More about Extension Signing

Back in February we mentioned Extension Signing Coming Later in 2015. Recently the Mozilla Add-ons Blog posted a follow-up, The Case for Extension Signing. There is a lot of interesting information in this article, including this very shocking statistic, which puts into perspective just how badly broken the current Mozilla Firefox add-on system is:

The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our addons.mozilla.org site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Many of the complaints I see at Go Firefox! are about these unwanted advertising/tracking add-ons (extensions/toolbars). The users can’t understand how these add-ons get installed. In almost every case it was something else they were installing which secretly added the add-on. Most of these software developers bury the option (usually under Custom Install) to install or not install the add-on. Then they try to protect themselves by disclosing (usually buried) in their End User License Agreement (EULA) or their Terms of Service that this extension is optional (in that you need to choose NOT to install it). Worse yet are the updates: updates for Anti-Virus programs and content plugins such as Flash and Java are almost always trying to sneak some type of add-on into Firefox. In the case of Adobe Flash, the option to opt out is in plain sight, but many users just keep clicking ‘next’ without paying attention to the prompts.

This is not the first time Mozilla has tried to get a handle on the installation of unwanted add-ons. Almost three and a half years ago, in November 2011 with Firefox 8, Mozilla introduced a couple of add-on control features. One of these features was to ensure that an add-on installed outside of Firefox would only be enabled if the user chose to do so. The user would get a pop-up message the next time they started Firefox following the installation of the add-on, asking if they wished to authorize this add-on. It looks like that mechanism is still there, but I’m guessing that, like so many other safeguard systems Mozilla has added over the years, it has been circumvented by these malicious developers.

Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons.

While Extension Signing may put a burden on developers who don’t host their add-ons on AMO, I think it is one of the better options. Some extension developers have asked about getting their own (code-signing) certificates.

The other common question is why developers can’t have their own certificates and sign their own add-ons. This would require Mozilla to function as a Certificate Authority which is currently not in our expertise. It also means we would not be able to run security scans on the add-on code. The only thing preventing a malicious add-on in that case would be the strength of our contracts requiring non-malicious code and our ability to bring legal action should those contracts be breached. This approach would favor established companies in jurisdictions where we have offices and would be extremely unfair to individual developers, especially those outside those regions. We feel the community would be better off if we put our resources into the review and scanning process that can treat everyone equally rather than setting up a certificate issuing infrastructure.

There are two problems I see with this scenario right off the bat. First, a code-signing certificate runs about $200 USD per year per extension. For many of these extension developers it is a side project. They saw something that could be changed in Firefox which they felt would be beneficial to the users. Developers are already burdened with the costs of the space as well as the bandwidth for hosting their extension(s). Most developers don’t charge for their extensions; they simply ask for a donation. So to add another $200 per year (again, per extension) would make it too costly for these developers to self-host their extensions (though I’m not sure of their reasoning for not hosting through AMO). Second, and more importantly, Mozilla (unlike Microsoft and Google) is a non-profit organization. I could foresee Mozilla taking “legal actions” as a major burden on their finances, which could result in them having to cut or even stop funding on other projects.