New policy turns Firefox into a walled garden, and no one is safer for it.

Recently Mozilla announced they will soon require all Firefox add-ons to go through AMO review and code signing, even self-hosted add-ons outside of Mozilla’s Add-ons site. Mozilla reasons that this change will improve the security and performance of Firefox add-ons, and prevent malicious add-ons from being distributed. Unfortunately, mandatory review does nothing to address the underlying security problems that plague add-ons in the Firefox browser; it needlessly inconveniences (and possibly endangers) both developers and users, and ultimately violates the core principles set forth in the Mozilla manifesto and the spirit of Free Software.

According to Mozilla’s Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

This is true, but there’s a root problem that they’re failing to address, and which locking down their platform does nothing to mitigate: the Firefox add-on security model is completely broken (well, non-existent). Add-ons execute with full control over the browser, and no meaningful sandboxing exists to prevent an add-on from behaving maliciously, including accessing the file system or stealing data from other add-ons.

A year ago, my brother and I had to abandon plans to release a Firefox version of Turtl, our encrypted storage app, because it is impossible to prevent another add-on from stealing the user’s encryption keys and spying on their activity. This same issue applies to anyone using Firefox extensions implementing OpenPGP.js or other encryption protocols.

Mozilla’s AMO review requirement is a non-solution to the problem of their non-existent add-on security, akin to a Band-Aid over a shotgun wound. We are forced to trust that their volunteer reviewers will find all possible hidden attack vectors in all add-ons, an unrealistic proposition given the volume of submissions and the sophistication of modern malware.

Other browsers, such as Chrome and Safari, have succeeded in sandboxing add-ons away from each other and from the browser itself, through carefully designed APIs and by showing the user what permissions an add-on needs in order to run. As the years have dragged on and Mozilla has released numerous breaking changes to their Add-on SDK, I’ve held out hope that they would eventually retrofit the Firefox browser with meaningful extension security. Now, with Mozilla’s latest announcement, I’m pessimistic this will happen.

Developing extensions for Firefox has never been fun. You have to install their SDK on your computer and run commands in the console to develop and test (compared to Chrome and Safari, which are easy and let you develop in-browser). And I mentioned breaking changes. In the two years I’ve been maintaining my Flagger extension for Chrome and Firefox, there have been zero breaking API changes on the Chrome side, and numerous on the Firefox side. And you have to keep up with these with each browser release, or your add-on will cease to function.

But the worst, most frustratingly obtuse part of developing for Firefox has always been their AMO review process. If you actually want to have an add-on listed for download in the Mozilla store, and your add-on doesn’t pass their automated tests (which it won’t, if it does anything useful), you have to wait weeks for volunteers to review your code. And if they have any questions, they’ll bump you to the back of the review queue.

I actually worked for a large antivirus company that got so fed up with AMO that they gave up on the signing and review process and self-hosted their Firefox extension. They couldn’t rely on Mozilla’s reviewers to work fast enough if they needed to release a critical update to the code, and the ability to self-host and push out updates via SSL, without any third-party review, gave them the flexibility to self-manage their extension security. Now Mozilla is taking that away.

By forcing developers to go through a lengthy review process to get an extension approved or to release critical security updates, Mozilla risks alienating developers and making extensions less secure when they can’t be patched in a timely manner.

Mozilla is abandoning their core principles.

Protecting users is a noble goal, but Mozilla shouldn’t compromise the spirit of Free Software, and their own core values to get there. According to Mozilla:

Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Mozilla’s extension review process does nothing to address the fundamental security problems in their browser, and making it mandatory will only instill a false sense of security in the users it is meant to protect. In this day of sophisticated weaponized malware, a well-crafted malicious add-on could slip through the review process, and—once installed—the non-existent security model in Firefox could place users under increased risk of surveillance or government retaliation. For political activists, and others relying on encryption add-ons, a false sense of security is worse than no security.

And, potentially a more esoteric concern: mandatory code signing puts politically dissident developers at risk. Previously, it has been possible to release extension code anonymously, allowing developers to make political statements with their extensions. Forcing developers to create a developer account with a third party (even a “trustworthy” third party like Mozilla) exposes them to risk from hostile governments if Mozilla’s service is compromised.

The effectiveness of the Internet as a public resource depends upon interoperability (protocols, data formats, content), innovation and decentralized participation worldwide.

“Decentralized participation” is impossible if Mozilla has veto power over any extension for their browser. This goes against the spirit of Free Software. Mozilla has long stood against companies like Apple, who create walled gardens around their application ecosystems. Now it seems to be joining their ranks. It’s a shame their users won’t be any safer for it.

It doesn’t have to be this way.

Mozilla doesn’t have to abandon their core principles and alienate the Free Software community to protect users. They need to look at what other browsers have been doing for years, learn from it, and do some hard work. In particular:

Security sandboxing for the Mozilla Add-on SDK is long overdue.

Add-ons shouldn’t run with full God-mode authority over the entire browser. They should be confined to a sandbox and not allowed to pull data from the user or other add-ons without going through established APIs. Using the SDK should be mandatory for extensions targeting newer versions of Firefox.

Add-ons should report what permissions they need. Users should be able to review and approve this conditionally.

If an add-on wants to see my browsing history or inject content onto pages I view, it should explain this to me, the user, and let me approve or deny it. This is one thing iOS apps do well.

Add-ons should only be able to install via express user permission.

Malicious software running on a computer should not be able to sideload add-on installations into the browser without the user’s knowledge or consent.

Add-on activity should be more transparent to the user.

Users should be able to know when an add-on sends data to a third party server, or injects cookies or scripts onto a page. A bit of transparency could go a long way in helping people decide for themselves whether the add-ons they have installed are really helping them.

Improve the AMO review experience.

AMO review is not the silver bullet for add-on security, but the process is so difficult to get through right now that many developers just give up. Mozilla should prioritize reviewer support to improve transparency and turnaround time.

If nothing else, make code signing optional for experienced users.

People should be able to install any software they want on their computers, and experienced users should be given the option of disabling the signature check. Right now, Mozilla is saying there won’t be an option. It’s not their place to protect people from themselves.
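To make the sandboxing, declared-permission and transparency proposals above concrete, here is an added example in JavaScript. It is not code from this post, from Mozilla, or from any browser; it is a toy permission broker of the kind being argued for: an add-on declares what it needs, the user grants a subset, the broker hands the add-on an API object that only works for granted permissions, keeps each add-on’s storage isolated from every other add-on’s, and records every privileged call so the user can see what an add-on actually did. The add-on IDs, permission names, API surface, approval callback and browser state are all assumptions made for the illustration.

```javascript
"use strict";

// Added example, not code from the post or from Mozilla: a toy permission broker
// sketching the model the post argues for (declared permissions, conditional user
// approval, per-add-on isolation, a visible activity log). All names are hypothetical.

// Permissions an add-on may declare; anything else is rejected at install time.
const KNOWN_PERMISSIONS = new Set(["history", "storage", "network", "inject"]);

// Constructed browser state standing in for real browser internals.
function makeBrowser() {
  return {
    history: ["https://example.com/", "https://bank.example/accounts"],
    injected: [],   // {addon, url, script}: scripts an add-on pushed into pages
    requests: [],   // {addon, url}: outbound requests made on behalf of add-ons
  };
}

class Broker {
  // approve(addonId, requested) is the user's decision: it returns the subset
  // of the requested permissions the user is willing to grant.
  constructor(approve, browser = makeBrowser()) {
    this.approve = approve;
    this.browser = browser;
    this.grants = new Map();  // addonId -> Set of granted permissions
    this.stores = new Map();  // addonId -> private key/value store
    this.audit = [];          // every privileged call, allowed or not
  }

  // Install: validate the manifest, ask the user, remember only what was granted.
  install(manifest) {
    const { id, permissions } = manifest;
    for (const p of permissions) {
      if (!KNOWN_PERMISSIONS.has(p)) throw new Error(`${id}: unknown permission "${p}"`);
    }
    const granted = new Set(this.approve(id, permissions));
    for (const p of granted) {
      if (!permissions.includes(p)) throw new Error(`${id}: "${p}" was never declared`);
    }
    this.grants.set(id, granted);
    this.stores.set(id, new Map());
    return granted;
  }

  // The only way an add-on touches the browser: a per-add-on API object whose
  // every function checks the grant and records the call before doing anything.
  apiFor(id) {
    const granted = this.grants.get(id);
    if (!granted) throw new Error(`${id}: not installed`);
    const store = this.stores.get(id);
    const guard = (perm, action, fn) => (...args) => {
      const allowed = granted.has(perm);
      this.audit.push({ addon: id, action, allowed, args });
      if (!allowed) throw new Error(`${id}: "${perm}" not granted, refusing ${action}`);
      return fn(...args);
    };
    return {
      // Storage is namespaced per add-on; no API exposes another add-on's store.
      storageGet: guard("storage", "storage.get", (k) => store.get(k)),
      storageSet: guard("storage", "storage.set", (k, v) => { store.set(k, v); }),
      historyList: guard("history", "history.list", () => [...this.browser.history]),
      fetch: guard("network", "network.fetch", (url) => {
        this.browser.requests.push({ addon: id, url });
        return `response from ${url}`;
      }),
      injectScript: guard("inject", "inject.script", (url, script) => {
        this.browser.injected.push({ addon: id, url, script });
      }),
    };
  }

  // What a user would be shown: every privileged action one add-on attempted.
  activityOf(id) {
    return this.audit.filter((e) => e.addon === id);
  }
}

// Walk through the scenario from the post: an encryption add-on beside a hostile one.
function demo() {
  // Constructed user decision: grant whatever is asked except history access.
  const user = (_id, requested) => requested.filter((p) => p !== "history");
  const broker = new Broker(user);

  broker.install({ id: "vault", permissions: ["storage", "network"] });
  broker.install({ id: "adware", permissions: ["storage", "history", "inject"] });

  const vault = broker.apiFor("vault");
  vault.storageSet("master-key", "constructed-secret-key-material");

  const adware = broker.apiFor("adware");
  const stolenKey = adware.storageGet("master-key");   // reads its own empty store
  let historyDenied = false;
  try { adware.historyList(); } catch (_e) { historyDenied = true; }
  adware.injectScript("https://example.com/", "ad.js");

  return {
    stolenKey,                                          // undefined: isolation held
    historyDenied,                                      // true: user withheld "history"
    vaultStoreIntact: vault.storageGet("master-key"),
    adwareActivity: broker.activityOf("adware").map((e) => `${e.action}:${e.allowed}`),
  };
}
```

The two properties the post cares about fall out of the design rather than of review: the hostile add-on cannot read the vault’s key because no API reaches another add-on’s store, and the history call fails because the user withheld that permission at install time. The audit trail (`activityOf`) is what a transparency UI would render, including the denied attempt, so a user can see an add-on probing for access it was never given.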

Please, Mozilla. Don’t be Apple.

Update 2015-02-12: I’ve posted a proposal on Mozilla’s newsgroup for a cryptographically secure method of opting out of the extension signing requirement. While this doesn’t fully address my concerns about adding DRM to the Firefox browser, I see it as an acceptable compromise.