Firefox Add-on Certificate Expiration

The recent Mozilla hiccup with an expired add-on signing certificate was revealing. In one respect this episode was little more than simple human fallibility. Conversely, the event exposed some glaring problems with Firefox development and attitude.

  • A bunch of developers and engineers had not implemented any kind of auto-renewal or reminder.
  • Apparently all Mozilla-sanctioned add-ons are packaged with the certificate.
  • A certificate expiration disables all add-ons without user consent or knowledge.
  • Users were not warned or given any options after the certificate expired.
  • The certificate means all add-ons have an expiration date.
  • Disabling add-ons affected containers.
  • The Shield study program can be used to push anything to all users with that option enabled, without those users necessarily being fully informed.
  • Many users who depend solely on add-ons to block ads saw web sites infested with energy-sucking idiotic ads.
  • The unannounced loss of privacy-protecting add-ons might have exposed some users in a detrimental way.
  • A temporary hotfix opened a huge can of privacy-related worms.
  • Users on an ESR version who had add-on signing disabled through xpinstall.signatures.required did not have any add-ons disabled.

Signing add-ons is a sane idea. Not letting users disable signing is a bad idea. The spirit of free/libre software implies users have the final say. Most if not all users who install add-ons are not clueless lowest-common-denominator type users. A GUI control is not required — just allow users to decide through about:config.

The real lesson is that developers often act as though they know best rather than letting users decide. Will humility or arrogance prevail?

Category: Commentary, Usability. Tagged: General, Firefox.