comp.lang.javascript

FYI: Mandatory extension signing in Firefox

Stefan Weiss

3/8/2016 1:46:00 AM

In case somebody missed the announcement:
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-e...

Summary: starting with Firefox 46 (two versions from now), all
extensions will have to be signed by Mozilla, through addons.mozilla.org
(AMO). There will be no user override to allow the installation of
unsigned extensions, with the following exceptions:

1) running a test release of FF (Nightly, Aurora, Beta)
2) running an extended support release (ESR) - for now
3) running an unbranded version that has been modified to disable
this feature and re-enable the relevant setting in about:config

Users of the standard ("release" channel) version have no way of
circumventing the restriction.

The primary reason for the change is that unwary users may download and
install malware, which then adds extensions to Firefox and changes
settings (start page, etc). This is currently particularly easy with
Firefox, since most config files are just text or structured database files.

To get an extension signed, you need an AMO account and need to submit your
extension for automated checking. If the automatic validation fails, you
can request manual validation.


~~~~~ end of FYI, the following is my interpretation ~~~~~


There has been a lot of debate about this, for example in this thread:
https://groups.google.c...!topic/mozilla.addons.user-experience/slaKs943n4c[1-25]

Personally, I'm very disappointed that they're actually going through
with this, after all the negative feedback. They acknowledge that most
malware installers run with administrator privileges on Windows, and
that in this scenario there's nothing at all that can prevent the
compromise of installed software, but they still want to make it "harder
to exploit".

There have been numerous complaints and counter-arguments:

- You can no longer write and run an extension locally.

- You can no longer simply share an xpi with friends or coworkers.

- If you rely on beta testers for your extension, they can no longer
run an unreleased extension.

- It doesn't solve the problem: if the system has been compromised
that badly, it cannot be protected by requiring signed extensions.

- The requirement for external validation and signing is particularly
troublesome in corporate environments, where the extension code may
be proprietary or contain confidential information. Not all users in
such environments will run the ESR version.

- Mandatory external signing (with an arbitrary delay) is hard to
integrate in automated build systems.

- Extensions like HTML Validator release pre-built versions for
non-Windows platforms on their website instead of addons.mozilla.org.
These builds are not signed nor will they be in the future.

Users can still use one of the alternative versions mentioned above, but
that's not always feasible:

- You can't just ask all of your beta testers to run an off-brand or
experimental release.

- Experimental builds may be buggy and insecure.

- If you're writing an extension, but can only install it in
non-standard FF versions, you cannot test it where it will actually
be used.

- Non-standard versions often have no convenient upgrade methods.


As you can see, I'm not a fan of this development. IMHO, this is more
than just a small inconvenience for developers, for very little benefit.
I think Mozilla should take a good hard look at who is still using
Firefox in 2016, and WHY we're using it.
At least they currently have no plans for mandatory signing of user
scripts (GreaseMonkey).


I would be very interested in getting feedback from this group... Are
you affected by this in some way? What do you think about the problem
they're trying to solve? Do you think their solution is adequate?


- stefan
2 Answers

Florian Weimer

3/8/2016 7:46:00 AM

0

* Stefan Weiss:

> Users can still use one of the alternative versions mentioned above, but
> that's not always feasible:
>
> - You can't just ask all of your beta testers to run an off-brand or
> experimental release.
>
> - Experimental builds may be buggy and insecure.
>
> - If you're writing an extension, but can only install it in
> non-standard FF versions, you cannot test it where it will actually
> be used.
>
> - Non-standard versions often have no convenient upgrade methods.

I think the Adobe DRM only runs in the original Firefox, so if you
install an alternative version, you won't be able to get access to
some online content.

I don't know to what extent add-ons can circumvent DRM. Perhaps
Mozilla is worried that without mandatory add-on signing, Firefox will
lose users because users can't access restricted online content
anymore?

Thomas 'PointedEars' Lahn

3/12/2016 3:51:00 PM

0

Stefan Weiss wrote:

> […]
> There has been a lot of debate about this, for example in this thread:
> https://groups.google.c...!topic/mozilla.addons.user-experience/slaKs943n4c[1-25]
>
> Personally, I'm very disappointed that they're actually going through
> with this, after all the negative feedback. They acknowledge that most
> malware installers run with administrator privileges on Windows, and
> that in this scenario there's nothing at all that can prevent the
> compromise of installed software, but they still want to make it "harder
> to exploit".
>
> There have been numerous complaints and counter-arguments:
> […]
> I would be very interested in getting feedback from this group... Are
> you affected by this in some way? What do you think about the problem
> they're trying to solve? Do you think their solution is adequate?

Well, I can say this for them: At least they are consistent. This is only
the next in a long line of bad decisions at Mozilla that started in about
2003 with the irrational removal of MNG support. So in my experience,
Mozilla Drivers have stopped thinking like and listening to hackers (!=
crackers) a long time ago. As a result, hackers like me have stopped using
Firefox/Gecko as primary development platform and target shortly after. The
developer tools in Firefox are unusable compared to Chrome DevTools; it’s a
bad copy at best, and the 3D view does not mitigate that (you still need
Firebug). Off the top of my hat, to me Mozilla is only good for two things
nowadays: MDN, for reference, and its “uncoupled” e-mail/news client,
Thunderbird/Icedove. Oh, and they are the only ones with decent MathML
support.

Everything that Mozilla has been doing in recent years is claimed to be to
the advantage of *users*. What they either fail to realize or do
intentionally (to keep their users docile) is that it is mostly to the
advantage of *lusers*: clueless, stupid (Windoze) users. Useful
functionality is rather made *harder* to use or *stripped* from products
than improved and developed (in a secure fashion). Reiterating an argument
in the cited discussion, they just do not seem to realize that there are not
going to be users where there is nobody writing the software for them.

The record shows:

<http://gs.statcounter.com/#all-browser-ww-monthly-200812-...

[
Market share for all browsers, all platforms, worldwide, in %

           2008-12   2012-05   2016-03
-------------------------------------
IE           67.27     28.87      7.65
Firefox      25.16     22.98      8.73
Opera         2.90      3.81      5.35
Safari        2.49      8.68     12.55
Chrome        1.25     29.15     47.36
]

Opera is the new Netscape (after the AOHell takeover), Apple is the new
Microsoft [1], Mozilla is the new Apple, and Microsoft with its newly found
sense for free software (which I think we have Nadella to thank for, but it
does not seem to help IE) is something in-between those. As concerning as
that is, the real Web innovation happens at or close to Google now instead,
in V8 and Chromium/Blink.

Node.js is based on V8, not *Monkey. My fully customizable editor, Atom, is
based on Chromium, not Gecko. And despite its resource hunger, my primary
Web browser is Chromium/Chrome; it is not Iceweasel/Firefox anymore because
if I would do the things with Iceweasel/Firefox that I do with
Chromium/Chrome (I need a lot of tabs open simultaneously), it would be even
more resource-hungry to the point of OOM. At least with Chromium/Chrome,
one crashing tab does not take the whole browser with it, and I can kill
(but not close) tabs if necessary, as they run as separate processes.

Screw Firefox.

[1] <http://nolanlawson.com/2015/06/30/safari-is-the-n...

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.