Mozilla to require add-ons to be signed in the future
I published an article just yesterday about unique Firefox extensions praising the extension API of the web browser.
Mozilla announced today that it will introduce extension signing later this year, which changes several processes for extension developers and many users of the browser.
Before we look at the reasoning behind the move, let's take a look at what extension signing means, how it is implemented and what impact it will have.
Extensions that developers submit for hosting on Mozilla's add-on repository get signed if they pass the review process once the system is in place. Existing extensions that are already published on the site will be signed automatically.
Extension developers who don't host their extension on the add-on repository will need to create an account on the site and submit the extension to Mozilla for review if they want to make it available for Stable or Beta versions of Firefox.
An extension that is submitted this way does not need to be listed publicly and, if it passes all checks, it will be signed just like any other extension.
Mozilla is working on a third option that it wants to offer for extensions that are not offered publicly at all, but it has not yet revealed the process for these extensions.
Unsigned extensions cannot be installed in Firefox Stable or Beta anymore after a period of two release cycles where warning messages are displayed to inform users and add-on developers about the new process. According to Mozilla, there won't be an override switch or config parameter to bypass this once the blocking is in effect.
Developer and Nightly versions of Firefox are not affected by this; these versions will support unsigned extensions just like before.
Only add-ons are affected by the change. Themes and dictionaries are handled just like before.
Impact
Little changes for add-on developers who upload their add-ons to Mozilla's add-on repository already.
The only change for them is that they may need to use Developer or Nightly versions of Firefox for testing as they won't be able to use stable or beta versions anymore.
The situation is different for add-on developers and companies who don't publish their add-ons on the official website. If they want to continue offering the extension to the majority of Firefox users, they need to create an account on the site and go through the upload and review process each time they create or update extensions.
It is theoretically possible to limit the extension to Developer and Nightly users only and nothing would change in this case.
Firefox users who run stable or beta versions of the browser won't be able to install unsigned extensions. The impact may be low but there is one caveat that users may run into: previous versions of extensions on the Mozilla site won't be signed.
Another issue is that modified extensions cannot be installed anymore unless you go through the same signing process as add-on authors.
The Firefox installation process will change as well. When you click on the add to Firefox button, Firefox will check if the extension is verified. If it is, it will make available the install button which you need to click to install it. You see a mockup of the process above.
Members of the SeaMonkey and Pale Moon development teams mentioned that they won't implement the feature.
When will this take effect?
Mozilla plans to display warning messages in the second quarter of 2015, likely with the release of Firefox 39 which, according to the Firefox release schedule, will land June 30, 2015.
Warnings are displayed in the next two release cycles (12 weeks from the release of Firefox 39) after which the permanent blocking of unsigned extensions will take effect.
What is the reason behind the move?
The main reason behind the move is to improve the security and privacy of Firefox users. The current process is impracticable, as it relies on Mozilla's blocklist feature to block malicious extensions in the browser.
To block an extension, Mozilla needs to know about it first.
The organization hopes that the new process reduces the number of malicious extensions for Firefox and the impact that these extensions have.
Assuming that malicious extensions won't be signed by Mozilla, these extensions cannot be installed by Firefox users in stable or beta versions of the browser.
The impact is therefore reduced to Developer and Nightly versions, which make up only a tiny percentage of all installations.
Mozilla's approach is different from that of Google. While Google has a similar process in place, it requires that extension developers host their extensions on the Chrome Web Store. There is virtually no option to not host it there while Firefox developers still have options to host it on Mozilla AMO or on their own sites.
Now You: What do you think, how big of an impact will that change make?