Warning: "This extension isn’t monitored by Mozilla" displayed for 16,000 extensions?

Hello,

Why are there now 16,428 extensions marked with a yellow warning that the extension is not being monitored by Firefox?

This extension isn’t monitored by Mozilla. Make sure you trust the extension before you install it.

What is the point of this? Should people avoid these and install only those 86 recommended?

Isn’t there a better way?

Why not introduce instead some new badge called “Trusted developer” - this extension is made by a developer who has been creating extensions for 2 years and has an overall rating of 4.5 from 10,000 users.

Normal users have 0 chance of telling whether the extension they are about to install is malicious or not, so instructing them to “Make sure you trust the extension before you install it.” has no point, because they just can’t.

Instead, make it more about developers!
Each developer should have a serious account linked with his/her personal ID (driver's license), phone number, any social account link, company link, etc… Then provide some of this information to the users, so they can check who is behind this extension.
And if there are issues with the developer, ban!

Having extensions made by anonymous developers will never be safe. And those that want to be anonymous, let them, with this nice yellow warning.

Best regards,
Juraj Mäsiar from Slovakia
Author of 1 recommended and 7 “not monitored” extensions!
homepage: FastAddons.com

PS: (some useful links)

2 Likes

I wonder if the “not monitored” message explains the following recent support thread?

Is Grammarly recommended -and if not, accepted and reasonably safe, for Firefox?

Definitely seems to discourage some people from installing extensions:

Note the confusion: “I disabled it for know.Maybe it will be approved in the future.”

1 Like

The notification is currently part of a test, so not all users are seeing it. It’s not a permanent part of AMO yet. We want to gauge the reaction users have to it and decide if it should be kept, modified, or dropped.

Having said that, the message is accurate. Most extensions on the site aren’t being regularly code-reviewed, so we can’t guarantee their safety. We believe this is something users should understand. That a developer has been contributing for X years, has positive reviews, or has provided ID to us is not enough to assess safety (though it helps). We’ve had incidents in the past with long-standing add-ons and “reputable” developers. Additionally, having the ability to ban after the fact doesn’t help users who have already been impacted by a bad add-on.

We’re trying to draw a line between add-ons that are being closely monitored and those that aren’t. At the moment that’s limited to a small set of Recommended extensions, but that can change in the future depending on the success of the program.

I think the problem with the phrase “isn’t monitored” is that people need to read a precise meaning into it to put it into context. Mozilla doesn’t just allow any old XPI to be distributed on the site, but we know that automated code screening misses things, and issues like the sufficiency of a privacy policy probably can’t be screened by software.

It’s so difficult to convey the right nuance, I certainly have sympathy for the AMO team. It’s hard for users to understand that software is not a binary world of safe and unsafe. There are lesser and greater risks to their security and privacy, shades of gray, trade-offs. Can anyone really understand the implications of host and API permissions? And developers may make errors such as accidentally leaking private browsing data. Even people who can read the scripts in an extension are challenged to determine (and find time to determine) whether an extension is safe enough for them to use. And then it updates.

As hopeless as it may sound, I think we need to try to give more guidance. Education is part of the mission. I don’t know what form it should take, or whose bailiwick it’s in, but we must keep fighting the good fight for web literacy, including web browser literacy.

Maybe we can look for a better solution in some other places, to see how other companies are handling this, for example:

  • Chrome Web Store (Opera Addons store)
  • Apple Store
  • Google Play Store
  • Amazon Appstore for Android

I just refuse to believe that marking everything as “insecure” is the right choice here.

Completely dumb and unfair business practices by Mozilla flagging some extensions and not others. It shows you how out of touch they are with users and best practices across app stores and business portals.

What are the best practices? Please share.

Hi Jefferson, I don’t know if you work for Mozilla but you are certainly welcome to shoot me an email and schedule a time to review best practices, and what’s worked and not worked over the past 10 years across iTunes, Google Play and Amazon app stores, plus the ones that have failed. Many people at Mozilla know me and have known me for years. I have visited your team in Toronto, met with executives at Mozilla and I’ve been involved in many projects related to desktop Firefox, Firefox Focus, Google Autofill and many others. We even developed an app for the Firefox Phone OS device… hah!

When it has benefited Mozilla, we’ve always been there for you. We have built apps for your platforms, created integrations, provided input and even supported you when you screwed things up (like when you disabled all extensions…). So it’s quite disturbing when you decide to randomly start putting warning labels on extensions (as a “test”). Or when you start randomly “recommending” apps while not recommending others with absolutely no criteria based in terms of measurable or educated decisions.

I’d be very happy to help Mozilla figure out the best way to rate the security, quality and trust levels of your 3rd party browser extensions. I can also help you design your app marketplace so it’s fair to ALL high quality app developers and all extension creators, not just a few. It’s like you guys are designing this without doing any research or talking to any developers. It’s crazy.

If you keep abusing the developers of extensions for Firefox, you will just force us to stop supporting your platform, and we’ll simply encourage our millions of customers to just use Chrome, Edge or Safari.

-Craig

Hi Craig, I don’t work for Mozilla. I volunteer in support and have a few extensions on AMO. So unfortunately, I’m not authorized to engage consultants. However, if there is such a thing as a list of best practices, this would be an opportunity to share it.