Mozilla’s Add-On File Registration System has Serious Consequences for Some Developers

Given the potential for Apps riddled with malware and Apps that are just poorly designed, this move was more-or-less inevitable …

If you are a developer, you currently have two options for distributing your add-on to the Firefox community. You can go the official route: create an account over at Mozilla AMO, upload your add-on to the official site and distribute it through it. Or you can avoid this altogether and distribute the add-on exclusively via third-party sites or software installations. Most add-ons, as far as I can tell, are offered on the official website. Some popular ones are not, like HTTPS Anywhere for example, which is only distributed via the EFF site directly.

The main problem with these third-party hosted add-ons is that they have not been tested for malware or other code that may impact the user in a negative way.

For Mozilla, the situation is even more complicated. It is sometimes difficult to get hold of these add-ons, for example when they are mentioned in bug reports, as there is not always a direct way of downloading and installing them.

This is the case when add-ons are distributed solely in installers, for instance in the wrappers that many download portals use these days to generate extra revenue.

Add-on File Registration System

The Add-on File Registration System is part of the larger AMO Squeaky project which aims to improve the user experience surrounding add-ons.

Note: AMO refers to the official Mozilla Add-on repository.

The main idea behind the project is to make it mandatory for add-on developers to submit their add-ons to the registration system before they can be installed in the browser.

Nothing changes for developers who distribute their add-ons via the official add-on repository on the Mozilla website, as registration will simply be added to the existing process.

Developers who do not use the official site to distribute their add-ons, on the other hand, will have to submit them to the index by uploading them to the Registration System. If they do not, Firefox won’t install their add-ons. The add-ons that they upload won’t be published on AMO or anywhere else.

Doing so ensures two things:

  1. Mozilla has access to all Firefox add-ons regardless of how they are distributed.
  2. All add-ons are checked for malicious code.

Files that are uploaded this way are scanned for malicious code and then hashed twice (once packed, once unpacked) if found clean. It is likely that Firefox will use the hash to determine whether add-ons can be installed in the browser or not.

On the user side of things

When users try to install unregistered files, they will receive a message informing them that the add-on cannot be installed. Mozilla plans to introduce this over a transition period. In the first phase, errors are only displayed in the Browser Console and the add-ons are installed as before. In the second phase, the notification message is displayed, with an option to override it so that the add-on can be installed anyway.

Once the transition period is over, the message will be displayed without any option to override it. If extensions are side-loaded, a message about the integration will be displayed in a browser tab, informing users of the same consequence.

Add-ons will be installed if connection errors are encountered during validity checks. Mozilla plans to run periodic registration checks for all add-ons to discover extensions that should not have been installed.
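The double hashing and the phased install check described above can be sketched as follows. This is an added example, not Mozilla's code: SHA-256, the way the unpacked contents are serialized, matching on either hash, and all function names are assumptions, since the proposal as described here does not specify them.

```python
import hashlib
import io
import zipfile

def build_xpi(files, compression):
    """Pack {name: bytes} into an XPI (a ZIP archive) with fixed timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(zipfile.ZipInfo(name), data, compress_type=compression)
    return buf.getvalue()

def packed_hash(xpi):
    """Digest of the archive bytes exactly as distributed."""
    return hashlib.sha256(xpi).hexdigest()

def unpacked_hash(xpi):
    """Digest of the extracted contents: sorted names and bytes, length-prefixed."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        for name in sorted(z.namelist()):
            for part in (name.encode("utf-8"), z.read(name)):
                h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

def install_decision(xpi, registry, phase, lookup_ok=True, user_override=False):
    """Return (install, reason) for transition phase 1, 2 or 3 (3 = after transition)."""
    if not lookup_ok:  # connection error: the article says the add-on is installed
        return True, "lookup failed: installed, left to the periodic re-check"
    if packed_hash(xpi) in registry or unpacked_hash(xpi) in registry:
        return True, "registered"
    if phase == 1:
        return True, "unregistered: error logged to Browser Console only"
    if phase == 2:
        return user_override, "unregistered: warning shown, override allowed"
    return False, "unregistered: blocked, no override"

# Constructed sample add-on and registry (not real Mozilla data).
FILES = {"install.rdf": b"<RDF/>", "bootstrap.js": b"function startup() {}\n" * 20}
STORED = build_xpi(FILES, zipfile.ZIP_STORED)
DEFLATED = build_xpi(FILES, zipfile.ZIP_DEFLATED)  # same files, repacked
MODIFIED = build_xpi({**FILES, "bootstrap.js": b"changed"}, zipfile.ZIP_STORED)
REGISTRY = {packed_hash(STORED), unpacked_hash(STORED)}

if __name__ == "__main__":
    print("repack keeps unpacked hash:", unpacked_hash(STORED) == unpacked_hash(DEFLATED))
    for phase in (1, 2, 3):
        print(phase, install_decision(MODIFIED, REGISTRY, phase))
    print("offline:", install_decision(MODIFIED, REGISTRY, 3, lookup_ok=False))
```

Repacking the same files changes the packed hash but not the unpacked one, which is one reason to record both. The last call shows that a failed lookup installs even an unregistered file, so enforcement in that case rests on the periodic re-check.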

Add-on developers do not have to register their test versions. Mozilla is currently considering two options:

  1. A startup switch that overrides the registration check
  2. A whitelisting approach to whitelist specific add-ons based on ID.

Closing Words

The proposal tries to create a registration system for all add-ons created for the Firefox web browser to improve the user experience by scanning all add-ons available for the browser and making them available to Mozilla for further investigation and reference.

This should, in theory, reduce the chance that malicious extensions are installed in the browser. A positive side effect may be that some companies that like to distribute add-ons via third-party software installations stop doing so because of the new requirement.

It is however also likely that some add-ons that are currently offered via third party sites won’t be uploaded to the new system, for instance if they have been abandoned by their developers or if the developer does not want to go through that process every time the add-on is updated.
