Add-on signing in Firefox
Revision Information
- Revision id: 113357
- Created:
- Creator: jdc20181
- Comment: Needed Version that is impacted
- Reviewed: No
- Ready for localization: No
Revision Source
Revision Content
This change is coming in Version 43.0
Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons add unwanted toolbars or buttons, change your search settings or inject ads or malware into your device. This article explains how add-on signing makes it harder for malware to be installed by default.
Table of Contents
What is add-on signing?
Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.
Add-on signing targets only malware and browser hijacking. It does not control or censor the content that you choose to see.
What can I do if Firefox disables an installed, unsigned add-on?
If an installed add-on is disabled because it hasn't been signed, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed. Another option is to visit addons.mozilla.org to see if there's a signed version of the add-on you can install.
How does add-on signing protect me?
Firefox protects you against malware and browser hijackers by making it harder for them to install their add-ons on your browser.
Firefox protects you against malware and browser hijackers by warning you about third-party add-ons that are not digitally signed by Mozilla.
Newer versions of Firefox add protection against malware and browser hijackers by warning you about and (starting in Firefox 43) blocking third-party add-ons that are not verified and digitally signed by Mozilla.
While Firefox currently has a blocklist system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow Mozilla Developer guidelines and ensure that their add-ons are safe to install. Firefox warns you when an add-on did not complete the signing process. For now you can still install the unverified add-on at your own risk, but starting with Firefox 43, such add-ons will get deactivated as well.
What types of add-ons need to be signed?
Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.
Where would I encounter unsigned add-ons?
Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed.
When you install an add-on through another website, Firefox checks to make sure that the add-on has been digitally signed before you can install it.