With Tuesday’s release of Firefox 40, Mozilla has begun the process of requiring all add-ons for the browser to be signed. The company announced the forthcoming change in February, and Firefox 40 is the first version to warn users about unsigned add-ons.
The goal of the policy change is to protect users from malicious extensions and add-ons, a problem that has arisen in various browsers over the years. Google has taken the approach of only allowing developers to distribute extensions through its Chrome Web Store.
“However, we believe that forcing all installs through our distribution channel is an unnecessary constraint. To keep this balance, we have come up with extension signing, which will give us better oversight on the add-ons ecosystem while not forcing AMO to be the only add-on distribution channel,” Jorge Villalobos of Mozilla said in a blog post announcing the change in February.
The next version of Firefox will have an option that allows users to enforce signatures on add-ons, though users will be able to set the preference themselves. Starting with Firefox 42, however, signatures will be enforced on all add-ons in both the beta and release versions of the browser. Developers will have to get the signatures through Addons.mozilla.org.
“Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn’t pass review, the developer will have the option to request a manual review, which should take less than two days. This is not the same process that currently applies to AMO add-ons, which has been typically slower,” the Mozilla wiki says.
In addition to add-on signing, Mozilla has also expanded its warnings about malicious and unwanted software in Firefox 40. Users will now see a special warning dialog when they visit a page that contains unwanted software.
“When downloading a file of a type that usually contains Windows or Mac executable code (for example, .com, .exe, .msi, .app, .dmg) Firefox asks Google’s Safe Browsing service if the file is safe by sending it some of the download’s metadata (file type, name, size, hash, URL, locale). If the file is flagged as harmful by this service, the download manager will block access to the file until the user performs a right-click, and unblocks it manually,” Francois Marier, a security and privacy engineer at Mozilla, said in a blog post.