Firefox 40 features a new add-on manager with signature verification

Firefox 40, which is available for Nightly users only as of now, comes with an updated add-ons manager with a refreshed UI and add-on signature checking. Let's explore what this feature does.


When you open the Add-ons Manager (for example, with the about:addons command) or by pressing Ctrl+Shift+A, you will notice a completely new interface of the add-ons list in Firefox. It looks like this:

Firefox nightly addons manager

In the picture above, you can see the old UI on the left side, and the updated one on the right. The updated one matches the appearance of the new Settings tab I recently covered. It looks more intuitive and friendly for touch screen devices due to a refreshed color scheme.

Besides the new appearance, Firefox 40 is the first Firefox version which includes digital signature verification. In my screenshot above, you can see that the addons I have installed are "not verified".

Mozilla began requiring all extensions to be signed in order for them to be installable in stable and beta versions of Firefox. Signing will be mandatory for all extensions, regardless of where they are hosted. Extensions which developers submit for hosting on Mozilla's add-on repository will get signed after the review process.
So, if you are a developer of some add-on for Firefox, in the near future, you will need to use Nightly build to test install and run your addon BEFORE it is pushed into the add-ons repository and is verified by Mozilla.

This change is intended to improve the security of the browser. With digital signing and verification, malicious extensions have no chance of being installed in Firefox. However, this change also gives Mozilla exclusive control over the set of add-ons available for the browser. You will be restricted to the add-ons which are explicitly approved and signed to run in Firefox. Some users might consider this as a limitation of their freedom.

What is your opinion on these changes? Do you support signing of add-ons in Firefox?

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

6 thoughts on “Firefox 40 features a new add-on manager with signature verification”

  1. This is definitely a welcome move from Mozilla. Firefox already has a good security reputation, but add-ons are it’s potential weak point, so this change should see that loop hole closed. I imagine some users and add-on contributors may complain, but at the end of the day it’s the security of everyone that is important.

  2. Кто бы и что бы не говорил о virtualbox, но все же, если хочешь быстро протестировать какой то софт на иной от установленной ОС, после некоторой возни с другими платформами виртуализации всеровно переходят на виртуалбокс. И тут понимаю, что эта платформа, как бы, для “домохазяек”, но в ней, установил и запустил, а не играешься с кучей нюансов и решений их в инных виртуалках.
    Это я так, отошел немного, глянул просто на скриншот в посте.

  3. Jeese, seriously? It’s bad enough that we’re forced to open the add-ons manager in a tab instead of a proper floating pane, but this is too far. It’s only a matter of time before they ban Classic Theme Restorer and Status4Evar and other add-ons that try to fix what Mozilla broke.

    1. Opening Add-ons manager and Options dialog in a tab rather than in a proper floating pane is definitely an evil, just as well as other tries of mimicking behavior of castrated Chromium based browsers. But verification of addons before installing (regardless of source) without any doubts is the right thing to do. It’s useful both for Mozilla and an average Joe user of FX. And my own experience has already shown that.

      The issue with unsigned add-ons was that malware used (and still does) this backdoor for installing itself from local source without any user consent whatsoever. Just recently I was able to see the usefulness of that verification by my own eyes. I was too lazy to build one utility application from sources (YAWD@Codeplex) and downloaded its installer which is bundled with all possible kinds of malware including malicious FX addon which silently installed itself. Luckily, at that moment I was running Aurora (Alpha version of FX, aka ‘FX dev edition’, v41) so malware failed to initialize.

      The other issue is that they could’ve implement some another way of preventing silent installation of alien extensions rather than forcing addon devs to sign their extension but this one was probably best by test or the easiest one. Anyway, advanced users are still able to install unsigned addons. And no, I don’t think that Mozilla will ever ban addons like CTR or S4 (btw, the latter seems to be redundant because the CTR does the same thing, isn’t it).

      Все правильно Мозилла сделала, странно только что так поздно спохватилась. VirtualBox, как и все остальные виртуальные машины, существующие на сегодняшнем рынке — ни разу не “платформа для домохозяек”. Но даже домохозяйке будет проще установить на неподписанном расширении чекбокс “enable”, чем тестировать его на виртуалке.

Leave a Reply

Your email address will not be published.

Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.