One of the things that makes Mozilla’s Firefox browser so powerful is its support for third-party add-ons and extensions that can change the look or behavior of the browser. But some extensions could also pose risks or hijack your browser.

Earlier this year Mozilla announced plans to phase out support for unsigned extensions. Among other things, the move is designed to prevent extensions that you never meant to install from taking over your browser. And now we’re getting closer to the implementation of that plan.

The latest version of Firefox (version 40) now shows a warning when you attempt to install an unsigned browser extension. Firefox 42 won’t let you install unsigned extensions at all.


Firefox 42 is currently available as an “aurora” pre-release build. When the beta launches on September 21st, it will no longer support unsigned extensions.

Firefox 42 is scheduled for a full release on November 3rd. That’s when it will roll out to all users.

Generally speaking, the move is designed to help keep Firefox users safe from unwanted browser extensions that install themselves in order to make money through affiliate links, redirect website requests to alternate pages, or spy on users.

But the updated behavior could also have unintended consequences. While Mozilla will review and sign extensions submitted to addons.mozilla.org, some developers might want to distribute their add-ons through different channels, and older extensions may no longer be supported even if they’re safe.

Mozilla isn’t the only company to make this kind of move, though: Google no longer allows installation of Chrome browser extensions from outside of the Play Store. But at least Chrome offers exceptions for developers and enterprise users.

via Mozilla and Hacker News


8 replies on “Firefox 42 won’t support unsigned extensions”

  1. I don’t think this is going to affect most people at all.
    According to the FAQ here:
    https://wiki.mozilla.org/Addons/Extension_Signing

    “We automatically signed reviewed versions of all add-ons currently
    hosted on AMO. All new versions will be signed automatically after they
    pass review”

    AMO is the Mozilla Add On site:
    https://addons.mozilla.org/en-US/firefox/

    That is where 99% of users get their Firefox Add-Ons from. As I read that, even older, no-longer-updated but still-functioning extensions should be signed and working if they had been reviewed. And most have.
    I guess we’ll see.

  2. The link to the Moz wiki is broken, I suspect it should point to
    https://wiki.mozilla.org/Addons/Extension_Signing

    The discussion when this was initially unveiled was… heated, I guess you could say:
    https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/

    Unfortunately it has broken my Gnome 3 and Ubuntu extensions, so I will dig around in about:config to see if there really is a kill switch… looks like xpinstall.signatures.required=false

  3. It’s open source, right? Just build it without the check. (I’ve never built FF from source, so I’m not sure how hard it is.)

    I agree there should be some user override. Let people use and test malware if they want.

    1. It isn’t too hard to build on Linux, OSX is tougher (I haven’t tried in a while). No idea about Windows, but I would think it might be a little tricky.

  4. I’m sure someone will release a modified version. I trust my own choices and have not had any issues with noscript by my side. I don’t use any unsigned extensions but would definitely be seeking a modified install if possible just to avoid any speed bumps if the need does arise. Thanks for the info.

    1. The Mozilla Wiki states:

      The Developer Edition and Nightly versions of Firefox will have a setting to disable signature checks. There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build.

  5. If Moz forbids me from installing an extension I want to install I will replace it with a browser from a source that doesn’t think it knows more than I do. Protect the users by default, don’t assume they are all just sheep.
