Keeping Add-Ons Safe for our Users

When I started at Mozilla in 2008, I landed my dream job, as the Director of Add-ons for Firefox. I believed then, as I do today, that one size doesn’t fit all with Firefox.

Fast forward to 2019

We’ve seen many changes in the tech landscape since we launched addons.mozilla.org (AMO) in 2005. A few add-ons have millions of users, while there are many add-ons that have smaller audiences with specific needs. One add-on I really like is AddToAny, which lets me share on social networks. It is similar to a feature we used to have in Firefox that we removed due to lack of use, and I’m sure the 5,000 Firefox users of AddToAny are happy to have it. Unfortunately, the same system that allows privacy and security extensions to work can also make people vulnerable to data mining and malicious activity. While our users love how they can make Firefox theirs, they also look to us to maintain their safety and privacy on the web.

Now more than ever, we need to deliver on the trust our users place in us and the expectations we place on our users to understand the choices they make with regard to the software they install. In many ways, we’ve mitigated risks by adopting WebExtensions as our means for extending Firefox, but as more and more functionality migrates to the cloud, policing this ecosystem through code review and policy is impractical.

Fulfilling our brand promise of security and privacy

We’ve been discussing ways to secure the extension ecosystem to better fulfil our brand promise of security and privacy for Firefox users. Finding the balance between openness and security is an extremely hard problem to solve, but we are going to tackle it by making a few changes to the ecosystem now and through 2020. In the spirit of iterating towards a reasonable set of changes that are intended to reduce risk to Firefox users as well as reduce the burden placed on smaller add-on developers, we’re exploring the following:

  • Helping users discover, through Mozilla properties, a curated set of extensions that we believe are useful and valuable.
  • Investing in helping users better understand the risks extensions can present, and giving them the tools to assist in managing those risks.
  • Reducing the risk of showing potentially malicious extensions through our products and services. This requires an ecosystem-wide approach, and there are a number of unknowns to address with regard to discovery and publication platforms (including Firefox and addons.mozilla.org).

Stay tuned

As we explore the future of add-ons we will continue to make users’ security and privacy a priority. We will test and try different things, and work with the Firefox developer community to find a good place where we are confident that our users will be safe whenever they use Firefox.