view the rest of the comments
Firefox
The latest news and developments on Firefox and Mozilla, a global non-profit that strives to promote openness, innovation and opportunity on the web.
You can subscribe to this community from any Kbin or Lemmy instance:
Related
- Firefox Customs: !FirefoxCSS@fedia.io
- Thunderbird: !Thunderbird@fedia.io
Rules
While we are not an official Mozilla community, we have adopted the Mozilla Community Participation Guidelines as far as it can be applied to a bin.
Rules
-
Always be civil and respectful
Don't be toxic, hostile, or a troll, especially towards Mozilla employees. This includes gratuitous use of profanity. -
Don't be a bigot
No form of bigotry will be tolerated. -
Don't post security compromising suggestions
If you do, include an obvious and clear warning. -
Don't post conspiracy theories
Especially ones about nefarious intentions or funding. If you're concerned: Ask. Please don’t fuel conspiracy thinking here. Don’t try to spread FUD, especially against reliable privacy-enhancing software. Extraordinary claims require extraordinary evidence. Show credible sources. -
Don't accuse others of shilling
Send honest concerns to the moderators and/or admins, and we will investigate. -
Do not remove your help posts after they receive replies
Half the point of asking questions in a public sub is so that everyone can benefit from the answers—which is impossible if you go deleting everything behind yourself once you've gotten yours.
I know it says the extension is not available from the Firefox addon site if using Russian IPs, but I wonder if they have also gone so far as to make the browser itself not be able to install them in other ways. I would guess they have not, since that would mean a complicated setup in terms of the signatures, like they would have to have a separate FF version and set of signatures per country, or use a central server to authenticate things rather than client validation of signatures. In that case it would be easier to find the addon file somewhere other than the store and install it, since using unsigned addons requires installing a whole separate version of Firefox.
Even if that's how it is this whole thing still illustrates that prohibiting unsigned addons from being installed is user-hostile, because on an ideological level Mozilla probably would use that power to advance state censorship if it came down to it.
Ah yeah, true, getting just the signed XPI should work as well.
And well, it is tricky. The signing requirement allows them to block malicious add-ons, which could also be used for state censorship.
I think, offering a separate path for people to install unsigned extensions, if they need it, while blocking them for the majority and therefore making them inviable for malware to target, that's in principle a smart compromise.
Also, side-note: Folks who are on Linux likely don't need to install a separate version of Firefox. Linux distros tend to compile with the unsigned extension support enabled (just need to toggle the flag in about:config).
I guess in this case the malware angle means it's probably better to require signing, since maybe Russia could successfully distribute malicious fake versions of these extensions otherwise. Still, the centralization here is worrying.