Hacker News new | ask | show | jobs
by pjc50 4136 days ago
Malicious extensions are apparently the driver for this. So we're back to the problem that any sufficiently flexible platform is a vector for malware. The platform authority then institutes code signing as a checkpoint against this. Thus raising a big barrier to entry for non-malicious extensions.

It's hard to see how to get back into this particular Eden.
1 comments
peri 4136 days ago
Sorry for the rude question here, but is this speculation on your part or based on stuff said by folks at Mozilla (the corp, not just contributors/clients)? Some clearer sources would be helpful this early in the morning.
link
tzs 4136 days ago
From the Mozilla add-ons blog, which is linked to in the article:

    Extensions that change the homepage and search
    settings without user consent have become very
    common, just like extensions that inject
    advertisements into Web pages or even inject
    malicious scripts into social media sites. To combat
    this, we created a set of add-on guidelines all
    add-on makers must follow, and we have been
    enforcing them via blocklisting (remote disabling of
    misbehaving extensions). However, extensions that
    violate these guidelines are distributed almost
    exclusively outside of AMO and tracking them all
    down has become increasingly impractical.
    Furthermore, malicious developers have devised ways
    to make their extensions harder to discover and
    harder to blocklist, making our jobs more difficult.

    We’re responsible for our add-ons ecosystem and we
    can’t sit idle as our users suffer due to bad
    add-ons. An easy solution would be to force all
    developers to distribute their extensions through
    AMO, like what Google does for Chrome extensions.
    However, we believe that forcing all installs
    through our distribution channel is an unnecessary
    constraint. To keep this balance, we have come up
    with extension signing, which will give us better
    oversight on the add-ons ecosystem while not forcing
    AMO to be the only add-on distribution channel.
link
peri 4136 days ago
Thanks, was in a hurry to catch my train.
link