1. 16
  1.  

  2. 9

    Firefox 42 and beyond:

    The Beta and Release versions of Firefox based on 42 and above (Beta 42 will be released at the same time as Firefox 41) will remove the preference that allows unsigned extensions to be installed, and will disable and/or prevent the installation of unsigned extensions.

    I hope Mozilla reverses course on this decision. Put it behind an about:config setting that only advanced users will know about, behind a big scary dialog warning if they have to, but I should be allowed to run my own extensions in my own browser if I really want to. Even OS X allows you to run unsigned apps if you bypass the normal method of running them.

    The Nightly and Developer Editions of Firefox based on 42 and above will retain the preference to disable signing enforcement, allowing the development and/or use of unsigned add-ons in those versions.

    I never understood this idea of web developers using a different browser than everyone else, based on newer or different functionality than the users they’re developing websites for. If Mozilla changes how a particular feature renders in their developer branch and I see it one way, all of my users that aren’t running the developer version will see it another way. So now I need to test in both versions? Why not just run nightly builds at that point?

    Unbranded versions of Firefox based on releases will also be made available for developers, and are expected to be in place for Firefox 42 for release (and potentially beta).

    Releasing a separate, different build of Firefox for every release is easier than just leaving one stupid setting in the main line version?

    I wonder if these branded/unbranded versions are meant to replace things like IceWeasel and what basically every other OS builds as a port/package. Firefox retains their official versions that they build for supported platforms and retain control over, and everyone else builds unbranded/Firefox-like browsers that aren’t actually Firefox. I guess like Chromium/Chrome.

    1. 6

      Firefox 42 and beyond:

      The Beta and Release versions of Firefox based on 42 and above (Beta 42 will be released at the same time as Firefox 41) will remove the preference that allows unsigned extensions to be installed, and will disable and/or prevent the installation of unsigned extensions.

      I hope Mozilla reverses course on this decision. Put it behind an about:config setting that only advanced users will know about, behind a big scary dialog warning if they have to, but I should be allowed to run my own extensions in my own browser if I really want to. Even OS X allows you to run unsigned apps if you bypass the normal method of running them.

      Others have suggested this as well. Unfortunately the pref system is easily alterable by malware (it’s just a text file) and XUL-based add-ons have enough control of the browser UI that they could remove any warning dialog or notification that altering the pref would present.

      It’s definitely an unfortunate situation. I strongly agree that users should be able to run whatever add-on they wish, so I am sad to see a system like this limiting user choice.

      It’s possible there’s a good solution out there that hasn’t been considered. A good place to discuss this would be the addons-user-experience mailing list.

      1. 1

        How about a runtime flag that enables running (or just installing) unsigned addons?

        1. 5

          First, here’s a bit more context on the problem.

          The typical form of malware in question here is some form of installer (usually on Windows) that bundles an add-on without telling the user.

          Since an installer typically needs admin privileges to complete its tasks, building a meaningful defense here is hard.

          With a runtime flag (I am assuming this means a CLI argument to the Firefox process), the malicious installer can edit the user’s Firefox shortcut to add the new argument.

          Under the current signing approach, malware would have to go as far as modifying the Firefox binary to complete its work. That’s something that is clearly bad, which anti-virus vendors can check for and block when detected.

          1. 3

            Then won’t the malware authors just switch Firefox with the version than can run unsigned addons? Grandma’s not going to notice that she’s running the developer version as long as her Gmail still works.

            1. 2

              I don’t recall discussion of this variation in the past. I’ve written to the mailing list about it and will update when I know more.

              I have not been directly involved with the signing work, so it may be that this avenue has already been considered.

              1. 3

                It seems like Mozilla is trying to secure a browser in a post-root exploit scenario. While certainly noble, it seems like it will ultimately be futile in the long run. My original question was based on the assumption that the system had not been compromised.

                1. 2

                  The add-on team believes this scenario would also be detectable by anti-virus vendors.

        2. 2

          Put it behind an about:config setting that only advanced users will know about, behind a big scary dialog warning if they have to, but I should be allowed to run my own extensions in my own browser if I really want to.

          I’m surprised that they didn’t do this to start with. Surely even if the user changes the setting they would be in no worse position than just running an earlier version of Firefox that didn’t require signing?

          1. 2

            Put it behind an about:config setting that only advanced users will know about, behind a big scary dialog warning if they have to, but I should be allowed to run my own extensions in my own browser if I really want to.

            I’m surprised that they didn’t do this to start with. Surely even if the user changes the setting they would be in no worse position than just running an earlier version of Firefox that didn’t require signing?

            The main reason that’s been deemed insufficient is that malware can toggle about:config just as easily as the user can. If it’s trivial for malware to disable the signing check, it is assumed by the add-ons team that malware would just adapt to trivially disable signing (you only need to edit a text file to change about:config settings), and it would be just as if no protection was ever added.

            The Developer Edition and Nightly builds do allow signing to be disabled via about:config to support add-on developers in testing their own add-ons, so what you are describing does exist, but is not available to Release and Beta users because of the above assumption that malware will adapt.

          2. 1

            Even OS X allows you to run unsigned apps if you bypass the normal method of running them.

            For the moment. I’m sure that will change as soon as they think they can get away with it. Then in the release after that you will only be allowed to install from the Mac App Store.

          3. 4

            Mozilla is being great by giving folks 12-18 months for a totally crucial change. Plenty of time for developers to experiment with the new API and ask Mozilla for the things you need when you run into them.

            The browser is the most used app with the most secret and personal data flowing through it on any system. Stoked.

            1. 4

              Am I the only person who thinks stop changing my browser!!?

              Really thinking about not updating with as much dedication anymore. I dislike most recent changes like moving preferences to a webpage, the recent ui customization method, and now this. Firefox is still my #1 browser but with every update I feel like my preferences are shat on more. Political statements in my Android browser, all kinds of trivial changes I don’t want, but real issues like modifying permitted certificates on mobile are still not here. A windows user can be suckered into installing an extension by some installer, but don’t they already get an “are you sure you want this extension” tab when they open the browser? And what about non-Windows users like me? I use Linux, now I can’t use the extensions I prefer unless they are signed? Fine, maybe I’ll stop updating, the fun is not much there anymore anyway.