My Write-Ups

Mozilla addon signing policy

Browser extensions are wonderful. Nearly every day I come across a new Firefox extension that customizes my browser in some creative way I’d never even considered. Some provide amusement for a short time, while others have become indispensable to my work and life. Extensions are a real-world manifestation of one of Mozilla’s core principles — that individuals must have the ability to shape the internet and their experiences on it.

Mozilla’s policy ensures that no unreviewed code is ever loaded into the browser, and enforced signatures prevent reviewed code from being altered after release. – Mozilla blog

Something has scared me about Mozilla’s addon signing policy ever since it was first announced: extensions that are designed specifically to let users write their own addons, such as Greasemonkey, Violentmonkey, Tampermonkey. They seem to blast a gaping hole in Mozilla’s addon review process. I’ve used the various monkey addons (currently preferring Violentmonkey) to write countless little scripts over the years to fix little things (or big things) with websites that irritate me. I’m scared that one day Mozilla will decide that script addons are “dangerous”, since they provide an addon platform within an addon platform, and outlaw them. And then what will I use? Bookmarklets? Or will they ban those too?

Mozilla sold the addon signing requirement as a way to stop malware, but I never understood how it could help, because malware that can edit someone’s Firefox profile to install an addon can do unlimited other malicious things to undermine it. I worry because I don’t quite understand how far Mozilla will go to try to lock down the browser.
