Fear And Loathing In the App Store 10 - Firefox Gets A Walled Garden
Friday, 20 February 2015
Security is important. However, the steady creep of the walled garden limits programmer freedom. Now Mozilla has announced that Firefox extensions will have to be signed - by Mozilla.
Browser extensions aren't as vital to the developer economy overall as standard apps, but if you are thinking of creating one for Firefox you need to know that the terms and conditions are about to undergo a big change.
As of the second half of 2015, all Firefox extensions will have to be signed by Mozilla to work.
Previously Mozilla ran Addons Mozilla Org, or AMO, an app store for extensions and, to get into AMO, your extension had to conform to a set of guidelines. In addition, any malware extensions that are installed from other websites, i.e. not from the safe AMO site, can be blocklisted. This means that Mozilla can disable any malware extensions remotely.
This would seem to be enough to make Firefox safe.
However, it now seems that finding and keeping track of malware extensions is too much for Mozilla, which also points out that developers have devised ways of hiding their malware and increasing the workload.
Google solves the problem by only allowing extensions that have been installed from its own website to work. Mozilla plans to solve the problem by signing extensions on the following terms:
So in the future Firefox will only work with extensions that have been signed, no matter where they come from. This raises the question of what happens to a non-public extension and what happens while you are developing one? So far there is no news on how this will be handled.
Unsigned extensions will work for 12 weeks, but will generate a warning.
The really draconian part is:
If you want to try out your unsigned extension it seems at the moment that you need to run the Nightly or the Developer Edition. So testing on the production version is very likely not going to be possible.
On the plus side, Mozilla says that the user install experience will be improved.
As I said at the start, security is important, but so is freedom and this particular mechanism has no opt out clause.
It doesn't matter how much you know, you can't opt to install an unsigned extension.
What is also very clear is that it won't take long for malware programmers to work out ways around the safeguard. While we are kept out of the walled garden, the malware programmers will simply spend the extra time and find a way to tunnel under it.
Notice that the validation step is automatic, which means that the extension is simply scanned to see if it does things that are known to be potentially risky. However, in the right hands we all know that "potentially risky" is another way of saying "definitely powerful". So if you want to build an extension that does something amazing it will probably trip the wire and send your extension for a long manual examination - like that is going to reduce Mozilla's workload.
It is sad that one of the biggest icons of open source is closing things down with such inflexibility. It is simply adding to the list of organizations from whom we have to ask permission to run our programs.
Last Updated ( Wednesday, 20 January 2016 )