[onli]

The problem here is not the signing.

It is a perfectly valid reasoning: Addons can be like malware, and that is something Mozilla should protect its users from. Reviewing and then signing extensions is an ok way to do that. But the focus here is not the signing, it is the reviewing.

The problem is not the reviewing either. That may take time and is unpleasant, but it offers something good in return. The problem is the "we will do it this way and make it not configurable". There is no need for that. Users don't change defaults, it would be perfectly valid to go the android route: Disallow the installation of unreviewed addons by default, but add an option in the settings to override this behaviour for users who know what they are doing.

That way, you still protect users in general, and you don't anger the other users who want to install addons from github or whatever. It was completely unnecessary to make it this controversial by forcing it on all users, by taking freedom away.

[wsha]

Actually, the point of this change is that there is no opt out. The main target of this change is to prevent grayware from silently sideloading bad add-ons onto users' systems. Up to this point, such grayware could hide behind the argument that some user action implied consent to the add-on installation. With this new change, that is no longer possible. It is almost as easy for such grayware to silently modify the Firefox binary directly, so from a security standpoint this change does not really contribute much. However, such modification to the Firefox binary (or a similar action) is much more obviously malware than side loading an extension is. So Mozilla is trying to gain leverage against bad actors who are trying to pose as legitimate actors. The problem with an opt-out is that grayware could silently activate the opt-out and claim that such an action was implied by the installation of the grayware.

That said, Mozilla has also said that they will release an unbranded version of Firefox that does not include the add-on signing restriction but is otherwise identical. Hopefully, that "identical" promise holds true and users who do not want to deal with the signing restriction can use this unbranded version.

[nsgi]

Not to mention that if the greyware enabled the option, this would also make it possible for other unsigned addons to be installed.

[acdha]

Microsoft already disproved this belief with Window’s UAC mechanism. Unless you have an unusually savvy user-base, you have to assume that a non-trivial percentage of people will approve any prompt which is claimed to give music, games, coupons, porn, etc.

Just to illustrate how unworkable this is currently, Facebook had to include a huge warning in the developer console telling you not to XSS yourself because people would follow instructions to open the developer tools and paste in a blob of JavaScript: https://www.facebook.com/help/246962205475854

[Lawtonfogle]

In which case they will also download and run SomethingSagaCheats.exe without second thought. Should Firefox disable exe downloads without a setting to turn them on? What about users who download SomethingSagaCheats.jpg and rename it to exe before running? We should disable all downloads then, no?

In general I do not like restricting rights to protect people. Now Mozilla is no government, but the same basic idea is going on here. Removing (instead of disabling or discouraging) features in the name of safety. At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.

[userbinator]

give them the resources to educate themselves

Exactly. Instead of encouraging an environment of healthy suspicion and "I don't know what this does, maybe I should find out more first; else I shouldn't run it" type of attitude, we've gotten into a situation where people are seemingly loathe to educate themselves - and have been conditioned to trust whatever some piece of software says about whether something is malware or not.

As this comment a few days ago mentions:

https://news.ycombinator.com/item?id=9032087

Exposure to malware helps build the "immune system" in users. This is similar to the biological concept too:

http://en.wikipedia.org/wiki/Hygiene_hypothesis

[danielweber]

I appreciate your desire to improve user security, but it is a huge uphill battle, and many things that you imagine will help will just make users switch to something that nags them less.

Teaching users to be safe -- assuming that's possible -- is a battle that has to be won in very very small steps.

[Lawtonfogle]

>make users switch to something that nags them less.

Or perhaps even worse, conditions them to bypass any nags automatically without thought as to if they should or not.

[acdha]

> At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.

If you follow the Mozilla security blogs, they've spent the last couple of years removing the ability of not-quite-malware to alter the browser without both the user opting-in and having an easy way to disable anything if they change their mind. That doesn't stop outright malware but it removes one of the legal fig-leaves which ad-ware vendors rely on and exactly supports your stated goal above by allowing a user to learn how to manage add-ons and remove something annoying without having their decision reset by the adware.

The real problem, however, is that it's currently fantasy to assume that any has enough information to make these decisions because a) the permissions models are still basically all-or-nothing and b) the halting problem has not yet been solved. Unfortunately, it's not just a question of tweaking the permissions models – as Android has shown, all that does is train users to approve blindly because every single app requests access to just about everything. That's not something we can fix overnight because it involves both things like better permissions models and changing the structure of the environment to be closer to something like WebIntents where many classes of add-on are only executed in response to specific user actions.

Until we reach that promised land, however, I don't see the big deal to Mozilla requiring you follow a free signing process for an extension so add-ons can easily be killed if needed and publishing something deceptive will require you to burn a developer account. It's not like they're talking about anything based on the content of the add-on.

[sp332]

In this case, the opt-out is to download the unbranded version of the browser. It's identical to the normal version but it doesn't use Mozilla's trademarks (logos etc) and won't require signed extensions.

[sonnyp]

true but if Malware.exe ships with an addon, it could tweak Firefox user profile to allow the addon install

[tokenizerrr]

It could also patch firefox.exe to allow it. Or, just run in the background in its own process because malware.exe is already running. Once you have malicious binaries running on the user's computer all bets are off.

[acdha]

This is partially true – code-signing defeats it on modern operating systems – but don't forget that much of the problem isn't outright malware but rather ad-ware like the ask.com toolbar where the companies try to claim that users chose to enable it to avoid prosecution or lawsuits.

This is a relatively minor change but the automated checks prevent some of the more blatant abuse and, more importantly, the fact that you can't just anonymously upload code forces shady companies to leave more of a paper-trail.

[tokenizerrr]

My windows box will still happily run unsigned binaries, so I don't see how code-signing would help it there. Unless you were not referring to regular windows/linux as modern. I'm not sure if there's anything special with regards to replacing signed binaries with unsigned ones, but if so you could just put the binary elsewhere and replace the shortcuts.

With regard to the ad-ware like toolbars, is that really reason enough to lock everyone into a walled garden? I'd rather deal with the occasional toolbar than only being allowed run blessed extensions.

[acdha]

> My windows box will still happily run unsigned binaries, so I don't see how code-signing would help it there. Unless you were not referring to regular windows/linux as modern

Close: it's not the OS flavor so much as the security configuration. All of the major operating systems can be configured to restrict execution – whether that's mandatory code-signing, only running code from white-listed restricted directories, etc. this can be used by a security-aware admin to prevent whole classes of attacks or escalation for successful attacks.

That's the default on OS X but can also be enabled if you're willing to break with tradition on most other operating systems. That certainly has a compatibility cost but much of that cost is born by users who don't benefit from it.

> With regard to the ad-ware like toolbars, is that really reason enough to lock everyone into a walled garden?

First, the nakedesecurity writer used a click-bait headline to troll for clicks but that hinges on a redefinition for the accepted meaning of “walled garden”. It's highly misleading since Mozilla isn't charging for signatures or deciding which companies are allowed to publish add-ons.

Second, millions of people are affected by dishonest software. I'm not terribly enthusiastic about needing to sign things now but I'm not cavalier enough to dismiss the argument that a minor inconvenience for a few developers is worth more than improving the average user’s experience. Any time I look at my front-end JavaScript logs, I'm reminded of just how many people are browsing the web with untrustworthy code injected into every page.

[sonnyp]

Not if it is signed or doesn't have write permissions.

[tomp]

You argument is basically: "if a user installs the virus, the virus will make sure that the user will install the virus". Nonsense.

[barrkel]

Malware.exe doesn't need Firefox to do its dirty work.

[sonnyp]

No but it degrades Firefox user experience and that's bad for Mozilla.

[mbel]

Theoretically Malware.exe could be able to replace (or alias, or provide a convenient shortcut on Windows' desktop) the Firefox binary with one, that does not perform a certificate check. It is hard to protect user from something that is already running on their computer.

[Lawtonfogle]

In which case, for the user's safety, we need to remove the ability to download exe's. Disabling won't be good enough; they may follow steps to enable it not knowing what they are doing.