The Case for Extension Signing

Daniel Veditz

5

Mozilla’s  recent announcement that mandatory extension signing is coming to Firefox this summer generated a lot of feedback from our developer community. Most of them were concerned with the burden this puts on developers who don’t host their add-ons on AMO as well as the centralization of add-on oversight. I would like to add more insight into why we are making this change. In our last post we mentioned the difficulties of tracking down add-ons and blocking them, but there’s much more behind the decisions that were made to come up with this plan. This post should give you a better idea of why we think extension signing is necessary and how we are still honoring our principles of openness and user control.

The power of add-ons

We love add-ons and wouldn’t want to browse the Web without the enhanced experience they offer. I myself have 22 active add-ons at the moment, with another seven disabled but on hand just in case. Firefox add-ons aren’t restricted to a limited API for manipulating Web content and parts of the browser. Add-ons can use, manipulate, or even replace just about any aspect of Firefox internals. Add-ons are one manifestation of a freedom so important to us that we have enshrined it in our Mozilla principles: Individuals must have the ability to shape the Internet and their own experiences on the Internet.

The adware scourge

The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our addons.mozilla.org site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Signing Add-ons

The solution we are pursuing, as described in our last post, is for the builds used by the majority of Firefox users to require that add-ons be signed by Mozilla. It is heartbreaking that there are so many malicious developers in the world intent on taking advantage of others, but we’ve reached the same conclusion as other similar ecosystems that there needs to be a referee looking our for the user’s interests. Firefox users will still be able to shape their online experience through installing add-ons created by others: for the vast majority of them nothing will have changed in that regard. This does, unfortunately, place an additional burden on add-on developers: they will have to develop against an unbranded but otherwise identical version of Firefox that we will provide.

Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons. By baking the signing requirement into the executable these programs will either have to submit to our review process or take the blatant malware step of replacing or altering Firefox. We are sure some will take that step, but it won’t be an attractive option for a Fortune 500 plugin vendor, popular download sites, or the laptop vendor involved in distributing Superfish. For the ones who do, we hope that modifying another program’s executable code is blatant enough that security software vendors will take action and stop letting these programs hide behind terms buried in their user-hostile EULAs.

The other common question is why developers can’t have their own certificates and sign their own add-ons. This would require Mozilla to function as a Certificate Authority which is currently not in our expertise. It also means we would not be able to run security scans on the add-on code. The only thing preventing a malicious add-on in that case would be the strength of our contracts requiring non-malicious code and our ability to bring legal action should those contracts be breached. This approach would favor established companies in jurisdictions where we have offices and would be extremely unfair to individual developers, especially those outside those regions. We feel the community would be better off if we put our resources into the review and scanning process that can treat everyone equally rather than setting up a certificate issuing infrastructure.

More Info and Discussions

The previous blog post on this issue generated a lot of feedback and discussion – we anticipate you will want to discuss this again. The most effective place for these discussions to take place is on the Add-ons User Experience newsgroup.

We created a wiki page about Extension Signing where we will post all of the information we have about it. It includes an FAQ that offers answers to many of the questions the community has posed, as well as some questions that are still pending a definitive answer. We will also continue posting updates on this blog.

Add-ons Update – Week of 2015/04/08

Jorge Villalobos

3

I post these updates every 3 weeks to inform add-on developers about the status of the review queues, add-on compatibility, and other happenings in the add-ons world.

The Review Queues

  • Most nominations for full review are taking less than 9 weeks to review.
  • 216 nominations in the queue awaiting review.
  • Most updates are being reviewed within 4 weeks.
  • 56 updates in the queue awaiting review.
  • Most preliminary reviews are being reviewed within 8 weeks.
  • 198 preliminary review submissions in the queue awaiting review.

If you’re an add-on developer and would like to see add-ons reviewed faster, please consider joining us. Add-on reviewers get invited to Mozilla events and earn cool gear with their work. Visit our wiki page for more information.

Firefox 38 Compatibility

The Firefox 38 compatibility blog post is up. The automatic AMO validation will be run soon.

Firefox 39 Compatibility

I expect to publish the Firefox 39 compatibility blog post in the next week or so.

As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition (formerly known as Aurora) to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.

Extension Signing

We announced that we will require extensions to be signed in order for them to continue to work in release and beta versions of Firefox. If you’re an extension developer, please read the post and participate in the discussions. We will be posting a followup expanding on the reasons behind this initiative.

Electrolysis

Electrolysis, also known as e10s, is the next major compatibility change coming to Firefox. In a nutshell, Firefox will run on multiple processes now, running each content tab in a different one. This should improve responsiveness and overall stability, but it also means many add-ons will need to be updated to support this.

We will be talking more about these changes in this blog in the future. For now we recommend you start looking at the available documentation.

April 2015 Featured Add-ons

Amy Tsay

1

Pick of the Month: Google™ Translator Lite

by Arthur Polinsky

Google™ Translator Lite is a powerful tool to translate words or sentences to a wide range of supported languages.

“It’s a Google Translator portable :) everything needed for don’t leave the page.”

Also Featured: Copy As Plain Text

by mehtuus
This extension gives you an option to copy text without the formatting. And unlike the keyboard shortcut (Ctrl+Shift+V), you can even customize how it will copy & paste.

Featured Complete Theme: Simple White

by Louis Chan
Paint your firefox white. Make it look simpler, nicer.

Featured Mobile Add-on: Clean Links

by Diego Casorran
Converts obfuscated or nested links to genuine clean links. Use it on your Firefox for Android!

Nominate your favorite add-ons

Featured add-ons are selected by a community board made up of add-on developers, users, and fans. Board members change every six months, so there’s always an opportunity to participate. Please follow this blog to find out when we are selecting a new board.

Each quarter, the board also selects a featured complete theme and featured mobile add-on.

If you’d like to nominate an add-on for featuring, please send it to amo-featured@mozilla.org for the board’s consideration. We welcome you to submit your own add-on.

Your design, printed on our next t-shirt!

Amy Tsay

4

Screenshot 2015-03-23 16.27.34

Mozillians love their t-shirts. And Firefox users love their add-ons. Add-ons let you completely customize your browser, from the way it looks to the way it behaves. To celebrate the community of add-on developers from all over the world who make this possible, we’re creating limited-edition t-shirts to send as thank-you gifts.

To make this celebration more participatory, we are taking submissions for the design. If you’d like the chance to have your artwork featured on this special shirt, please submit a design!

THEMES

Your design should be an artistic representation of the following themes, so be creative! (Your artwork should not be a reinterpretation or alteration of a Mozilla or Firefox logo, although an original representation of a fox or red panda would be ok.) Branding will be added to the back or arm of the t-shirt by our Creative staff.

  • Personalization — a browsing experience unique to you
  • Openness — anyone can make an add-on and there are thousands to choose from
  • Productivity — be more productive by customizing your browser to help you work better

Here are some resources to help:

REQUIREMENTS

  • Artwork must be submitted in EPS (vector art) format – if file size is over 10MB, please upload to Dropbox and send a link
  • Email your submission, along with your name or alias, to amo-tshirt-contest@mozilla.com

If you have a particular t-shirt color in mind, please include it in your email as well. We can’t guarantee it will be printed on a shirt of that color, but it will help to know what the artist intended. Limit 3 designs per entrant.

DESIGN SELECTION

  • A panel of judges will select three designs, and community voting will decide the final design.
  • The judges will consider:
    • How well the design represents the contest themes
    • Visual appeal
    • Uniqueness
    • Whether the design would look good on a t-shirt
  • The judges are:

IMPORTANT DATES

  • Deadline: submit your design by Thursday, April 30, 2015 at 11:59PM Pacific Standard Time
  • Finalists announcement: the three finalists will be announced on or about May 18, 2015
  • Community vote: community voting will close on or about June 2, 2015
  • T-shirt printing: t-shirts bearing the winning design will be printed on or about June 23, 2015

FINE PRINT

Employees of Mozilla are not eligible to participate.

All designs submitted must be your own work. Do not include artwork or logos belonging to others.

Your designs remain your exclusive property. By submitting a design, you grant Mozilla, and its designees, the right to edit, publish, copy, display, and distribute your design, alone and in combination with other material, without compensation. This includes, but is not limited to, displaying your design on a website for public voting, and reproduction on t-shirts for distribution.

Your designs may not: (i) contain vulgar, offensive, obscene, lewd, or indecent language, behavior or imagery; (ii) defame, libel or otherwise violate the rights of any third party; (iii) violate or facilitate the violation of any federal, state or local laws or ordinances; or (iv) target anyone because of his or her membership in a certain social group, including race, gender, color, religion, belief, sexual orientation, disability, ethnicity, nationality, age, gender identity, or political affiliation, or contain a symbolic representation of any group that targets anyone because of his or her membership in a certain social group. Designs that are, in Mozilla’s sole opinion, inappropriate, objectionable, harmful, inconsistent with our image, or otherwise not in compliance with these rules, may be disqualified, and we may remove any design that has been posted for any of these reasons.

All designs that are uploaded and made available for viewing by the general public will be deemed posted at the direction of the person who submitted the design within the meaning of the Digital Millennium Copyright Act and the Communications Decency Act.

The designs selected by the judges will be posted on a website and the community will be invited to vote for the best design. The design receiving the most votes will be the one that Mozilla uses on the limited edition Add-ons t-shirt. If there is a tie in the community voting, the judges will select the overall winner.

We ask that you not employ any means that is inconsistent with getting an honest picture of the community’s genuine opinion of your design to obtain votes. Examples of inappropriate activities include automated reviews, use of contest services, payoffs or promises to others in exchange for votes.

Any personal information you provide in connection with your participation in this project will be used only for purposes relating to this project, and will not be communicated to third-parties without prior permission or as otherwise specified in our Privacy Policy located at https://www.mozilla.org/en-US/privacy.

You agree to hold harmless Mozilla, its officers, directors, employees, divisions, affiliates, and subsidiaries, from any claim by any third party relating to any intellectual property or other rights in the design you submitted.

Add-ons Update – Week of 2015/03/18

Jorge Villalobos

4

I post these updates every 3 weeks to inform add-on developers about the status of the review queues, add-on compatibility, and other happenings in the add-ons world.

The Review Queues

  • Most nominations for full review are taking less than 8 weeks to review.
  • 153 nominations in the queue awaiting review.
  • Most updates are being reviewed within 4 weeks.
  • 61 updates in the queue awaiting review.
  • Most preliminary reviews are being reviewed within 6 weeks.
  • 161 preliminary review submissions in the queue awaiting review.

If you’re an add-on developer and would like to see add-ons reviewed faster, please consider joining us. Add-on reviewers get invited to Mozilla events and earn cool gear with their work. Visit our wiki page for more information.

Firefox 37 Compatibility

The Firefox 37 compatibility blog post is up. The automatic AMO validation will be run this week.

Also, if you host your add-ons outside of AMO, give this update a look. It affects the way the domain whitelist for add-on installation works.

Firefox 38 Compatibility

The Firefox 38 compatibility blog post was published yesterday. The automatic AMO validation will be run next month.

As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition (formerly known as Aurora) to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.

Extension Signing

We recently announced that we will require extensions to be signed in order for them to continue to work in release and beta versions of Firefox. If you’re an extension developer, please read the post and participate in the discussions. We will be posting a followup shortly, expanding on the reasons behind this initiative.

Electrolysis

Electrolysis, also known as e10s, is the next major compatibility change coming to Firefox. In a nutshell, Firefox will run on multiple processes now, running each content tab in a different one. This should improve responsiveness and overall stability, but it also means many add-ons will need to be updated to support this.

We will be talking more about these changes in this blog in the future. For now we recommend you start looking at the available documentation.

Add-on Compatibility for Firefox 38

Jorge Villalobos

3

Firefox 38 will be released on May 12th. Here’s the list of changes that went into this version that can affect add-on compatibility. There is more information available in Firefox 38 for Developers, so you should also give it a look.

General

XPCOM

New!

Please let me know in the comments if there’s anything missing or incorrect on these lists. If your add-on breaks on Firefox 38, I’d like to know.

The automatic compatibility validation and upgrade for add-ons on AMO will probably happen early next month, so keep an eye on your email if you have an add-on listed on our site with its compatibility set to Firefox 37.

Firefox 37 – Domain whitelisting disabled for non-HTTPS pages

Jorge Villalobos

5

If you have installed add-ons from sites other than AMO, you might be familiar with the domain whitelist. When you try to install an add-on from a third party site, you’ll see a doorhanger notification asking you if you want to allow that site to install software. The domain whitelist in Firefox allows you remove that notification for specific domains, which is useful if you install add-ons frequently from those domains.

A recent security bug fix in Firefox changed the way the whitelist works. Starting with Firefox  37 (to be released on March 31st), the doorhanger notification will always show up if you try to install an add-on from a page that is loaded with a plain HTTP connection. In other words, the domain whitelist will only work if the page the add-on is installed from is HTTPS. The URL to the XPI can still be plain HTTP, but the page that triggers the installation must be HTTPS.

The “extensions.install.requireSecureOrigin” preference can be set to false in order to revert this change. Also, this doesn’t affect automatic add-on updates in any way, even if they happen over plain HTTP.

March 2015 Featured Add-ons

Amy Tsay

6

Pick of the Month: Toolbar Buttons

by Michael B.

Toolbar Buttons adds toolbar buttons to the Customize Toolbar window in several programs including Firefox, Thunderbird and SeaMonkey. Some of the buttons make commonly preformed actions quicker, and others add new functionality.

“These buttons are colorful and smart!”

Also Featured

RequestPolicy by Justin Samuel

Be in control of which cross-site requests are allowed. Improve the privacy of your browsing by not letting other sites know your browsing habits. Secure yourself from Cross-Site Request Forgery (CSRF) and other attacks.

Nominate your favorite add-ons

Featured add-ons are selected by a community board made up of add-on developers, users, and fans. Board members change every six months, so there’s always an opportunity to participate. Please follow this blog to find out when we are selecting a new board.

If you’d like to nominate an add-on for featuring, please send it to amo-featured@mozilla.org for the board’s consideration. We welcome you to submit your own add-on.

JPM Replaces CFX For Firefox 38

Erik Vold

5

The Python based command line tool, CFX, was what we’ve used to build, run, and test add-ons which used the Add-on SDK in the past.  Last August, we released CFX 1.17 and there are no plans to release a new version.  We are replacing CFX with JPM which is a NodeJS based equivalent that works on Firefox 38 and higher and will be accepted on AMO.

For now, you can continue to use CFX as AMO will still accept those add-ons but it is recommended that you start using JPM tool as it is the only one receiving updates.

Why We Switched

We’ve made the new tool for a number of reasons: For one, the Python tool supported a number of features which we wanted to deprecate.  Also, building the tool with JavaScript instead of Python so that it may eventually be used in Firefox with the WebIDE and finally we wanted to replace the old third party module system that was invented for CFX with NPM.

If you are familiar with CFX then this guide on switching to JPM should prove useful.

Advantages

  • JPM is easier to install, especially on Windows.
  • JPM is easier to release, because CFX is Python based and is distributed as a zip file. JPM is Node-js based and is distributed through NPM.
  • JPM produces smaller XPIs, because no extra files are produced*.
  • JPM supports NPM packges.

We hope you enjoy JPM!

Find the source on github! and the issue tracker too!

*JPM produces an install.rdf and minimal bootstrap.js for now, in future versions it will not.

Add-ons Update – Week of 2015/02/25

Jorge Villalobos

11

I post these updates every 3 weeks to inform add-on developers about the status of the review queues, add-on compatibility, and other happenings in the add-ons world.

The Review Queues

  • Most nominations for full review are taking less than 8 weeks to review.
  • 115 nominations in the queue awaiting review.
  • Most updates are being reviewed within 2 weeks.
  • 57 updates in the queue awaiting review.
  • Most preliminary reviews are being reviewed within 6 weeks.
  • 85 preliminary review submissions in the queue awaiting review.

If you’re an add-on developer and would like to see add-ons reviewed faster, please consider joining us. Add-on reviewers get invited to Mozilla events and earn cool gear with their work. Visit our wiki page for more information.

Firefox 37 Compatibility

The Firefox 37 compatibility blog post is up. The automatic AMO validation will be run in the coming weeks.

As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition (formerly known as Aurora) to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.

Extension Signing

We recently announced that we will require extensions to be signed in order for them to continue to work in release and beta versions of Firefox. If you’re an extension developer, please read the post and participate in the discussions. We will be posting a followup this week, expanding on the reasons behind this initiative.

Electrolysis

Electrolysis, also known as e10s, is the next major compatibility change coming to Firefox. In a nutshell, Firefox will run on multiple processes now, running each content tab in a different one. This should improve responsiveness and overall stability, but it also means many add-ons will need to be updated to support this.

We will be talking more about these changes in this blog in the near future. For now we recommend you start looking at the available documentation.