A few days ago, I was pointed to a post on the Mozilla forums, in which developers of Firefox extensions designed to circumvent Russian censorship were surprised to find that their extensions were suddenly no longer available within Russia. The extension developers and other users in the thread were obviously not amused, and since they had received no warning or any other form of communication from Mozilla, they were left in the dark as to what was going on.
I did a journalism and contacted Mozilla directly, and inquired about the situation. Within less than 24 hours Mozilla got back to me with an official statement, attributed to an unnamed Mozilla spokesperson:
Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store. After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.
Mozilla spokesperson via email
I and most people I talked to already suspected this was the case, and considering Russia is a totalitarian dictatorship, it’s not particularly surprising it would go after browser extensions that allow people to circumvent state censorship. Other totalitarian dictatorships like China employ similar, often far more sophisticated methods of state control and censorship, too, so it’s right in line with expectations.
I would say that I’m surprised Mozilla gave in, but at the same time, it’s highly likely resisting would lead to massive fines and possible arrests of any Mozilla employees or contributors living in Russia, if any such people exist, and I can understand a non-profit like Mozilla not having the means to effectively stand up against the Russian government. That being said, Mozilla’s official statement seems to imply they’re still in the middle of their full decision-making process regarding this issue, so other options may still be on the table, and I think it’s prudent to give Mozilla some more time to deal with this situation.
Regardless, this decision is affecting real people inside Russia, and I’m sure if you’re using tools like these inside a totalitarian dictatorship, you’re probably not too fond of said dictatorship. Losing access to these Firefox extensions through the official add-on store will be a blow to their human rights, so let’s hope the source code and ‘sideloaded’ versions of these extensions remain available for them to use instead.
Quote: “we are closely evaluating our next steps”
If they had any decency left, they would not only restore the affected extensions (the Russian government can manually block the “offending” URL in its DNS) but include those extensions as part of the source code.
totalitarian authoritarian
We get what you meant, but calling Russia a totalitarian state implies a total ideology guiding the state’s actions. That’s not the case.
Soviet Union was a totalitarian state. Putin’s Russia is an authoritarian one.
crap… Thom please bring about the fixing of the comments editor.
“totalitarian != authoritarian” is what I tried to write.
This is EXACTLY the sort of scenario that those of us who harshly criticized Mozilla’s extension walled garden were wary of. Mozilla’s walled garden is no better than apple’s walled garden in this regard. It doesn’t matter that a company claims to have moral standing because the fact that they hold the keys to our property is in and of itself a fundamental danger to our online freedom!
Of course they’ll blame Russia/China/whoever when this happens, but the fact of the matter is that this is entirely predictable and Mozilla are complicit by deliberately designing technology that withholds owner control. As a direct result of their walled garden they are empowering government control over their users. Honestly I’m really conflicted over this because we are in desperate need for viable alternative browsers like FF and google holds the keys in chrome. But at the same time I want to tell mozilla “why the hell have you turned your back on owner rights? This is the exact opposite of what you should be standing for!” I absolutely hate the fact that mozilla decided to fight this battle against power users.
Maybe some good could still come from this though if mozilla comes out and admits that taking the keys away from owners was stupid of them and harmful to owner rights. I kind of doubt they will though.
I thought you can sideload extensions on Firefox? I understand they’ve made it harder since version 74 to prevent “dropper” applications from installing junk, but is it actually hard?
Doesn’t look too difficult: https://extensionworkshop.com/documentation/publish/distribute-sideloading/
kurkosdr,
The act of “sideloading” isn’t difficult, however the problem is mozilla are deceptively using the term for extensions that remain locked to mozilla. Owners aren’t given the freedom to sideload what they want without mozilla’s say. See my last link.
Yeah, if they require add-ons to be signed by Mozilla before they can be sideloaded, that’s not true sideloading (considering you must still go through a central server to get a given add-on signed).
And as you say in another comment below, whether Firefox’s pretend “sideloading” support helps Russian users install the anti-censorship add-ons that they want depends on whether Mozilla revokes the signature for these add-ons or not, so Mozilla has put themselves in a position where the Russian government can force them to do exactly that.
We live in a weird world when products from Microsoft and Apple (Windows and MacOS) allow sideloading of un-notarized/un-signed apps but Firefox doesn’t. I don’t like this timeline we live in.
kurkosdr,
What mozilla calls sideloading is not what the rest of the world calls sideloading. Say you’re on android, once you enable sideloading, you can load whatever APKs you want, including those you write yourself. Your house, your rules. However mozilla takes away this right. They always require all extensions to be submitted to mozilla where they approve and sign it. You can only “sideload” extensions that mozilla signed off on.
https://devdoc.net/web/developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Distribution.html
Of course, since there’s no real sideloading, FF extensions are clearly much more vulnerable to government take down than if owners were allowed to sideload.
That’s not true? I’ve written and loaded addons, and used old addons I manually downloaded without going through the Mozilla addon system at all. It pops up a warning, but you can just do it.
FlyingJester,
I swear I’ve tested this before, but just in case I got it all wrong somehow, I tested it again tonight. Now that I’ve done that I will reaffirm that my statements are true. But it does depend on the version of FF you are running (I mentioned this in another comment, but not the one you responded to).
When the addon is not signed, FF displays this error message when trying to load it “This add-on could not be installed because it appears to be corrupt”.
Aside: This error message is incorrect. The plugin is NOT corrupt but merely unsigned. Mozilla should really fix this since the error message is a lie and confusing as heck. I think they’re misleading users on purpose to save themselves from having to answer “how do I make firefox run unsigned extensions”, which users don’t ask because FF doesn’t tell them that’s the case.
Anyway. In the nightly/developer/enterprise builds you can go into about:config and set “xpinstall.signatures.required” to false, after which FF gives a warning that “This extension is unverified” (mozilla should have stated this up front, but whatever). With xpinstall.signatures.required set to false firefox allows you to install the unsigned addon anyway.
I installed the regular versions of FF directly from mozilla’s website on linux and windows and both of them ignore the “xpinstall.signatures.required” setting. The (false) “addon appears to be corrupt” error will not go away in these versions and I haven’t found a way to sideload the extensions in these versions. Mozilla authorization is required to load an extension in the non-dev builds. I strongly feel that mozilla are on the wrong side of this owner rights issue.
Oh, I also tested the version built for debian and it does NOT restrict sideloading. If you are running linux and did not download FF yourself, it’s possible your linux distro’s build does not enforce sideloading restrictions when xpinstall.signatures.required is set to false.
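The three cases this thread keeps running together (a file that really is corrupt, an add-on that is merely unsigned, and one that carries Mozilla signature entries) can be told apart by inspecting the .xpi before installing it. This is an added example, not part of the original comments or Mozilla's code; the META-INF entry names are assumed from how signed XPIs are laid out, the sample add-on is constructed, and the check only looks for the entries and does not verify any signature.

```python
import io
import json
import zipfile

# Entry names assumed for Mozilla-signed XPIs (not taken from this page).
PKCS7_ENTRIES = ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa")
COSE_ENTRIES = ("META-INF/cose.manifest", "META-INF/cose.sig")


def classify_xpi(data):
    """Classify an XPI as corrupt, unsigned, incomplete-signature or
    signature-entries-present. Presence check only, no cryptography."""
    result = {"status": "corrupt", "addon_id": None, "present": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP archive at all: genuinely corrupt
    with zf:
        if zf.testzip() is not None:
            return result  # a member failed its CRC check: genuinely corrupt
        names = set(zf.namelist())
        if "manifest.json" in names:
            try:
                manifest = json.loads(zf.read("manifest.json"))
            except ValueError:
                return result  # unreadable manifest: treat as corrupt
            if isinstance(manifest, dict):
                # The add-on ID lives under one of these two manifest keys.
                for key in ("browser_specific_settings", "applications"):
                    section = manifest.get(key)
                    gecko = section.get("gecko") if isinstance(section, dict) else None
                    if isinstance(gecko, dict) and gecko.get("id"):
                        result["addon_id"] = gecko["id"]
                        break
    result["present"] = sorted(n for n in PKCS7_ENTRIES + COSE_ENTRIES if n in names)
    if not result["present"]:
        result["status"] = "unsigned"
    elif all(n in names for n in PKCS7_ENTRIES):
        result["status"] = "signature-entries-present"
    else:
        result["status"] = "incomplete-signature"
    return result


def make_sample_xpi(signed):
    """Build a constructed sample add-on in memory (placeholder signature bytes)."""
    manifest = {
        "manifest_version": 2,
        "name": "Constructed sample",
        "version": "1.0",
        "browser_specific_settings": {"gecko": {"id": "sample@constructed.invalid"}},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        if signed:
            for name in PKCS7_ENTRIES:
                zf.writestr(name, b"constructed placeholder, not a real signature")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (
        ("garbage bytes", b"not a zip"),
        ("unsigned sample", make_sample_xpi(False)),
        ("sample with signature entries", make_sample_xpi(True)),
    ):
        print(label, "->", classify_xpi(blob))
```

A result of "unsigned" on a file that Firefox reports as "corrupt" matches the behaviour described in the comment above.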
Ah. I think it’s dependent on the version. Nightly, WebDev Edition, and all ESRs (which include many Linux distros’ versions) don’t enforce signing by default or, depending on the configuration (and I think this is disabled for any unofficial build?) an about:config pref.
So it’s absolutely possible to side-load with an official build, it just might take using a specific channel (WebDev is even based entirely on Release), and possibly an about:config pref.
Alfman its more of a mess than one thinks ESR versions of firefox
https://blog.mozilla.org/addons/2020/03/10/support-for-extension-sideloading-has-ended/
“””Enterprise administrators and people who distribute their own builds of Firefox (such as some Linux and Selenium distributions) will be able to continue to deploy extensions to users. Enterprise administrators can do this via policies. Additionally, Firefox Extended Support Release (ESR) will continue to support sideloading as an extension installation method.
Yes ESR version of firefox the one it works. Debian default package of firefox is ESR version of firefox.
“””If you are running linux and did not download FF yourself, it’s possible your linux distro’s build does not enforce sideloading restrictions when xpinstall.signatures.required is set to false.
So this is wrong Alfman. If you downloaded ESR FF then you can sideload unsigned.
Firefox Developer Edition, Nightly, and ESR you can sideload unsigned. Other versions you are straight out of luck.
Firefox ESR is kind of annoying in enterprise use that you cannot add your own key for in house extensions this would allow the signing to be left on.
Alfman the malware issue allowing any random unsigned to be installed is a problem. Mozilla handling of this has really not been the best. Release and Beta versions locked not to accept side loading of extensions not signed by mozilla does make some sense to protect general users. ESR not allow you to add your own signing certificate as well as the mozilla one is kind of problem. Like really why should you need to switch xpinstall.signatures.required instead why can you not self sign the extension and add key to browser.
Lot of Linux distributions ship with Firefox ESR not all.
oiaohm,
I just tested it, sheesh. You have a funny way of saying people are wrong when there are right, haha.
I agree, mozilla could have done better here but for better or worse they dug their heels in and here we are.
Alfman what wrong is its not the distro build having any special configuration. Firefox from Debian is ESR based. ESR or direct development branch based have unsigned side-loading enabled once you change one setting.
Debian firefox has patches but none of those patches restore sideloading.
https://sources.debian.org/patches/firefox-esr/115.12.0esr-1/
Yes the following is the only patch that close.
https://sources.debian.org/patches/firefox-esr/115.12.0esr-1/debian-hacks/Don-t-auto-disable-extensions-in-system-directories.patch/
This is system installed extensions being allowed to work.
”’it’s possible your linux distro’s build does not enforce sideloading restrictions when xpinstall.signatures.required is set to false.
This is not the distribution build alteration. Its that the distribution build is ESR, Firefox Developer Edition or Nightly based that it works. Distributions are not adding patches or altering the build to enable this.
“””I agree, mozilla could have done better here but for better or worse they dug their heels in and here we are.
The change Mozilla did locking down extensions was due to anti-virus and other thing shoving extensions into firefox that basically turned out to be harmful to user.
Issue here is balance. In someways I do think a version of firefox should exist that is locked to the mozilla signed items. ESR version that allows unsigned should be simpler to find. ESR version should support user adding their own extension signing keys so that you don’t need to unlock it completely.
Lot of ways ESR with user able to add custom key I would say no need for unsigned at all just you have to self sign and self CA. This way you should be thinking if this extension is safe due to amount of work required.
oiaohm,
Go reread what I said. The ESR version that ships with Debian works exactly as I described and I even tested it again to make sure and it’s still the same result. You must be misunderstanding what I said because you should not disagree with what you quoted from me. Like I said “If you are running linux and did not download FF yourself, it’s possible your linux distro’s build does not enforce sideloading restrictions when xpinstall.signatures.required is set to false.”
All I was getting at was why FlyingJester may not have been using the restricted version of FF that mozilla puts out for regular users.
oiaohm,
Also, just for the record I did not claim distros created the ESR version. Only that it’s different to the normal version a regular user would download from mozilla, which is still true. Thank you for adding more information but it doesn’t actually contradict what I said.
Getting the thread back on track for a moment: Does regular Firefox (Windows or MacOS build downloaded directly from Mozilla’s website, non-ESR, non-nightly) require add-ons to be signed?
To be clear, I mean the build available from the following URL:
https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
(with “Which browser would you like to download?” set to “Firefox”)
Because let’s be real, that’s what most Firefox users will download.
* require add-ons to be signed = require add-ons to be signed before they can be sideloaded
kurkosdr,
I downloaded the browsers from the top of mozilla’s page, which opens up this page, but I think it’s the same download.
https://www.mozilla.org/en-US/firefox/download/thanks/
Incidentally this is extremely easy to test on linux, you can extract it and run it in place. IMHO all software should be this easy to try I really miss this about old school software, our dependency on modern installers sucks. /off topic rant
kurkosdr,
Edit: I forgot to answer your question. The answer is yes.
Alfman
https://www.mozilla.org/en-US/firefox/download/thanks/
Then bottom of that page. is this link
https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
Then you can in the drop down box choose ESR
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
Then you can download Firefox ESR from Mozilla. The ESR version is also in the apt provided by mozilla again you have to know it there to install it.
Alfman ESR version of firefox is on the Mozilla website its not in the simplest to find place.
You have ESR from debian and other distributions that have some alterations and you have ESR from Mozilla being ESR equals can side load .
Mozilla provides versions you can side load then hides them.
I don’t think that’s entirely true. Mozilla hasn’t taken away Russians’ ability to use these extensions, they have “temporarily” stopped providing hosting services for them. If they have another way of getting these extensions, they can still use them. You can install them manually in the gui. They have not taken any keys from any owners. Is it a crappy situation and do i wish Mozilla hadn’t restricted access to those extensions from the store? Sure is, and yes i do. but they have not taken anyone’s control of their browser away.
BluenoseJake,
Do you know if the addons are still going to be signed by mozilla? I don’t actually know the answer myself, so if you have any news on this I’d appreciate a link.
If mozilla revoke their signature, then they would be taking away the ability to use the extensions (in the normal end user version of FF).
Unsurprisingly there is a Russian version of FF here… so another question I have is whether mozilla signatures are implemented regionally.
https://www.mozilla.org/ru/firefox/download/thanks/
Does anyone know? (Preferably with a source).
No link you pointed to yourself.
https://devdoc.net/web/developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Distribution.html
Mozilla does not do regional.
That ru thanks page serves up
https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
Like everywhere else.
https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US
Yes another name for the firefox default release is firefox-latest-ssl .
I do question if some countries the hello page should be straight up offering the ESR version.
Unless you are using a VPN, there is no such thing as a “worldwide web” anymore, most countries block domains (and possibly IPs) that don’t comply with local laws. Of course, the kind of domains (and possibly IPs) a given country blocks tell you a lot about that country.
Mozilla has the dilemma of either seeing their add-on store get blocked in Russia or creating a “regional variant” of their add-on store that complies with local laws (which is also what every company that does business in China does).
This is why some of us were and are preaching to anyone who can’t run fast enough about the importance of sideloading: one of the reasons sideloading is important is that if something isn’t available in your region’s “variant” of a store, you can get it from someplace else and sideload it. Unfortunately, the iJustines and other Apple fluffers of this world have a much bigger social media influence, so there is a good percentage of people out there using freakin’ iOS.
But when it comes to Firefox, Russian users should be able to sideload those extensions from elsewhere.
kurkosdr,
I completely agree with you on this. Sideloading rights are so important! However after reading my other posts about what mozilla are calling “sideloading”, I think you’ll agree that they have failed to protect our owner sideloading rights and that leaves me so disappointed.
True, sideloading that requires signing/notarization is not true sideloading (considering you must still go through a central server to get your app or add-on signed/notarized).
BTW MacOS supports sideloading un-signed/un-notarized apps when you change a setting. So, if regular Firefox (not ESR or nightly) doesn’t do that, does it make regular Firefox more restrictive than an Apple product?
We live in weird times.
Thom Holwerda,
The standard user version of FF blocks 3rd party extensions that aren’t signed by Mozilla. Here are some ways to bypass it.
1) The enterprise and nightly versions do not enforce sideloading restrictions.
2) Since it’s open source, you can build your own browser that doesn’t enforce the restrictions.
3) FF forks may remove mozilla’s restrictions.
4) I don’t know if mozilla uses unique signatures in regionalized versions of FF, but in theory if all they did was remove offending extensions from the store without revoking signatures, then you should still be able to sideload *signed* extensions from a different source.
Alfman,
For (4), they might be using “Certificate Revocation Lists” (CRL) if they want to be really petty about it. But I am not sure they went that far.
sukru,
It’s a good question. It’s possible that mozilla’s infrastructure already has hard coded business rules for automatically revoking certificates for addons that are removed from the store, but I really don’t know.
In my testing it looks like FF verifies the addon’s signature on every execution. so I’m pretty sure IF they revoke the certificate, it will stop loading addons even if they are already installed.
Alfman,
At this point, someone would probably start maintaining a fork of “Firefox (minus) Shenanigans”. The issue is of course finding a reputable for such a task.
Great article and loving the extra steps to verify the story here.
I am now wondering if Mozilla have a list of users who installed said extensions (in Russia) and have used the sync “feature”.
If they have removed the items from the store, will they resist sharing the user data with the state or are the people who used the extensions at risk (or on a list..) ?
In the end, I still keep using the evil Google Chrome, because no other is good (as in not evil).
protomank,
Statements like yours tear me up inside. Mozilla cannot afford to lose more market share. They are facing an existential threat and if they disappear the browser situation is going to get worse. On the one hand maybe I should tone down the mozilla criticism, but on the other hand I feel that restricting owner rights is an egregious betrayal of FOSS community values and I feel I can’t stay silent on that.
If you are interested in Mozilla, I would recommend using the Onion Browser instead:
https://onionbrowser.com/
It is not only using the same rendering engine, and extension mechanism, it also has the benefit of being completely secure and private. At least as much as TOR could be.
Everything is routed through TOR, and tracking is disabled by default. There might still be leaks, but they at least try to warn you if you set up such an option (like installing extensions).
Yeah, that’s the kind of browser I want as my daily: a browser that routes everything through TOR, which means everything will be dog-slow and websites will have their CAPTCHAs and other anti-DDoS measures set to 11 (when they see your TOR IP address).
Even when visiting from a VPN (I have a passively-cooled computer connected to a TV seeding torrents 24/7 and I occasionally browse the web with it), the internet feels somewhat different: Google and other websites are more inclined to throw CAPTCHAs at you (when you aren’t logged in), and some websites block you outright (they don’t when visiting without using a VPN). I cannot imagine how visiting from a TOR IP address will be (and then as I’ve said above there is the whole slowness of TOR).
This Onion browser is nice if you want to visit a specific .onion website, but not as a daily driver.
kurkosdr,
That is fair, but it shows the other extreme of everything being as secure and private as possible.
I have not used either of them, but Thorium or Mercury could maybe be an alternative (Chromium and Firefox forks)
https://thorium.rocks/
https://thorium.rocks/mercury
The real lesson learned is that Mozilla MUST always allow installation of extensions from file (.xpi), including on Android, and to leave an option to install unsigned extensions (only possible on Nightly).
j0scher,
Having used the nightly builds in the past, I would say they are only appropriate for developers working on the firefox code base. They just are not stable enough (nor do they claim to be). The ESR versions have the opposite problem, the code and features can be years old, which I’d argue is much better than nightly, however as a web developer I’ve encountered situations where my clients were getting different results to me (the regular version of FF would not play media while ESR did). It turns out mozilla made a breaking change but I didn’t see that because I was on ESR. This experience has taught me the importance of having a browser with the same feature set as your users, unfortunately ESR does not fit the bill there even though distros are using it to remove mozilla’s restrictions.
I thank God every day that the rest of us live inside a freedom machine. Must have dreamt the part where we were locked inside our homes, where we were forced to cover our faces, where we had to close our business, where we had to get tested with long sticks through the nose, where we would be clubbed in the head when protesting on the street, when we would be censored and deplatformed when protesting online, where we had to get injected with the latest pharma product to get a digital pass to travel or to enter a hospital, a pass our freedom-loving politicians made themselves exempt from.
Lots of keyboard warriors here. Firefox is in a weird position.. continue to offer the extension and risk the health and safety of contributors in Russia while getting Firefox banned, or don’t offer the extension in Russia and force users in Russia to side-load the extension (reducing its availability to common folks)
Honestly, I feel like Firefox made the right call. All options suck, but putting Firefox contributors in Russia at a potential direct risk feels inappropriate.
Ouch. Fair point. TBH it hadn’t occurred to me how BS crazy the Russian system could be.
The “powers that be” could just round up anyone in Russia from this list https://www.mozilla.org/credits/ or in fact any of those folk that try to enter Russia or anyone who appears in the git log at Mozilla’s GitHub repo or anyone listed in the FF/Moz repos… I mean, if you’re a tyrant all these things are possible, even desirable.
Yup. It’s a shitty situation all the way down. Mozilla may want to be the hero and tell Russia to pound sand, but they would be doing it at the peril of their own Russian contributors who may not want to be a martyr for them.
I think the only real solution is to back away, and hope the lack of the plugin adds fuel to the overall dissatisfaction of the Russian people towards their dictator.
With the above said, I draw a line at Tor. The people need empowered to communicate externally uncensored. Tor should be available to every school child.
kallisti5,
I agree with the gist of what you are saying here, but how did you miss that whole long thread talking about the other option mozilla has? Haha. Seriously the narrative that mozilla doesn’t have a choice is the same narrative apple uses when it comes to app store censorship but this narrative is flat out wrong. But companies are complicit in building the technology to restrict users in the first place. They weren’t coerced into restricting end users at all and neither of them deserve a moral pass here.
Edit: But companies->Both companies