, 2007, 8:54 am


Yeah I know but thanks anyways. I was posting this so authors would know what happened in today's build and why users may be complaining in their threads that their extension is disabled. And also so the authors can get to work on submitting to AMO or getting an SSL key so all of their Firefox 3 users won't be screwed out of their extension.

tonymec

 
Posts: 396
Joined: October 15th, 2004, 2:58 am
Location: Schaerbeek (near Brussels, Belgium)
September 4th, 2007, 9:01 am


supernova_00 wrote: Yeah I know but thanks anyways. I was posting this so authors would know what happened in today's build and why users may be complaining in their threads that their extension is disabled. And also so the authors can get to work on submitting to AMO or getting an SSL key so all of their Firefox 3 users won't be screwed out of their extension.

Sure. :-) And I was posting this so that, for instance, extension authors who are using, let's say, mozdev rather than AMO, can still check whether their extension "does what it is meant to do" on the latest alpha and pre-alpha builds without jumping through too many hoops.
Best regards,
Tony

supernova_00
 
Posts: 4659
Joined: June 24th, 2004, 8:03 pm
Location: Maryland, USA
September 4th, 2007, 9:03 am


Ah ok ;)

steviex
Moderator

 
Posts: 28903
Joined: August 12th, 2006, 8:27 am
Location: Middle England
September 4th, 2007, 12:13 pm


Has this been CCed to the Addons Mirror.... ?
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -Albert Einstein

Please DO NOT PM me for support... Let's keep it on the board, so we can all learn.

IceDogg
 
Posts: 634
Joined: July 24th, 2004, 11:26 am
September 4th, 2007, 12:48 pm


Wow, I didn't know I had been using one that was insecure and I thought I had checked them all out. This is IMHO a great new feature. Thanks for the warning supernova_00.

The one is BBCode, is it maybe using mozdev instead of AMO?

tonymec

 
Posts: 396
Joined: October 15th, 2004, 2:58 am
Location: Schaerbeek (near Brussels, Belgium)
September 4th, 2007, 12:57 pm


steviex wrote: Has this been CCed to the Addons Mirror.... ?

There is a topic there (http://forum.addonsmirror.net/index.php?showtopic=6796) about this same problem, started July 2, with a link to the user subpage of the patch author (http://wiki.mozilla.org/User:Mossop:Fx-Docs:AddonUpdateSecurity) at wiki.mozilla.org. I'm going to add a link to here in that thread.
Best regards,
Tony

steviex
Moderator

 
Posts: 28903
Joined: August 12th, 2006, 8:27 am
Location: Middle England
September 4th, 2007, 1:07 pm


Good... Just making sure everyone is in the loop :)

I think this is just stopping a potential problem, before it actually does become a problem....
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -Albert Einstein

Please DO NOT PM me for support... Let's keep it on the board, so we can all learn.

tonymec

 
Posts: 396
Joined: October 15th, 2004, 2:58 am
Location: Schaerbeek (near Brussels, Belgium)
September 4th, 2007, 1:25 pm


steviex wrote: Good... Just making sure everyone is in the loop :)

Talking of the loop: there is also a thread, "Add-ons security restrictions" started slightly less than a day ago at nntp://news.mozilla.org/mozilla.dev.extensions by Dave Townsend aka Mossop, the author of the patch. (And yes, I've heard that NNTP links don't work in Fx at the mo', but that's a different problem.)

steviex wrote: I think this is just stopping a potential problem, before it actually does become a problem....

It's unclear to me how this change rates between foresight and paranoia, but let's make the information flow about what it's for and how to use it. A tool to help extension authors is announced but far from ready as yet, see https://bugzilla.mozilla.org/show_bug.cgi?id=394826
Best regards,
Tony

Old kmc
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm
September 6th, 2007, 2:12 am


..starting with the 20070804 nightly builds.

0904??

supernova_00
 
Posts: 4659
Joined: June 24th, 2004, 8:03 pm
Location: Maryland, USA
September 6th, 2007, 5:22 am


kmc wrote: ..starting with the 20070804 nightly builds.

0904??

Umm yep, sorry about that and thanks!

Old Michael Buckley
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm
September 8th, 2007, 12:14 am


Yeah it sure got through to Add-ons Mirror back when this was first announced. Jane (the admin) wanted me to explain everything I knew about it, lol. AMI does not provide updates, so it does not really affect them. It is almost funny (to me) that steviex asked since an AMI mod (tonymec) had already posted twice in the topic, not that you would have known that.

My main reason for posting is to say this same thread is running in the ext dev forum so you might want to look in there too http://forums.mozillazine.org/viewtopic.php?t=581858

IceDogg you might want to see http://codefisher.org/toolbar_button/format_toolbar instead of BBCode, it does use AMO for updates (and is written by me :) )
New Michael Buckley (http://forums.mozillazine.org/profile.php?mode=viewprofile&u=299802) account as old one was lost.

ChillerBaggins

 
Posts: 40
Joined: August 19th, 2007, 12:43 pm
Location: Western Australia
October 1st, 2007, 4:38 pm


tonymec wrote:
supernova_00 wrote: So all of your extensions that are not hosted on AMO or hosted on a site with an SSL key will be disabled for everyone on trunk builds starting with the 20070804 nightly builds.


There is a way to disable that check, but of course, if someone then abuses your confidence and replaces an add-on update by some malware, you're on your own. You've been warned!

The trick is: if, at startup, the preference extensions.checkUpdateSecurity is found to be false, then "insecure" extensions won't be auto-disabled. (Pref undefined means true.)

The test is still made, but not acted upon, other than to add the line "This extension does not provide secure updates", where appropriate, in the add-ons manager.


extensions.checkUpdateSecurity does not exist -- you need to add it.

Open a new tab and type about:config in the address bar - and go

Now right click on anything there and from the pop-up menu select > New > Boolean

Enter > extensions.checkUpdateSecurity and click OK

When it asks to set true or false -- set false. (Or you can right click on it anytime and set false)

All your add-ons will activate again and you'll get a warning message. If add-ons work, just don't update them for a long time.


:)


Edit::
Michael Buckley

I just downloaded your -- BBcode toolbar - make posting easy and fun - format-toolbar-0.1.2.xpi because it would not install!! It's not up-to-date on alpha builds - naughty xxxxx

Opened it up and changed it to version 3.0 finished product. Now install. Haven't tried if it works yet.

<em:maxVersion>3.0a4</em:maxVersion>

<em:maxVersion>3.0</em:maxVersion>

One thing, it makes another toolbar so I tried to move it up on a used toolbar. You cannot move the toolbar whole -- and have to move each item -- then you can get rid of your now blank toolbar. Be handy if you could move it in one go..


* I made the above little program in Turbo Delphi a while ago. But I just put the image in with YOUR image insert. So your toolbar is working for Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a8) Gecko/2007091216 GranParadiso/3.0a8

:) Thanx
|::|Windows 7 beta|+|ASUS M/B|+|intel E2180 2ghz O/C to 3Ghz|+|4gb Ram-3.5 used|+|ati 512mb PCIe O/C'ed|+|usb 4gb readyboost|:|

Old Michael Buckley
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm
October 1st, 2007, 7:55 pm


I know it works in the latest alphas because I have been using the 3a9pre quite a bit. With only 0.151% of my visitors using GranParadiso bumping it is not my top priority. I have disabled compatibility checking so it does not bother me. If you're into using betas you can try http://codefisher.org/beta/

Yeah I know it would be handy to move it in one go, that is planned for another extension :) but we are getting a bit off topic now ;)
New Michael Buckley (http://forums.mozillazine.org/profile.php?mode=viewprofile&u=299802) account as old one was lost.
