As I read the responses here I think the biggest problem with the
current add-on sighing plans is that developers will be inconvenienced
too much. There were already developers writing here how important it is
for them to send test builds of their extensions to their users for
testing, one of them even said they lost almost all of their Chrome
testers after Google enforced a similar mechanism. I think these are
very serious problems because this will hinder add-on development
process and as a result the whole Mozilla ecosystem will suffer.
There needs to be a way to run unsigned add-ons in a regular release.
There are a couple of options:
1. Use a secure vault provided by an OS to store permissions for running
each unsigned add-on. These systems are already used by some
applications for storing passwords in an encrypted form, for example:
- Netbeans FTP passwords:
http://wiki.netbeans.org/FaqMasterPasswordDialog
- SVN passwords:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache
Firefox could use the OS secure store to save the permission to run a
particular extension. In other words, unsigned extensions are always
disabled by default. The only way to run then would be to open Fx
Add-ons Manager and choose to run an unsigned extension - Fx would then
save the permission flag (probably in a form of a hash of the add-on ID
and/or XPI digest) into the OS vault. On Windows this would be by means
of logon authentication and the permissions would be non-transferable
across systems or OS accounts and would be lost on OS password change -
that would be fine.
It's possible this could be circumvented by a malicious application but
would be much more difficult than without any protections now. This
would not be 100% undefeatable but I don't think it has to be - if
malicious installers find it too hard to circumvent Mozilla signing
requirement then if they are determined they will simply move to other
points of attack. An installer runs with administrative rights and it
can manipulate applications in all kinds of ways and change Firefox
behaviour without having to side-load add-ons. This can't be remedied
and no air-tight signing mechanism will prevent it.
Other solutions:
2. Require a master password and use it to allow running unsigned
add-ons. A user would have to enter the master password when choosing to
run an unsigned extension in the add-ons manager and then the permission
to run would be saved in an encrypted form (the master password being
the encryption key, of course). On every new Firefox starup the user
would have to provide the master password to run the unsigned
extensions. The extensions could even be encrypted with the master
password! No installer would be able to bypass the mechanism without a
clear user consent and requiring to enter the master password. This
would make it relatively pain free for regular users to test extensions
sent to them outside any official channels. The master password could be
combined with the current master password in Fx so as not to require two
separate passwords for different things.
3. Extension of the previous idea: apart from master password allow
using a secure key that could be loaded by Fx from a USB drive, network
drive, etc. allowing to skip the need for entering the password.
However, this could be too easy to set up the system drive for the key -
that would need to be further discussed.
4. Provide an option (on installation) to get the unbranded build to
install with a name similar to the official Firefox, preferably having
the word "Firefox" as part of the name and a similar icon. Then
people/companies really needing full freedom could switch to these
builds without introducing uncertainty among the users as to what
browser this really is. The about: page could describe how the build
differs from the regular Firefox.
I think the current proposal is too restrictive and will make Firefox a
walled garden. The price for that is very high and it's both problematic
for users and for developers. Remember that malicious software will
always find a way to mess up with installed browsers and you can't
prevent that with a strictest add-on signing mechanism. Therefore, it
doesn't make sense to make it too strict because you will never achieve
the ultimate goal of preventing malicious manipulations and when it's
too strict many developers will cease to contribute or will contribute
less - because the whole process will become too cumbersome.