I created and maintain an extension that is used by visually-impaired people around the world (it has been translated by volunteers into Dutch and Chinese, for example).
Occasionally a Firefox update breaks this extension. OK, fine, that's the cost of doing business. Of course, the automated compatibility report that Firefox creates is utterly useless; it almost never catches the breakage. But that's a side rant....
There can be a decent turnaround lag (sometimes on the order of a few days) to get a new version of an extension reviewed by addons.mozilla.org. In the meantime, I have made a habit of building a new version of the extension and giving it to anyone who asks. Some people rely on it to use the web and can't wait for Mozilla to do their thing (another side rant: I once stupidly forgot to check in a key resource. I've since changed my development process to keep this from happening again. But the non-functional extension that I pushed passed Mozilla's review just fine. Makes me wonder how much value the review process is really adding.)
If I want to be able to continue this process, I will need to sign the extension myself (and who knows what histrionics Firefox will throw if a user tries to replace an extension with one that has the same UUID but a different signature!)
Hi, Mozilla developer here, speaking for only myself. I'm not sure why we don't make this clearer on the wiki page, but I think the reason there's no override is that any malware installation routine would simply activate it and continue on its merry way. (Disclaimer: I didn't work on this feature and am going by recollection and my own logic.)
We see many copies of Firefox infested with rogue add-ons the user didn't ask for or isn't even aware of. Sometimes these add-ons even ship with big-name software, with no opt out or with the opt out squirreled away in some dark corner. Typically, they do one or more of the following: (1) spy on the user, (2) add affiliate codes for money, (3) cause performance problems and crashes.
The network is a pretty hostile place these days. It's no longer 14-year-olds playing around for fun; there are moneyed interests in the game. And the sorts of people who don't frequent HN are pretty much helpless and clueless in the perpetual tug of war between various companies and mafias. As a "user agent", we have the opportunity to defend users who lack the sophistication to root around and remove invasive software they didn't ask for.
Of course, if you're reading this, you're in a different category. You have a better idea which software to trust, and you know how to scour your machine if something gets past you. That's why nightlies and the Developer Edition let you do whatever you want: you aren't the ones who need hard-coded protections to shield you from pref-twiddling installers.
I hope that provides some needed context. Safe surfing, all!
Why is this downvoted? These inbuilt add-ons might not be 'rogue', but are definitely the ones which many users didn't ask for, or aren't even aware of.
It's been a few months already, and Mozilla is still 'undecided' on what will happen to Enterprise add-ons.
The only two options you are giving us are:
1) Either remain on 'ESR' branch, which is always outdated, OR,
2) Reveal private Enterprise source code to you to get it signed (it might even be illegal for employees to do that).
Both of them could be unacceptable to many organizations.
> We see many copies of Firefox infested with rogue add-ons the user didn't ask for or isn't even aware of.
GoogleUpdate?
Why could Firefox not remove these extensions itself? I needed to remove some files from the hard disk -- I doubt john.doe will be able to remove such evils
Please excuse the rant tone, these things make me feel my intimacy raped
Mozilla does this from time to time for really egregious cases [1]. There is a high cost to staging the block. If the author is known there is a delay to try to get the author to ship a fix [2]. If it is unknown then the block can proceed rather quickly but the cost of changing the extension to avoid the block is usually cheap [3].
> but I think the reason there's no override is that any malware installation routine would simply activate it and continue on its merry way.
And what's stopping said malware installation routine from patching my firefox.exe or /usr/bin/firefox or whatever to bypass the signature check? Or patching the running program in-memory? How would it even access that checkbox? This concern seems a bit far-fetched to me.
The target is not illegal malware which, as you say, would do anything. But there's a vast amount of detrimental foistware doing malicious things (e.g. injecting ads, tracking) under legal cover because the user somewhere forgot to uncheck some light-grey box in an installer. Anyone tried to install something from Sourceforge lately?
Modifying the Firefox installation directory would get flagged by any anti-virus, but software using the defined extension points does not -- the user "agreed" to it.
Right, but my point is that if some bit of adware is capable of checking that box without being able to do far more nefarious things (like outright patching/replacing Firefox itself), then one particular symptom of that ability ought to be the least of users' - and Mozilla's - concerns; that indicates an ability to modify the execution state of a program during runtime, in which case probably nothing on that computer is safe.
That's a fair point. Thanks for the explanation. I think it's cool that Firefox has become mainstream enough to have so many non-tech-savvy users that Mozilla has to save them from themselves. I wish there was another approach, but I understand your viewpoint.
> If I want to be able to continue this process, I will need to sign the extension myself
This seems like a good approach to me. Instead of Mozilla itself signing developers' extensions, why can't Mozilla issue certificates so developers can sign their own extensions locally? If a developer turns rogue, Mozilla can revoke their certificate.
Because bad guys can just keep getting new certs when their old ones are revoked, unless you do identity validation (which costs money as it requires actual humans, so the certs can't be cheap or free).
> There can be a decent turnaround lag (sometimes on the order of a few days)
Actually, the link says
> Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds
You may be thinking of a different type of review process, the signing one sounds almost instantaneous.
That's for non-public add-ons. If you submit a public add-on, even a minor update, it has to go through the AMO bureaucracy. I currently have an update that was uploaded on July 10, 2015, and is at queue position of 64 of 137. There are no code changes; it's just being updated because Mozilla changed their build system.
This seems to be part of Mozilla's effort to be more like the Apple and Google stores.
I wouldn't think Chrome Web store is full of Malware. Yes, it's not free of those, but the bad ones are quickly removed by both Chrome's policing, and users' flagging. That's how Mozilla should go forward. The problem with manual reviewing is, it depends on the 'volunteers' time availability, and a stupid Review system which is NOT FCFS. You are told you are 37th out of 150 in the queue, but you see that you either remain at that position while others are being approved, your queue position goes both up and down, and sometimes your add-on is instantly approved even when you are 100th in the queue. All this takes many days even if your users are waiting for a critical fix. This is the biggest turn off in uploading add-ons for Firefox.
You can sign the addons and distribute them on other channels. If you want to have it on AMO then it takes a while to review. The process is done by volunteers.
This is one of the things which is frustrating about Mozilla.
I love that they stand for open protocols, free software and user privacy, but I don't love what they prioritize.
Reviewing extensions is critical to their user-experience.
If this really doesn't have a team of paid staffers, that's unfortunate.
I don't use many extensions but I'm finding I have to use more as Mozilla remove features from Firefox.
For example you can no longer set the User Agent string on a per site basis natively in Firefox preferences [0]. This would be very handy to force HTML5 video on BBC News when you don't want to install flash [1]. I only discovered this setting was deprecated by finding that bug report whilst researching the blog post.
I disagree. Having no PDF viewer is more secure than having a PDF viewer.
I'd have no problem with Mozilla releasing a separate PDF viewer, either as an extension, a standalone application or even a Web site. I also have no problem with Mozilla setting Firefox's default PDF application as a stub which downloads their separate viewer. But it shouldn't be built in to Firefox.
In any case, it is not the job of a Web browser to subvert the user's OS setup.
> I disagree. Having no PDF viewer is more secure than having a PDF viewer.
No, because that means you still do have a PDF viewer, but it's whichever the user has installed, most likely Acrobat, which is vulnerability-ridden.
> But it shouldn't be built in to Firefox.
Why shouldn't it? Browsers aren't limited to HTML. They also support plaintext, SVG, many image formats, XML, and so on. What's wrong with supporting PDF?
> No, because that means you still do have a PDF viewer
I didn't say "having no PDF viewer in Firefox", I said "having no PDF viewer".
> Browsers aren't limited to HTML. They also support plaintext, SVG, many image formats, XML, and so on. What's wrong with supporting PDF?
I would call that feature creep; even so, there are still a few differences:
HTML provides mechanisms for embedding images[0], so trying to support some common formats in the browser is a reasonable approach. A better approach would have the OS handle image formats, eg. like the datatype mechanism in AmigaOS[1].
The example image formats at [0] include single-page, non-interactive PDFs. Supporting such an image format might be reasonable, although I've never seen such a thing used in the wild. That's not what Firefox provides, though. Instead, it provides a whole application embedded in a tab, with a GUI for navigating around documents. The equivalent analogy for images would not be the facility to decode the format; it would be the bundling of a whole image browsing GUI like Gwenview[2], which I certainly would object to. As it stands, FF treats a standalone image file as if it were a standalone img element, which is perfectly reasonable. The same goes for plain text, which FF effectively treats as if it were in a pre element. Again, it doesn't provide a special application for navigating text files.
SVG is also specifically mentioned in the HTML spec[3], hence providing browser support for SVG isn't straying too far from providing support for HTML. Again, FF doesn't provide an embedded GUI application for navigating SVGs (unless you count the Web Inspector stuff, which also has no place in the browser and should be either a separate extension or rolled into Firebug).
XML is just a syntax, which browsers need to support if they want to support XHTML[4], in the same way they need to support UTF-8 as a syntax for representing the text in HTML documents. Hence it's completely in-scope.
How is having a built-in PDF viewer more secure than downloading the PDF and viewing it in Adobe Reader or Foxit? Is it just that those readers have vulnerabilities that Firefox doesn't?
Yes. The Firefox viewer sits on top of the JavaScript sandbox, which is the same sandbox that has to withstand attacks from pretty much everything on the internet and has been very hardened over the years (same for other browsers).
Ironically it had a vulnerability last week, but that's ONE and that's why it got so much attention. Adobe Reader and similar have had hundreds.
Allowing people to implement viewers for file types that run in the sandbox as plugins seems like a good idea then. Not that I mind that a PDF-viewer is already built in, but firefox can't support all file types.
Opera had this feature before it became yet-another-WebKit-clone. A lot of other settings were per-site too.
It's very useful for sites that complain or even block you from visiting depending on your browser, which you'll undoubtedly find if you venture far enough on the Internet.
Sometimes. With the new ultra-frequent release cycle, as a volunteer maintainer I don't always have the time. And sometimes it breaks in ways that are not visible to me (I run Linux, for example, so bugs that show up on OSX or Windows only are going to be caught by users. These are few and far between, but have happened.)
Super noob question: Would it make sense for FF to realize a version which an extension is approved for? You create an extension capable for 1.0, they release 1.1, any client who has 1.1 has the extension automatically disabled? Assuming this is your business and you don't mind going through the approval process, then your users would have a better experience with this process no? Being notified they simply can't use it yet?
To note, there is a client-side workaround that allows whitelisting of ALL unsigned extensions (they might consider creating a whitelist of UUIDs or something "humans" can handle like the name of an extension). I was able to change the following and uBlock and Ghostery immediately started working in the "Aurora" build: go to about:config ; set xpinstall.signatures.required = false
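An added example, not part of the thread: a defender-side audit in Python that reads a Firefox profile's `prefs.js` and `user.js` and reports whether `xpinstall.signatures.required`, the preference named in the comment above, has been set to false. The file contents in the demo are constructed samples; the code assumes the standard `user_pref("name", value);` line syntax, with `user.js` applied after `prefs.js` at startup.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"  # preference named in the thread

# Profile preference files hold one setting per line: user_pref("name", value);
_PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, commented-out prefs
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')  # string preference
        prefs[name] = value
    return prefs


def audit_profile(files):
    """Classify the signature-enforcement setting of one profile.

    `files` maps "prefs.js" / "user.js" to their text. user.js is read last
    because it overrides prefs.js every time the browser starts.
    """
    value, source = None, None
    for fname in ("prefs.js", "user.js"):
        prefs = parse_prefs(files.get(fname, ""))
        if PREF in prefs:
            value, source = prefs[PREF], fname
    if value is None:
        status = "default"      # never overridden in this profile
    elif value is False:
        status = "disabled"     # someone or something switched enforcement off
    elif value is True:
        status = "enforced"     # explicitly set to true
    else:
        status = "unexpected"   # wrong type for a boolean pref; inspect by hand
    return {"status": status, "source": source}


def audit_profile_dir(profile_dir):
    """Read prefs.js and user.js from a profile directory and audit them."""
    files = {}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            files[fname] = path.read_text(encoding="utf-8", errors="replace")
    return audit_profile(files)


if __name__ == "__main__":
    # Constructed sample: prefs.js as the browser would write it after the
    # about:config change described above.
    sample = {
        "prefs.js": (
            "// Mozilla User Preferences\n"
            'user_pref("browser.startup.page", 3);\n'
            'user_pref("xpinstall.signatures.required", false);\n'
        )
    }
    print(audit_profile(sample))
```

On builds that ignore the switch, a `disabled` result still records that something tried to turn enforcement off, which is worth following up alongside the list of installed add-ons.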
Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.
The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties. (And of course to use, copy, and redistribute.) This is a sharp turn away from the free-software ethos that made Firefox possible in the first place.
I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.
If this disturbing move sticks, Mozilla will become an increasingly tempting target for whatever group wants to control what software you can install on your own computer — whether that’s Sony Pictures, the NSA, or Amazon.
The old free software movement has died. We need a new free software movement.
In addition to the "en-US locale only" restriction, I wonder if unbranded builds will be made available for non-desktop platforms. I would like to run my own extension, or that of the company I work for, on multiple platforms and especially without having to share proprietary source code with Mozilla et al.
I think they removed alternate signature checks from the base code (may affect other browsers), and the preference to disable Mozilla signature checks is a global switch. So they've made things even harder than they have to be for those who don't want to comply with the new model.
According to Mozilla, they have to do this because a user who has control of their OS might install malware and might grant it root/admin privileges. Such malware could not only tamper with extensions, it could tamper with the permission and preference systems and other key components and files. IOW, if Mozilla continues to pursue this policy, we may be looking at the beginning of a more comprehensive lockdown of Mozilla applications.
It might be wise to try to hold the line somewhere. In general, we aren't going to be more secure if we allow ourselves to be locked into simplified configurations that suit the mass market.
Perhaps they assume that to program enough to write an extension, you need to learn English. I’ve met people here in Argentina who say that. My view is that, even if that is the status quo ante (and I’m not sure it really is) it’s a status quo we must disrupt, not ossify.
China [1] and Brazil [2] feature strongly non-English developer communities. Regardless, keying such features to a language is just painfully ignorant. On a closer look though, it appears that beside the developer edition having the setting, the unbranded version will only be released for en-us.
ESR has some bits about "Learn English if you want to code" - but politics of it aside, this isn't even about coding. This is about using a plugin that someone has not signed (like, for instance, RES for Chrome which for the longest time did not have a Store entry iirc).
Wise words, kragen. With the excuse "you need English because" a new form of imperialism is in the making. And what is worse, is that this attitude is often self-imposed.
Because there is no such thing as “English, the lingua franca”; changing the name does not change the content.
We should stop self-deluding ourselves in believing that English exists in a geopolitical void. English is the language of the anglosphere, and speaking English is a huge favor to those economies, and that comes with a sense of cultural inferiority as well, in many peoples.
There is a such thing as "English, the lingua franca" no matter how much one tries to will it away.
Aviation is a curious industry. English is commonly spoken between flight crews and ground stations world wide (with few but notable exceptions). Circumstances where the English meaning of a word wasn't well understood by the flight crew or the wrong words were spoken have, on occasion, led to disaster--Avianca Flight 52 [1] comes to mind, among others.
I simply cannot agree that mutual intelligibility is bad simply on the merit that it somehow creates a "sense of cultural inferiority."
It sounds like you're saying that using English as the lingua franca of aviation puts at risk the lives of flight crews for whom English is not a native language, as well as their passengers. This seems like a good example of how English-as-lingua-franca gives special worldwide advantages to native English speakers.
What I'm suggesting is that having a standard for communication is less likely to put lives at risk. I can't help but wonder if you're invoking Poe's Law by advocating from what is arguably an extremely fringe standpoint.
Otherwise, the alternative would be to require air traffic controllers to learn a dozen languages, and then you wind up with an even worse problem than having everyone settle on a single language with codified standards.
This sounded super weird. But I guess what you are referring to is that they will only release en-US-localized builds of the "unbranded firefox" editions. That I can understand, the logistics of building and shipping all the i18n editions for an off-brand build is probably significant.
This requirement is ridiculous, a lot of developers can't speak English at all. And what about British English? Is it not as good as American English for development?
> The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties.
You've been on HN for over six and a half years. Surely you can't be this jaded or obtuse?
That freedom is absolutely, unequivocally preserved: The entire source to Firefox is available under OSI-approved libre licenses.
APIs change, but the freedom of the software isn't determined by its exposed APIs, but by your ability to exercise the Four Freedoms enumerated by the FSF at http://www.gnu.org/philosophy/free-sw.html. Debian exercises these freedoms with every build of the IceWeasel browser from Firefox's source.
I'm not jaded, and as to whether I'm obtuse, I have to let the other commenters judge.
I agree that, yes, in theory, you legally have that freedom. But if Mozilla thought users were practically able to exercise that freedom, there would be no way for them to impose a change like this; all the users would switch to a fork. In practice, maintaining a fork of a major active software project is a huge amount of work and easy to do poorly (think of the Debian OpenSSL hole), and nearly all the people qualified to do it work at Mozilla or are burned out. And Mozilla, if they want to make it harder to maintain a fork, has a wide variety of strategies at their disposal.
(In case it matters, I'm typing this comment in Iceweasel!)
As a side note, it seems to me rather in poor taste to attack my intelligence in the first line of your comment, and suggests that you think your arguments won't stand on their own merits.
I apologize for the disparagement; I was miffed at your statement that "only US English speakers will be allowed to disable this requirement," which completely misrepresents the situation, followed by doubt about Firefox's status as F/OSS. Instead of ascribing that to malice, I should have assumed good intent and that the communications from our end were unclear.
As to the English issue, we have absolutely no intent to restrict the signature opt-out to English speakers.
Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings. Additional locales can be added at any time through https://addons.mozilla.org/firefox/language-tools/.
For users that want to disable verification without installing a language pack, the Developer Edition and ESR builds will always allow for opting out and will continue to be released with a full complement of pre-compiled locales.
As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt, which has been the case since version 0.6 in 2003. These signatures are tools to ensure integrity and provenance, not to restrict your freedoms. Much like with the secure apt initiative, it's entirely possible for users to opt out of these protections after jumping through minimally invasive hoops.
Oh, hey, yep. Tripping over my own ignorance there.
I didn't realize that latest-mozilla-central-l10n/ subdirectory existed; I've always gone straight for latest-trunk/, which it turns out is a symlink to latest-mozilla-central/, which only contains the en-US builds. Thanks for pointing that out. I'll file a bug to get https://nightly.mozilla.org/ updated to point to the localized builds.
> As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt
Said parallel is imperfect. With APT, you can add custom signatures (say, if you run a private or organization-specific repo). AFAICT, Firefox offers no such capability.
Thank you for clarifying, but I am still very skeptical.
I would have no problem with signature verification if, as with apt, users can decide which keys to trust. (And you don't have to download a whole new copy of apt to do it!) But the intent of this announcement seems to be that Mozilla will prevent users from doing that, on the theory that they will make bad choices. Well, some of them will!
But it's far more dangerous to take those choices away from them — that guarantees that they're trusting the wrong company.
Mozilla have been doing odd things in recent years, almost like they are transitioning into an authoritarian movement. Want to use unsanctioned extensions? No, go away. Want to use non-secure HTTP? Sure, but we will take away your features. Want to work for them but have unapproved views? Fired. All this is from viewing them as an outsider, so you never know, but something is different.
There was a large outcry, then he resigned. His resignation can be directly traced to his views. Whether he was technically fired or "decided" to resign seems largely irrelevant.
> I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.
I think it's just another battle in The War on General Purpose Computing. I like to keep this quote in mind: "Freedom is not worth having if it does not include the freedom to make mistakes."
> only US English speakers will be allowed to disable this requirement
You can install any non-English locale (language-pack) on top of Firefox. I do that (because I want to be able to switch from a language to another). So it is a two-step installation.
> The old free software movement has died. We need a new free software movement.
There is nothing wrong with the free software movement just because someone does something disagreeable---that's like saying there's something wrong with your operating system because you have malware on it.
"Firefox Puts You in Control of Your Online Life".
The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?
WTF people. So much hate for Mozilla these days, this appears to be a pitchfork group.
Let's review what the article says: addons needed to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.
You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort by the part of the developer but it also helps prevent some security issues.
Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.
The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.
Heck, this is an improvement to security. You can opt out by moving to a different Firefox version, there are three versions you can use, DevEdition, Nightly and Unbranded. If you opt-in you have an extra level of confidence in the addon you're installing.
Developers take only a couple of seconds to submit and retrieve back their addons and the added bonus for security is great. This will prevent those pesky spyware/malware from hijacking your browser which is a problem faced by many users that are not as tech savvy as this crowd here.
Mozilla will certainly continue to sign my piracy-enabling add-on that is perfectly legal in many jurisdictions worldwide, even after a US court ordered them not to sign it explicitly?
I also heard mozilla got an NSL for my "Ed Snowden for president, Find out more on wikileaks" add-on, or rather, I didn't because NSL.
Then again, I hear a broad coalition of human rights, LGBT and feminist groups lobbying mozilla not to sign my "Find nearest public stoning near you - Saudi Arabia Edition" add-on any more, effectively blacklisting it worldwide. But mozilla will keep to their promise not to blacklist my stuff and my regular users can still use my add-on, right? The creator of Javascript and mozilla CEO Brendan Eich will make sure of it... Oh wait...
Yes, those examples are a bit contrived, but actually not that much over the top. Also, please note that I do not necessarily condone these things ;)
My point being: Security through tech-enforce policy is nice and has a lot of upsides as you say, I agree, but it also may have downsides you aren't even aware of.
You understand that the addon signing process is automated, right? Addon signing is not the same as AMO review. You can sign your addons and distribute them on other channels if they don't match AMO review criteria.
You do understand that mozilla still could reject certain add-ons, even when only to be signed to be hosted elsewhere, and in fact they do:
> Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days.
Right now, the automatic signing will probably only fail if malware is detected. The "Right now" part is what worries me a bit, tho.
It's not "hatred" you're seeing. It's exasperation after repeated disappointment, so much of it totally unnecessary.
Many of us have been using software from Mozilla, and Netscape before them, for decades now. Generally we've been happy with the software. We were more than happy with earlier versions of Firefox, in fact. But lately we've seen changes made that have not benefited the users of Mozilla's software.
Your comment actually describes some of the problems we're talking about. Users and developers now have to jump through one hoop after another just to get a basic installation of Firefox working.
It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.
Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.
Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.
Firefox used to get better with each release. A new release of Firefox was something we'd look forward to. But lately, each new release of Firefox has brought us new problems to deal with, without bringing any notable improvements.
Repeatedly disappointed people will express their disappointment. Don't misinterpret it as "hatred". See it for what it is: disappointment!
Thanks for keeping it civil. I will address some of your comments in the best way I can.
> It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.
The Web Platform advanced a lot in the last few years. A lot has been added to browsers. They are no longer a simple HTML engine with some CSS and bad JS engines. Browsers these days are almost their own operating systems for good and bad. They have so much stuff going on between all the multimedia features, multiple JS engines and compilers, there are lots of stuff going on. Browsers are larger because the Web grew a lot (not in the sense of size but in complexity)
> Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.
Firefox has always been customizable and the about:config feature enables lots of under the hood tweaks that are not possible everywhere. Making Firefox your own is part of what makes it great. It's a browser you can change to suit your needs, that's less common than people think. Your needs are not the same needs of others. As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.
> Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.
Please don't mix addon signing with AMO review; they are different processes with different objectives. Addon signing happens in seconds because it's automated. The signed addon is returned to you in seconds and you're free to distribute it as you see fit. Now, if you want to have your addon on AMO then you need to submit to AMO review, which may take a long time due to the lack of people and the overall complexity of reviewing that type of code.
> As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.
Okay, I want a branded Firefox. I don't want to run a dev edition or nightly. My choices are stable or beta. I probably don't even want beta, but it doesn't really matter. So, I don't really have a choice here.
I can see why signed extensions are a good thing, but removing the option from about:config is unnecessary.
What is the rationale behind removing the configuration switch, though? Is there supposed to be some contingent of users who are not sufficiently tech-savvy to be trusted with choosing their own add-ons, but sufficiently tech-savvy to go and edit something in about:config, which really needs to be protected from their own stupidity? This sort of "mother knows best" approach is something I would expect from Apple, not a company that claims to put you in control.
Nightly comes with obvious stability and security problems; I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date at the same rate or comes with some presets regarding UI layout or otherwise that are annoying to someone who is not intending to primarily use it as a testbed.
Chrome tried that "configuration switch" before, and what happened was malware would find and flip that switch as one of the first things it did once installed.
Then it would work like it used to (installing bullshit extensions, wrecking the browser overall, and being damn near impossible to remove)
So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?
In other words, if malware can open up the configuration of a separate program and alter it, then malicious browser addons are probably the least of your worries.
> So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?
Plenty of malware runs as the user rather than the admin, so they can install an extension in your profile or change a config setting but cannot rewrite the Firefox binary without an additional exploit.
Similarly, code signing is increasingly common so an attacker who wants to replace Firefox would need to have their own signing certificate and that offers a way to track down the malware authors.
Yes, none of this works against a complete system compromise but security is all about defense in depth. It would be irresponsible not to protect millions of people just because you cannot do so perfectly.
So why isn't that checkbox / configuration option / etc. under the same protections? If malware's able to check that box to say "yeah, Firefox, unsigned extensions are okay", then it's surely able to wreak all sorts of other havoc (turning off the pop-up blocker, changing the homepage, redirecting "youtube.com" to "redtube.com"... these are just the mundane things). I can't imagine that Mozilla designed Firefox to be externally configurable by malware running under a user context.
Well without having the signing key, you can't sign anything that will "change", so any of the configuration options are either baked into the executable (and signed) or they are in a config file (in chrome's case an SQLite file, not sure about FF).
And malware can do all sorts of nasty stuff when it's installed, but the issue with extensions specifically is that they are synced and they can run arbitrary code, so malware that can install one on machine A will instantly infect any other machine that firefox is synced to, as well as silently re-installing if you try to remove it. Plus the extension itself has the ability to download and run additional malware.
I saw a particularly nasty setup one time that a chrome extension downloaded a payload and ran it which would re enable/reinstall the chrome extension if it was removed, and the extension would reinstall the payload if it noticed it was missing. The only way out was to either wipe the chrome profile and machine, or be really quick and remove both of them at the same time.
It's obviously not an ideal solution (to block all unsigned extensions), but when the options are:
1. Let malware run rampant unable to really combat it in any way (while letting it use your software to spread)
2. Castrate the entire extensions system to make them 'safe' (basically turn them into glorified web pages with the same restrictions and all)
3. Disable unsigned extensions and play the whack-a-mole game in a way that you can actually win it.
The option which works out the best for the vast majority of users is number 3.
My point is that those aren't the only three options.
4. Have the browser executable perform some sort of integrity check on the settings file to detect if it's been tampered with by something that isn't the browser (which admittedly isn't robust, but it's a start and eliminates at least the more simplistic malware).
5. Implement encryption on the settings file so that it can only be read or modified if unlocked with a user-configured passphrase (such as that used for Firefox Sync).
6. Use an additional config file with the same permissions as the browser executable (i.e. requiring administrative privileges to modify) for critical security settings like whether or not unsigned extensions may be installed, thus preventing user-level malware from editing it.
7. Don't sync extensions automatically (as a Firefox user with several machines, extension autosyncing is actually more annoying than it is helpful; I'd really like to be able to selectively sync certain extensions - like Tree Style Tabs and Greasemonkey - while keeping others (like themes) local to specific machines). This solves the problem of malicious addon propagation that you mentioned, since said propagation would require user intervention.
5, 6, and 7 would be much more useful in Firefox than Pocket/Hello integration, builtin PDF readers, or any of the other cruft that's started to creep in. In fact, I'm pretty sure 6 is already possible through that enterprise configuration addon (I know firsthand that it's possible to have settings locked down to administrator-only access through that).
Regardless, my other point is that by default, if malware can manipulate Firefox' settings, it can manipulate other things that are just as bad as malicious extensions (like one's stored passwords). It's already possible to mitigate password storage risks by setting a passphrase on one's password cache, so I see little reason why #5 shouldn't be possible, too.
> I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date
Dev Edition is kept up to date. If you check Firefox Versioning workflow, you will see that Firefox DevEdition replaced aurora which was the version between nightly and beta. It's kept very up to date; there are daily updates on the Dev Edition channel. Also the Firefox UI is fully customizable, just click the menu icon in the toolbar, choose customize and start replacing things you don't like.
Firefox users see through this feel-good marketing nonsense from Mozilla.
They've seen Firefox's UI change for the worse in so many ways, even in the face of wide opposition.
They've seen unwanted bloat, like Hello and Pocket, forced upon them, again in the face of wide opposition.
They've seen their requests for bug fixes and performance improvements go unheeded, sometimes for years.
The easy use of extensions has been the only thing keeping many of these people using Firefox. They've been using many extensions to undo, as much as is possible, the unwanted changes that Mozilla has made.
I use Firefox Nightly, and was recently surprised when, after an update, some custom extensions I had written myself were not loading, and could not be easily enabled. When I found out it was due to this, and I had to start adjusting about:config settings, it was nearly the last straw for me.
I don't want to use another browser, but it's like Mozilla is doing everything in its power to make using Firefox a bad experience for me. I know I'm not alone. We've already seen Firefox' share of the browser market drop from well over 30% to a level of around 10% today, if it isn't actually lower than that.
It's truly sad to see what's happening to what was once such a great browser.
You're being pretty grim. Hello is fucking awesome, and while I don't use Pocket it isn't the end of the world. Firefox isn't Lynx, but even as a Unix guy I enjoy and appreciate it. I also appreciate that they're trying to be more attractive to the masses, which is societally beneficial.
As you do, I have a lot of programs and extensions installed on my machine. How about you install them all on yours? Come on! Don't be grim! They are fucking awesome and if you don't use them it's not like it is the end of the world :^)
It's funny, one of the other top comments here is about how many features Firefox is removing. Vital, core stuff, like being able to set custom user agents for specific domains...
I think the real reason many people are angry is that their demographic isn't catered to. I'm part of that demographic, and it does annoy me sometimes. However, unlike Debian/systemd, I find the tradeoff definitely worthwhile.
True. However, what I have found in general is that I have been spending more and more time tweaking and fiddling with Firefox to make it work the way I want it to, i.e. similar to the way it was in the past, with no Pocket for instance.
It is really annoying to have to watch the Firefox news and other channels to get this kind of information, reason about it, and then make my choice regarding what to do.
Browsers for me are a tool to get my work done, and I don't want to spend my time shaping my browser every time some people in Mozilla decide to change something.
There are two solutions I see:
1. The cynical/pessimistic one: the web is broken, all browsers fail to various extents, and one needs to pick one's poison - Firefox is the least of evils, hence I will continue using it with increasing dissatisfaction.
2. The optimistic one: Firefox and Mozilla will eventually get back on track, and revisit their old values - I find this harder to believe as time passes by.
> Hello and Pocket are just two buttons in a toolbar which you can remove.
I would have preferred to see bugs fixed, rather than features that undeniably belong in extensions. Even if it'd been issues that don't even affect me.
At least in the case of Pocket, the current browser marketplace seems to disagree: Chrome is the only major browser without a built-in reading list. When it came time to add similar functionality to Firefox, we could either build and maintain our own service and integrations, or we could partner with an established player with sane privacy and data access policies.
We chose the latter. Pocket is already integrated into literally hundreds of applications, and it started life as a Firefox add-on. Embracing that is a reasonable choice in terms of utility and sustainability, as Pocket themselves are already maintaining SDKs and applications on all major platforms.
(Why this is built into the code and not shipped as an add-on was, iirc, an architectural quirk that will hopefully be rectified.)
I'm a Firefox user on all devices and am fine with the UI and don't know what Hello or Pocket are. It has gone through periods of bad choices and bloat before but has been cleaned up over time. I fully expect this to happen again with more annoyances greater than this one. And I still prefer to use it because I support its aims and it supports mine.
See, therein lies the problem. I use Firefox because of our mutual views (and the extensions) and there is no competition in that field. Chromium is too pared-down (no sidebar is basically a killer) and I don't want to support a webkit-centered internet.
I don't remember Firefox being well over 30%. The highest I've seen them had been 27%.
That said I can see how users don't like Mozilla's attitude. I've actually noticed it as far back as Firefox 3.5. I know users didn't like the changes post Firefox 2.0. It's too bad Firefox wasn't componentized enough to separate UI from the layout engine and JavaScript engine.
I myself like Australis but I'm also someone who's loved Chrome from the beginning. That said I think it was a mistake to turn Firefox into Chrome. They should've released Australis as a separate browser like they did with Firefox in the Mozilla Internet Suite days. That way they wouldn't have alienated so many users and their core user base would've been secure while they experiment with big user facing changes.
These days I'm more disappointed in what they didn't add to the browser like built-in ad-blocking and tracker blocking. I understand they have this view that the web needs ads but that doesn't mean it needs third-party ad networks. Just like popups they degrade the user's experience. More importantly they also compromise the security and privacy of the user. Clearly they are a practice that should be fought against. That they haven't tells me they are no longer an advocate of the user but the site owners.
I don't understand why Mozilla is trying to control the ecosystem. It's an open source product. Why does it need to be locked down like this? Who do they think they are protecting, or even helping, with this?
Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.
Arguably this change might give users more control: Trojan horses can no longer secretly side load malware.
> Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.
You could argue that as long as users can still download a disk editor and change any byte of the disk on their machine they still have control (in fact patching out this signature check could probably be done with a single-byte change to the binary...); the problem is when this control is made more and more difficult.
Ah, feels like they're following Chrome's example, which decreed that it should be exceedingly difficult for Windows Chrome users to install extensions from somewhere other than https://chrome.google.com/webstore/ . This basically killed an internal app we had at work (a fork of a "REST client", with some added request-signing features specific to our internal APIs.) There was no strong reason to keep it secret, but there had previously been no need to put it in the store either, and there was a $5 charge to publish in the Web Store, which I didn't feel like dealing with.
Anyway, they are both measures taken to stop malware, by taking an option away from the user, that most users won't even notice, but many "power users" will be inconvenienced to varying degrees. I'm guessing Firefox's won't be as bad, since the "developer version" that will let you keep doing the old way probably won't differ from the normal version as much as Chrome's does.
This is the exact reason why I moved to Firefox from Chrome back when Google started tightening the noose around developer mode extensions. I had written a few extensions for my own personal use and had no interest in putting them up in the Chrome Web Store. This was fine and good until Google decided it was A Bad Thing and Chrome started popping up annoying warning windows on every startup and then eventually disabled my extensions entirely.
I switched to Firefox since it let me have more control over my own browsing experience (and gave me a good excuse to extract myself just a little bit from the Google hivemind). I'm extremely annoyed to see that Firefox is now going down this route too.
There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS if you're so inclined. You can use: Nightly, Dev Edition, Unbranded Stable and Unbranded Beta. All of which have a switch that you can set to disable addons signing requirement.
In contrast there are only two versions where this is a requirement, Stable and Beta. If you doubt the usefulness of this you haven't seen a browser being hijacked by malware overriding search results, inserting all types of toolbars and more. This will prevent malware from sideloading extensions. And this is good.
The signing process is not the same as the AMO review process. The process takes only seconds and the signed addon is returned to the developer. They can distribute as they see fit.
Now, let's face the fact: Simple signing process that takes only seconds and will help prevent lots of malware, not the most nasty ones but a huge lot of sideloaded crap. Four versions of the browser for those power users who want to disable this.
Now, can someone explain to me without hate why this is a bad thing?
> There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS
While that may be true, requiring that you run a non-standard version of Firefox to be able to use "random" extensions will probably have a chilling effect on the Firefox extension ecosystem.
You will be able to run a "random" extension if the developer cares enough about it and about the new security procedures to sign it. After all, it takes only a couple of seconds for the signing to work.
The versions I quoted are not non-standard. They are all versions of Firefox being worked on and with all the relevant teams. All those versions eventually become Firefox Stable and after that becomes outdated and a new release is now current. Versions go from Nightly -> DevEdition -> Beta -> Stable. Each version has some tweaks, for example DevEdition is where they seed and test new devtools. Which means that for the developers, that's the best edition to develop with (still test on the other versions).
Do you understand that the Unbranded Stable version and Firefox Stable version have the same codebase? You can use that version for testing or if your users don't want signing they can move to that version. They lose the cute icon and branding but the code is the same.
I think you missed my very clear point: now it's not enough to just run Firefox. You need to ask for users to run the "right" version of Firefox.
Telling people what browser to use is user hostile behaviour. Users will not bother. Non-official extensions will get less interest. Authors will see a smaller user base and have less interest in writing new extensions.
How does this policy interact with greasemonkey, an extension that allows running random JavaScript on sites with access to the extension API? You could write your malware as a greasemonkey extension, convince a user to install a signed greasemonkey release, and then convince them to install your malicious extension.
I was only commenting on the "trivial build or not" part.
You're right that there are plans to have official "unofficial" release and beta builds without signing requirements, but only for the en-US locale (yes, language packs exist, no, not every developer on Earth speaks English)
I had to flip that setting this morning when dev edition updated and disabled the 1Password extension. It's "xpinstall.signatures.required", for reference.
Did they say why beta wouldn't have this setting? If anything beta is closer to release and developer would target that. Developer edition is still nightly if I'm not correct?
Generally, beta is supposed to be almost completely identical to the release version, to ensure that what gets shipped to release users is tested. This particular pref seems harmless, but you never know.
Developer edition is what used to be known as "Aurora", which is in between Beta and Nightly.
I think they want to encourage wider adoption of the Beta version, so they treat it similarly to the Release. The logic seems pretty questionable to me though. If you can install a Beta version of Firefox, you should be able to avoid consenting to allow malware to run on your computer (this change is primarily targeted at extensions installed by some user action -- like something silently side-loaded by an application installer).
I don't see anything about why the beta, but I did see the following in the FAQ. Maybe this will help:
"There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build."
I recently made an update to my own Firefox extension, called Tab Grenade. It took them 4 months to review. 4 months. And that's for a (very) minor update.
Because of that, I was definitely considering to start releasing it on my own, instead of through Mozilla's add-on website. It looks like I will be able to do that, but I'll have to use the signed extension process.
I'll believe this system works when I see it. After my experience with add-on reviewing, I am very skeptical.
The review is mostly done by volunteers. Sorry for the delay, I feel your pain. Will check here if we can try to get more people onboard to help review stuff.
Firefox is open source. Disabling the signature check will probably be a one-line change. Yes, it's a much larger barrier to entry (building Firefox is not trivial), but it's not like IE or Chrome where you have no choice in the matter at all.
Yeah?
You at the very least forgot to obtain the source code first somehow. What about build-dependencies, because ./mach bootstrap does not fully handle that?
Now please tell me how to do a Windows release-build with all release features enabled (except for official branding), aka. a ton of configure switches, and also please do it for my language using the official de locale, because neither the source tar.bz2 nor the hg you'd normally clone contains that. I'm starting from scratch of course.
And suddenly it is less easy and trivial..
It's been one month and the new version of an extension I wrote is still waiting to be reviewed. I've since stopped waiting and started using the new version myself rather than download from AMO. I was already very disappointed by the review process and now this.
Tweeted to Chris Beard: "Dear @cbeard, please give your users the choice and control they deserve in @firefox. Allow extension signing to be disabled in FF42."
You want to protect the user, then start making extensions more secure and require permissions to do things. E.g. If an extension can access contents of webpages, pop up a dialog and ask the first time. There are other ways to protect users without going authoritarian on us.
An important point is that the review process before signing takes seconds, according to the article. Considering the frequency of FF updates, it's an important point.
Now, let's just hope that the other side of the coin is a concern for API backward compatibility, so that people don't need nightly versions of addons and a developer edition to keep their addons in a usable state...
I use several small add-ons I wrote myself. Why should I have to get Mozilla's approval before I can install my own damn add-ons? One of them executes processes and I'm 99% sure it'll fail the automated review.
EDIT: It passed the automated review, but my point stands. If I wrote the code, then you can be damn sure I trust it.
> I use several small add-ons I wrote myself. Why should I have to get Mozilla's approval before I can install my own damn add-ons?
Mozilla has to balance the needs of several hundred million users, who are being attacked by malware every day, with the needs of people who write their own add-ons. Is it really that difficult to see it from that perspective? And it's not like you have no options now. You can either use the developer edition or the special release version where this feature is disabled.
They've always catered to the hacker perspective, too. Why take out the about:config flag? How about letting me trust my own certificate, instead of just AMO's? What about running AMO alternatives?
Did you not read the blog post? You can use the dev edition or the special release and beta version that don't have this limitation. Nobody is forcing you to live with this limitation. If this was done as an about:config flag it could easily be changed by an add-on too.
"What are my options if I want to install unsigned extensions in Firefox?
The Developer Edition and Nightly versions of Firefox will have a setting to disable signature checks. There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build."
If you want to run a custom AMO I'm assuming you're in a corporate environment or something like that where you can control what browser gets installed on people's machines.
https://addons.mozilla.org is an integral part of Firefox, if you set it up with an alternative you're effectively making your own fork.
It's not an integral part of Firefox, though. You can install add-ons without it by just clicking a link on any page that leads to an XPI, same as how AMO behaves.
And no, I'm not in a corporate environment. I'm talking about decentralization.
Dev Edition is not less customizable... its just Firefox with a new theme and more bleeding edge dev tools which you should be using to develop addons anyway.
But it doesn't! As long as downloading anything is allowed, signing requirements on extensions will not prevent anything.
And by experience supporting users, this is not how bad extensions get installed on the system: they're pulled in by malware which gets installed by other means.
This is only going to irritate legitimate extension developers, which already have to wait weeks for AMO to review even the most basic change. I've been distributing extensions separately precisely for this reason.
But this change will prevent bad extensions pulled in by malware installed by other means.... On systems that require application signing, that should do some good (otherwise I'd expect malware to just switch from sideloading extensions to sideloading a modified version of Firefox).
Idealism and duct-tape- they are holding the world-view together..
Specialisation always was this species' strong point. Acceptance that the user might have his strong-point elsewhere and is so nice as to not harass you with his worldview. Imagine if you went into your local bakery, and there behind the counter stands a guy all in white:
"Good morning. Try our donuts today. You could make donuts too. It's easy. Come on, I'll show you. And then you will be self reliant when it comes to donuts. There are thousands of great recipes online - okay, some are broken, but you don't get to become an expert in donut making - without giving a little bit back..
Sir, Sir - you forgot your Donuts. Maybe he is diabetic and forgot - or evil corporate donut buyer - or the one dough ring to bind them all is too much of a power.."
With great specialisation comes great loss of understanding on other parts of your life.
There are way too many decisions we need to make in this world to really be informed on every one. Of course, in our world, understanding software and safety is in our scope of knowledge, so we believe everyone should have it. However, not everyone is in our world. I am sure tech people make all sorts of uninformed decisions in other realms that people in those fields would be appalled at. It is OUR job to help protect regular people who don't have the time to learn our world be safe, just as it is the job of those other fields to help keep us safe.
Heaven forbid. The unaware, uninformed user is the bread and butter that the Internet businesses survive on. Tech-savvy users are bad bad bad. Protected, gullible users are what keep the engines running.
The choice isn't prevented. There is just a small barrier put in place of the choice. Installing a different version of firefox is not difficult, but it makes sure the user is absolutely sure, and helps get an idea across of the ramifications.
This. Most of the people do not care about this stuff and they do not wish to learn it. Also, like with vaccines, it is important that sufficient number of people are protected for the malware/viruses to not spread.
This is disappointing. Everything is becoming centralized, even Firefox extensions. I wish there was an opt out like "unknown sources" in android, but they keep saying we're not smart enough to make our own decisions. They won't even put one in about:config. This change will undoubtedly upset developers and other techy folk, exactly the kind of people you want working with your software.
Fdroid is working on third party repositories, maybe that will catch on to decentralize the mobile world a bit. Something like that for browser extensions would be sweet. Take a look at Fennec Fdroid for a cleaner Firefox mobile experience at least.
The point here is to stop junkware authors (who operate pretend-legally) from trivially installing extensions into Firefox. Right now, this type of software commonly injects javascript into all web-pages a user visits which do things like add adverts or redirect searches.
If you allow a tick box to disable this, then how do you stop the junkware authors from simply checking that box on behalf of the user? Because that's what would happen, the user would click "next" on some random installer (which the junkware authors argue grants them expressed permission to install), and the junkware will claim they tick the unknown sources box to fix a "backwards compatibility issue."
What they're trying to do is make the option to disable the check SO niche that it really isn't a valid option for the junkware authors to use anyway (since most consumers won't have it, only corp. networks which are a hard target for junkware for other reasons).
I wonder how long it will take until adware producers patch out the requirement for signed extensions in the binary when you install stuff from them on your computer.
Isn't Chrome already like this? I spent 45 minutes trying to find a way to install a non extension store extension this weekend and gave up after being blocked repeatedly.
I don't think what Chrome does is relevant in this discussion, at least not in the context of defining what is the correct way for Mozilla to go forward.
It's not really a full fork, but I'm fairly confident that Iceweasel, the patched and no-branding Firefox that ships with Debian, will not have this problem.
(So as a Debian user I don't really care, but it worries me slightly for the future of Mozilla.)
Mozilla has said that this requirement is set by one flag at build time, so building a version without this requirement should not be any more difficult than just compiling Firefox. I have never done that, but I think it's slightly non-trivial. The hardest part would be distributing the fork though, so a Linux distribution like Debian mentioned this change as others have mentioned would be one way to build a popular fork without this requirement.
Well, at least they're paying lip-service to enterprise users who may have internal extensions to deal with:
What about private add-ons used in enterprise environments?
We haven't announced our plan for this case yet. Stay tuned.
In the interim, ESR will not support signing at least until version 45, which won't come out until 2016.
I have seen several suggestions along the following lines, as far back as the original blog post which announced the intention to require extension signing:
Allow an extension signing certificate to be placed in a directory/store which requires elevated privileges to modify (i.e. /etc/ or similar).
Extensions in the user's profile signed by this certificate will load as if they were signed with the Mozilla certificate.
If the user has enough privileges to add an extension signing certificate then they also most likely have the ability to modify Firefox itself. I think this addresses any concerns that this method could be used to load malicious extensions (if the user is willing to run unknown executables with elevated privileges then extensions with apparently valid signatures are the least of their worries).
This allows enterprises to sign and distribute their own extensions, with the additional step of creating and distributing the signing certificate, and could also work for home users.
Mozilla used to be the best place in the world for extension developers -- it was natural to have your best extension on Firefox because you could release early and often. Active developers made the platform.
When Chrome came along they decided to go in a different direction entirely, slowly making it more and more painful to accomplish what used to be easy in the name of security. The review process went from automatic if you were trusted to weeks and then months and then more than a quarter year. They started demanding source code. It became scary to release to addons.mozilla.org because you never knew how long it would be before your next release would be approved.
Mozilla needs to realize they're hastening their own demise - Chrome now offers better features than when Mozilla was the leader including releasing to a percentage of users and faster nearly invisible to the user updates. They should go back to their roots and embrace developers again.
I wonder if this will mean that all the extension version numbers will stop ending in -signed. I'm used to having any build number with -label in its name denote it's a pre-release and isn't stable [0].
I was recently searching for user agent switcher add-ons as part of a blog post [1] and almost all have -signed in the name. To some people it could look like the un-signed ones are more stable and better.
The -signed label was a one time effect to update existing extensions to signed versions (since AMO didn't want to arbitrarily bump the version numbers of all its hosted extensions). Future updates do not have this label.
>>Is this a way for Mozilla to censor add-ons they don't like, enforce copyright, government demands, etc.?
>No, the purpose of this is to protect users from malicious add-ons. We have clear guidelines[1] for when it is appropriate to blocklist an add-on and have refused multiple times to block for other reasons.
Copyright, DMCA, and legal concerns are not listed. So I take that to mean nothing will be rejected from signing for those reasons. Hosting on AMO has stricter rules, so they could sign the extension for you to host, but refuse to host it themselves.
Today, Mozilla doesn't get demands to take down extensions because sending demands would be pointless. If EvilCorp tried to force Mozilla to take down uBlock and friends from addons.mozilla.org they would just get hosted elsewhere and EvilCorp would look like assholes. It's all downside, no upside, so EvilCorp don't even bother to ask.
If tomorrow Mozilla can shut down any extension, the calculus changes. Forcing Mozilla to kill ad blockers still makes EvilCorp look like assholes, but it might be successful. There's a big upside now, so much more reason to try and force Mozilla's hand.
It's little more than a year ago that Brendan Eich was ousted from Mozilla by an ugly orchestrated cabal. When I read Mitchell Baker's vapid blog post [1] on the decision, filled with polite backstabbing and politically correct buzzwordery I understood that Mozilla has been taken over by politicians and that its decline is just a matter of time.
"Liberals" in the US - democrats - are indeed center-right of the rest of the world. Look at Obama, Clinton, Biden. They are very center on some issues and quite right on others.
Probably. I've always considered both US parties to be so far right wrt the rest of the world, that anything even remotely moderate would be labeled "liberal" or "communist". Both terms used with extreme prejudice and disdain, of course.
A U.S. "liberal" is very socially-progressive (pro-gay marriage, pro-choice, pro-environment, anti-racist, mostly pro-regulation and anti-corporate). I think that's the sort of people the parent poster intended to describe. In Europe "liberals" are usually pro-business and socially-conservative.
(Btw, I wouldn't say a U.S. liberal will automatically sit on the right of the European discourse, today. Traditional socialism has virtually disappeared as a political choice in Europe as well, so really there is very little disagreement today between a U.S. liberal and a European with mainstream social-democratic sensibilities -- except maybe on foreign policy.)
There is no equivalent of a European left in mainstream US politics. You see bits and pieces in some small-time candidates like Bernie Sanders, but nothing serious. The red scare did its job.
I have been looking at https://input.mozilla.org/ now and then for a long time, and I am still astounded at how it's typically around 90% unhappy, 10% happy.
I know that some Mozilla supporters will justify that huge difference by saying, "but unhappy people will always complain and happy people won't say anything", but I don't think that's necessarily the case. Here we have Mozilla's own stats saying that a lot of their users are extremely unhappy with Firefox.
Clearly something is very wrong for the disapproval rating to be so high, and the satisfaction rating to be so low. In other situations, such a high disapproval rating would be met with extreme concern, immediate retrospection, and panic.
Even in the case of US presidents, where people don't have an immediate alternative like they do with web browsers, and where people's emotions run rampant, it's very rare to see an approval rating under 40%. The very worst approval ratings still are around 25%.
So something is seriously wrong for Mozilla's products to consistently have an approval rating of only 10%, or even 20% if we're being generous.
Take a look at the platform statistics there. Nearly half of the feedback (46%) comes from Android users. Reading the comments, they seem like the (very uninsightful) reviews you typically see in the Google Play Store where the "unhappy people will complain" seems to be quite true.
Firefox for Android is a fundamentally different beast from the browser on Windows/Linux/MacOS. I am quite happy with the desktop version, yet I find the mobile experience quite underwhelming.
If you limit the selection by platform, on Android it will even show "100% sad, 0% happy" -- Mozilla has some work to do there. On Windows 7 you get "81% sad, 19% happy". Still bad, I agree, but don't just dismiss the inherent bias of a feedback system. And compare them to the stats for competitors, too.
I had never seen input.* before so I checked it out. I was pleasantly reminded of the variety of user-cases when I read this comment:
"I accidentally installed a prank addon/script (can't remember the name or which one, though it did come with a clear warning). Now my Facebook comments are garbled (scrambles text (makes it worse when I use punctuation-multiplies it). Please use and add some malware cleaner in some future update to get rid of this nasty prank script/addon. I use Stylish addon and I'm guessing I got it from this! Makes using Facebook defunct and troublesome!"
Those approval ratings you speak of are usually reported as a part of representative studies. What do you think is the approval rating of Obama, if you only ask people who support Jeb Bush's campaign?
Input is anything but representative, it's not meant to be. It's there to catch things as early as possible.
"I have been looking at https://input.mozilla.org/ now and then for a long time, and I am still astounded at how it's typically around 90% unhappy, 10% happy."
I've been reading Mozilla's bug system for 17 years and the bug numbers keep going up. That can't be a good sign.</sarcasm>
It's disappointing to see Mozilla's leadership respond with sarcasm and denial when faced with the fact that 80% or more of their users are not happy with recent versions of Firefox.
That should be 80% of the users who have some reason to be poking around in Firefox's Help menu and are motivated enough to click "Submit Feedback". That group does not include many people who have a perfectly good experience with Firefox.
You know, there was something beautiful about users being able to pick up a tutorial and extend their browsers, if they wanted. There was something very empowering about being able to write extensions even in a corporate environment.
I've written Firefox extensions for personal and business use, and Mozilla are preventing that from ever happening again. Why? Cui bono?
I'll mention, again, that they completely broke the security of Firefox Sync: it's no longer a trustworthy place to store passwords. Why? Cui bono?
Didn't Chrome take this same approach? I suspect that if multiple major browser vendors are pursuing it, it's probably to address some issue. It's not like Mozilla just thought, "let's limit people more, that will make them happy." This doesn't make it the right approach, but it does make it understandable.
So I suspect it's to the benefit of the "average user" if that's what you are asking.
I'm going to step outside of HN for a minute and say that in my work I work with people who rely on the Internet, but have no concept, and I mean none, how it works. They do not understand that when they create a Yahoo email account that no one can help them when they forget their password. They do not understand that if you type "yaho com" that you are not going to get anywhere (until auto search came along, that is). I've come to realize that Internet safety is not a simple set of rules, it's a complex understanding of the whole ecosystem that can't be readily taught in the time I have with these users (and never taught to some). I can't explain why I click on links in some emails and not others, so I just say "don't click on links". I can't explain why you shouldn't use the same password everywhere to someone who needs to reset their password literally every time they log on, so I just tell them to use the one their friend or child has written down for them. It's terrible, but I get it when vendors draw a line in the sand and say "this is to protect those users."
That said, as a user who does understand, there's an element of frustration. Hopefully they bury an override option somewhere, or maybe just add it to their ESR but I doubt I would ever use it.
If your extension has been fully reviewed by AMO, you can upload beta versions that only have to pass the automated signing review to be posted to AMO.
Please don't assume all extensions have a reason to be on AMO. There are plenty of extensions which are developed in-house for in-house use only.
Also, as a developer, I never cared to run the "nighties": I don't want an unstable browser, and I don't want fancy new features. I always ran the stock version, also to ensure compatibility with the user base, and never needed anything else.
Maybe Mozilla should also remove the developer tools from the stock version, because clearly it's too dangerous in the hand of people that could cut&paste code with full privileges into it, and it's only a keystroke away!
This is a giant slap in the face, frankly.
I don't see a difference between a walled garden such as google play and this.
not sure yet, but as soon as there's something I'm making the switch.
Too many extensions are required to try to make Firefox into something usable, mainly reverting changes or fixing broken or missing features: ad blocking, sidebar, download manager, bringing back the add-on bar, putting back the ability to disable JavaScript, session manager, cookie manager, ability to take screenshots, mouse gestures, tab manager, …
I like the fact that a security issue is being tackled. What I absolutely hate is the fact that there are no ways to turn this option off.
Just like HSTS I can't turn this off and it leaves a bad taste in my mouth. Where originally I considered Firefox to be a browser for power users, now I'm not too sure any more.
I'm mixed on the general issue – an option to turn it off is an option which is certain to be used to social engineer millions of people – but this is somewhat different from HSTS:
HSTS allows a site owner to set a security policy for access to their own servers. There's no downside to using it, it doesn't affect anyone else, and in any case if you choose to use a service you're subject to their security policies. The fundamental choice is unaffected: use their service or go somewhere else.
In contrast, this is more controversial because it involves telling the user that they cannot do something they want to do. I think there's a strong argument that this is a pragmatic choice in the current security environment but it really does undercut user choice unless you reach the point of saying that the users who want to do this should know how to compile Mozilla.
I really, really disagree. If your data is on my computer I should have a say in what happens to it. If I want to tunnel your hsts connection through a proxy I should be able to do so.
You can't imagine how frustrated I was when I found out that I couldn't use my proxy any more, because some guy somewhere decided that it'd be too hard to add the following lines to Firefox:
if (user_doesnt_want_hsts) { dont_do_hsts(); }
I can't even bend my head around how someone thought it was acceptable to totally take this option away from people. I understand that such an option should be hidden deep inside a config somewhere so as to prevent a normal user from compromising his/her own security. But please don't presume that you did everyone a service by taking this option away. I can't express how angry and frustrated I become when I even think about it.
As for your 'no downside', as I said, perhaps not for normal users. But I most definitively am not. And I probably need to jump through a lot of hoops to tear this "feature" out of my own Firefox build.
> I really, really disagree. If your data is on my computer I should have a say in what happens to it. If I want to tunnel your hsts connection through a proxy I should be able to do so.
You need to read more about how HSTS actually works:
It does nothing that a site could not do by having their webserver redirect all HTTP requests to HTTPS, with the exception that it prevents the browser from ever making an insecure request, to prevent a man-in-the-middle attacker from tampering with it.
Of particular interest, note that it does not prevent you from using a proxy if you choose to configure one. The only thing it prevents is a transparent proxy intercepting all traffic on the network, which is a class of MITM attack, and a frequent source of security or privacy issues.
If you need to use a tampering SSL proxy you would, of course, need to configure it to generate certificates using a CA which you trust, which is a well-documented feature and something which has already been a requirement for many, many years.
> As for your 'no downside', as I said, perhaps not for normal users. But I most definitively am not. And I probably need to jump through a lot of hoops to tear this "feature" out of my own Firefox build.
Or learn how to configure your proxy so that it works with the security mechanism rather than unnecessarily exposing you to attacks. Your argument is a perfect example of why this is a good move: most people will simply hit whatever button causes the page to load without thinking through the security implications.
You... really don't understand HSTS or how proxies work. Any actual secure proxy configuration would still work just fine with HSTS. It's only ones that specifically downgrade HTTPS connections to HTTP ones that break.
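The HSTS behaviour described in the replies above, as an added example that is not part of the thread and is not Firefox's code: a minimal JavaScript model of how a client applies `Strict-Transport-Security` (RFC 6797). The `HstsStore` class, the hostnames and the header values are constructed for illustration.

```javascript
// Added example: simplified client-side HSTS handling (RFC 6797).
// All hostnames and header values are constructed sample data.

class HstsStore {
  constructor() {
    // host -> { expires: epoch ms, includeSubDomains: boolean }
    this.entries = new Map();
  }

  // Parse a Strict-Transport-Security header value.
  // Returns null when the required max-age directive is missing or invalid.
  static parseHeader(value) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of value.split(';')) {
      const [rawName, rawVal] = part.split('=');
      const name = rawName.trim().toLowerCase();
      if (name === 'max-age' && rawVal !== undefined) {
        const v = rawVal.trim().replace(/^"|"$/g, '');
        if (/^\d+$/.test(v)) maxAge = Number(v);
      } else if (name === 'includesubdomains') {
        includeSubDomains = true;
      }
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }

  // Record the policy from a response. A header received over plain HTTP
  // is ignored, because an on-path attacker could have injected or stripped it.
  noteResponse(urlString, headerValue, nowMs) {
    const url = new URL(urlString);
    if (url.protocol !== 'https:') return false;
    const policy = HstsStore.parseHeader(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {
      this.entries.delete(url.hostname); // max-age=0 removes the entry
      return true;
    }
    this.entries.set(url.hostname, {
      expires: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True when the host itself, or a parent domain that set
  // includeSubDomains, has an unexpired entry.
  isKnownHost(hostname, nowMs) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowMs) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Applied before any network activity: an http:// URL for a known host
  // becomes https://, so no cleartext request ever leaves the client.
  // An explicitly configured proxy still receives the (now HTTPS) request.
  rewrite(urlString, nowMs) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnownHost(url.hostname, nowMs)) {
      url.protocol = 'https:';
    }
    return url.toString();
  }
}

// Walk through the cases the thread argues about.
function demo() {
  const store = new HstsStore();
  const t0 = 1000000;
  const ignored = !store.noteResponse('http://example.test/', 'max-age=60', t0);
  store.noteResponse('https://example.test/', 'max-age=60; includeSubDomains', t0);
  return {
    headerOverHttpIgnored: ignored,
    upgraded: store.rewrite('http://www.example.test/login', t0 + 1000),
    afterExpiry: store.rewrite('http://www.example.test/login', t0 + 61000),
  };
}

console.log(demo());
```

The model leaves out the other half of HSTS, which is that certificate errors on a known host cannot be clicked through.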
An automated review which takes seconds? What will it be looking for exactly? Seems to be something that will either break every extension out there or will be so easy to bypass that it won't do much.
"This is not the same process that currently applies to AMO add-ons, which has been typically slower."
Also the fact that you can't seem to be able to disable it even with some "debug/developer" mode in FF seems to be a bit over the top.
What happens if you are tied to an older FF extension that isn't signed? What happens when you want to develop an extension? Yes, beta extensions will be signed also, but what happens before the BETA? What happens when I just want to make hello world and to learn what I can do?
This is going to be an annoying change for me since I use the 1Password extension which isn't signed as far as I know. So, it's likely I'll switch over to Chrome (which I've had performance issues with in the past) or Pale Moon. Seriously, it's my browser. It's fine if you want to make users whitelist extensions but to completely block unsigned extensions is a bit overzealous. Unless Mozilla makes the signing process automatic (since it seems some extensions on addons.mozilla.org can go months before being updated to the current version) I don't see this working out at all.
Hi. I'm Eva and I work for AgileBits, the makers of 1Password.
I wanted to reassure you that we are working with Mozilla on getting our Firefox extension signed. That will allow you to continue using Firefox as your default browser while still using the 1Password browser extension.
The security problem that this "fixes" is not really an issue on Android due to Android's own app sandboxing, so maybe the Android build will allow unsigned extensions? It's not mentioned in the FAQ.
Who wants malware affecting all of the naive users on the internet? I don't. I think you can all put your pitchforks away and take a deep breath knowing that Firefox is trying to improve the experience for people who are not like yourselves. The process is automated and takes little time. Stop acting so entitled.
Firefox disabled HTTPS Everywhere with no warning to me whatsoever. I use Dev Edition. I always just assumed it would always work, but apparently I can't rely on that anymore. Wasn't Mozilla pushing for non-encrypted HTTP to be deprecated? They should wait for that to happen before disabling HTTPS Everywhere.
Epic fail. Mozilla should be making the browser subsystems more secure, not saying 'Trust us, we'll ensure your add-ons are secure'.
Will the add-ons source code be reviewed by a CISSP skilled in the languages used within the add-on? Will the add-on be tested with the top 1000 add-on combinations out there? If the add-on provides an API, will it be tested using fuzzing? The list of these questions, and the others to which your answer is likely 'no', goes on. If you are not doing these things then you are providing a false sense of security. You may catch the bottom 60-80% of malware and unstable add-ons, but the most dangerous 20% will likely slip through, in my opinion.
This does not make sense from a UX perspective, as MANY others here have pointed out, so I won't go into that further. I will point out that it doesn't make sense from a business perspective either. If you are saying your add-on signing program improves security, and you let an add-on through that has malware, then you might be sued (I am not a lawyer, this does not constitute legal advice, etc.).
So to recap and summarize, with brevity, and with accuracy...
You're right about law, I know little - I am not a lawyer.
I suspect there will be someone who blames their corporate data breach on Mozilla's policy, if they can make even the flimsiest case. Mozilla might win, at the cost of money, time, and bad PR. I suspect it more likely that they'd settle out of court. I'd love to hear a lawyer weigh in.
I also love how I posted on here (I seldom do) about an issue I felt passionately about, in an area that I do know a bit about, and you responded with a personal attack.
Ask yourself this, what is it you hate so much about the world, yourself, me, or my post that compelled you to personally attack a complete stranger who was donating time and thought to the discussion? Did it make you feel better? Stronger? Isn't that the very behavior you've campaigned against, elsewhere on the web?
That's because plugins are going to need to be white-listed (modifiable via about:config). The win64 (beta) edition of Firefox only allows the Flash Player Plugin, for example.
isn't this still vulnerable to the attack reported up-thread where whatever malware just goes and changes about:config before installing their plugin? (and the reason that the addon opt-out is being removed from ff42)
yup, and that's what i don't get. statistically, plugins like java and flash are a bigger security threat than addons. i don't even remember an addon going rogue.
I think at this moment it's fair to say that switching to Pale Moon is the next obvious step for power-users in need of fiddling with their browser as they please.
This is very frustrating. Made worse by the fact that they just replaced their packaging tool with a new jpm tool that doesn't yet match the functionality of the old tool.
I very much doubt Pale Moon will, based on their reaction to previous restrictions and removals of features. I know that it would be hypocritical if they did.
"There are a number of things we believe the e10s project will give us:
...
2. Improved performance, especially on multi-core machines.
3. Better memory core stats."
That seems to directly contradict your concerns. However, these are stated goals and may not align with practical reality. I'd be surprised if, when these are numbers 2 and 3 on their list of priorities, the reality would be so very different.
Those 3 months can make a world of difference. I'd like to see it in action before I decide whether it is a good or a bad thing.
Also, I'd be very surprised if the numbers in this little test are more than anecdotal. Performance will depend heavily on the kind of content you're viewing and I'd wager that the IPC calls make up a very small minority of the runtime profile for a tab process. Also, not everything is so performance-critical. For instance, if response to a mouse click went from 1 to 7 milliseconds, would anybody notice it? If everything in the browser just slowed down by a factor of 2, would Mozilla really ship it?
> if response to a mouse click went from 1 to 7 milliseconds, would anybody notice it?
Considering that a frame at 60fps is ~16.7ms, YES. That's 42% of your total frame budget!
And it's not just IPC calls, either. There are many things that are less efficient when you segment things between multiple processes.
Also, you're completely ignoring / missing the point of memory use. FF (or rather, Pale Moon) is currently using >1/4 of the RAM on my laptop. And swap is (really really really really really) slow.
The exaggerated response time example was for a typical usecase. The amount of situations where there is actually 60fps rendering going on and necessary are few and far between. Most browser usage is of fairly static content. Especially in the case of a mouse click, when you expect something to change on the screen and almost everything in that change will depend on something much slower than the simple IPC call (if that even happens) of transferring the mouse click event. Splitting things up between multiple processes can slow things down if done badly, and can also bring tremendous speedups if done right. I assume the folks at Mozilla know what they're doing.
And yes, I'm ignoring memory usage for now. Mostly because it is a horribly complex thing, especially in multi-process situations. The numbers are notoriously difficult to interpret between working set, commit charge, shared memory, memory mapped file IO. Unless you're actually debugging the code or an expert, it's basically just guesswork. Mozilla have improved Firefox's general memory footprint significantly these past few years and they're not going to throw those advancements away easily. Again, I trust them to know what they're doing.
As I said before, I'll reserve judgement on e10s until I get to experience it in daily use. All I will say in advance is that the premise and the stated goals make a lot of sense to me and it seems like a highly desirable technology.
I share your sentiment, but Google Chrome is better only in terms of performance [1], it fares worse in both privacy and extensibility (no ad blockers/addons on mobile Chrome).
For people like me, who want:
* a free software browser
* android/desktop sync
* adblock and other addons
it is pretty much a binary choice between two evils.
[1]: Possibly, of course -- but that is a debate for another time.
The nice thing is that they're doing it for "security", although they're absolutely fine pulling insane amounts of crap into their browser to improve the "web experience" and incidentally increasing the attack surface [which is how you get most of the malware actually].
Pale Moon is decent. Or would be, except for the frustrations with addon compatibility. (Suffice to say, the Australis update pushed breaking changes to add-ons, in such a way that you cannot easily support both pre-Australis and post-Australis)
Ad-blockers have finally reached a point that the financiers of the major browsers are setting the groundwork for tightening the screws on them. Not right now, but in a couple years when earnings start trending down. Google and Yahoo -- driven by ads -- fund Chrome and Firefox, over half the browser market.
Nobody innately wants to be evil; these are still *mostly* engineer driven companies. But when it comes to an existential crisis of revenue vs freedom, there is no real choice.
So thanks guys. We had a good run with open browsers, but it is quickly drawing closed because you just couldn't stand the ANNOYANCE of seeing ads next to your content. It's been fun, and now back to the darkness we go.
> Ad-blockers have finally reached a point that the financiers of the major browsers are setting the groundwork for tightening the screws on them.
You speak with such confidence about things you obviously have no idea about. This change is driven by the massive amount of malware that threatens users of all browsers with a sufficiently strong add-on API.
Can you please point me to any evidence that would suggest that this change was made even just in parts at the request of Yahoo?
Also, Firefox is free software, the only thing that belongs to Mozilla is the name. If it ever became difficult to block ads with Firefox, that brand would lose its value pretty quickly and somebody else would offer Firefox+adblocking under a different name.
Sure. It will be a fork that falls behind master without funding or support. Get enough momentum and push it far enough and Chromium and Firefox will stop being OSS altogether.
This is indistinguishable from the conspiracy theories people used to circulate about a magic carburetor design which got 85MPG and was killed by Detroit automakers for unknown reasons.
Just look at the chain of unsupported assertions which have to all come true for this to make any sense: Mozilla will prevent you from installing ad-blockers, and that this will bother enough users to matter but somehow that won't lead to enough volunteered developer time to maintain even an almost unmodified “fork” which changes only a build flag (or a signing key)?
Or that somehow if that proved popular enough to attract a large number of users they'd react not by reconsidering such policies but instead push everyone over to Edge/WebKit? Microsoft and Apple are not primarily advertising companies and at least Apple is marketing actively on the idea of respecting your privacy – it's hard to imagine anyone working at a browser vendor not realizing that such a move is simply going to push users to switch.