Mozilla starts signing add-ons for future Firefox versions
Mozilla has started signing add-ons for Firefox. Future versions of the browsers will only allow installation of add-ons signed by Mozilla, but it will still be possible to release add-ons outside of the addons.mozilla.org site.
Currently, rogue add-ons can nestle in Firefox because no checking process is applied to effectively check the operation of an extension. As a result, malware makers, among others, have put add-ons into circulation that, for example, change the start page or even inject advertising or malware. Mozilla previously tried to counter this phenomenon by blocking such add-ons via a blacklist, but according to the browser builder, this method can no longer be sustained because the list can be circumvented and there are now too many rogue add-ons in circulation.
To curb the spread of malicious add-ons, Mozilla has decided that future Firefox versions will only accept add-ons that have a signature. On the portal addons.mozilla.org, all checked add-ons will be automatically signed in the coming weeks. In about 12 weeks, Mozilla will release new Firefox versions that accept only signed add-ons; no command-line options will be available to disable this check.
Developers who want to offer add-ons outside of Mozilla’s portal will not be banned. The browser builder consciously says that it does not want to become a ‘walled garden’ such as the App Store or the Chrome App environment, but the developers concerned must from now on have their creations signed by uploading them to Mozilla’s signing servers. To develop and test add-ons, they can use the nightly and developer versions of Firefox that do not include a signed add-on control mechanism. Developers who want to install add-ons via sideloading in Firefox will now have to submit a request to Mozilla for manual approval.
Mozilla believes full implementation of the new control mechanism will be completed in the second quarter of this year. There are currently no plans to adopt the system among the Thunderbird developers, who develop the email client within the separate Mozilla Foundation.