Mozilla reveals Firefox add-on lockdown

Mozilla has detailed plans to require Firefox add-ons to be digitally signed, a move meant to bear down on rogue and malicious extensions

mozilla firefox san francisco
Al Sacco

Mozilla yesterday detailed plans to require Firefox add-ons to be digitally signed, a move meant to bear down on rogue and malicious extensions, and one that resembled Google's decision years ago to secure Chrome's add-on ecosystem.

Some Firefox users called out Mozilla for disregarding its own long-and-often-expressed ethos of the need for an open Internet.

"We're responsible for our add-ons ecosystem and we can't sit idle as our users suffer due to bad add-ons," said Jorge Villalobos, the add-ons developer relations lead at Mozilla, in a blog post Wednesday.

Firefox, which celebrated its 10th-year anniversary last November, has long been known for its laissez-faire approach to add-ons, one of the features that propelled it to a 25 percent share of all browsers in 2009 and helped revitalize the browser market.

As of January 2015, Firefox owned a 12 percent user share of all browsers, according to analytics company Net Applications.

Add-ons have gotten out of hand, said Mozilla's Villalobos and the rules must be tightened. "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites," he said, citing reasons for the digital-signing requirement.

An earlier attempt to stymie bad add-ons with a list of developer guidelines didn't work, in large part because Firefox add-ons can be hosted anywhere -- much like Android apps -- not only on AMO (Mozilla Add-On), the browser's official mart. One option Mozilla considered but discarded was to mimic Chrome by requiring all Firefox add-ons to be downloaded from AMO. "We believe that forcing all installs through our distribution channel is an unnecessary constraint," Villalobos said.

Instead, Mozilla will require all add-ons to be digitally signed. Those approved for hosting on AMO will be automatically signed by Mozilla, but others intended for distribution outside AMO must still be submitted for review, and thus, signing. Mozilla will run automated checks for malicious content or operation on all extensions submitted to AMO, with manual review as a backup.

A third option for add-ons that will never be publicly distributed -- ones crafted by a business, for example, for use only by its employees -- will exist. "We'll have more details available on this in the near future," Villalobos promised.

Once the new policy takes effect, unsigned add-ons will not be installable on Firefox's Release and Beta builds, the most stable, most popular of Mozilla's four channels. Unsigned extensions will be able to be installed on the other two channels, Aurora and Nightly.

Mozilla plans to use a two-cycle transition period -- each cycle is six weeks, the interval between Firefox version numbers -- to ease users into the new policy. During the transition, unsigned add-ons will only trigger an on-screen warning.

Villalobos said that Mozilla aims to debut the warning-only transition with Firefox 39, now slated for release on June 30. If it makes that schedule -- Mozilla often pushes back changes to future release cycles -- that means only signed add-ons would be allowed as of Firefox 41, which has a Sept. 22 launch date.

Mozilla's current Release build is Firefox 35; the next, Firefox 36, is scheduled to launch Feb. 24.

The Firefox add-on changes are reminiscent of those Google has pursued for Chrome since mid-2012, when the search company gradually began applying controls over extensions. Like Villalobos yesterday, Google cited rogue add-ons --particularly those that changed the browser's home page and sneaky criminals, who silently installed malicious extensions onto unwary users' copies of Chrome -- for its lockdown.

In May 2014, Google crippled almost all add-ons that had been installed from sources other than the Chrome Web Store, the browser's official distribution market.

While Mozilla won't go that far, Villalobos' announcement was met with skepticism by many who appended comments to his post.

"This is contrary to all of Mozilla's values," asserted Daniel Miranda in a Thursday comment. "All the talk of openness and then turning the browser into a walled garden is unacceptable. It is not compatible with anything Mozilla has stood for. It is a political solution masking over a technical failure of Firefox to properly sandbox its add-ons."

"So Mozilla principle #5, 'Individuals must have the ability to shape the Internet and their own experiences on it,' is now a misnomer," said AnonCoward. "They only have this ability IF approved by Mozilla."

AnonCoward's reference was to the fifth of 10 principles that Mozilla touts as its "manifesto."

"This is a very bad idea," Mike said yesterday. "Making the browser yet more Chrome-like will not help regain users, and will not help your goodwill. Someone should hire some people with a better sense of the Firefox community at Mozilla. Really, this is getting dire."

Mozilla also solicited comments and questions about the new policy in a new discussion thread on one of its add-on forums.

This story, "Mozilla reveals Firefox add-on lockdown" was originally published by Computerworld.


Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform