No, it does not. David, this is just wrong. Existing add-ons do not become suddenly insecure.
What it does is allow you to install add-ons not signed by mozilla. Essentially the same thing as installing software not originating from the iOS and/or Mac AppStore, or the Ubuntu/Fedora/etc distro repositories, or the Windows Store, or the Play Store.
The signing stuff might protect some less tech-savvy users from installing "You need this codec to play this porn video" malware add-ons, same as the other walled gardens I listed do too (tho most I listed have still a door in the wall that you can unlock and open yourself, unlike Firefox Desktop).
But that's it. It is a "seal of approval" scheme saying that mozilla reviewers decided something is secure enough and has an OK quality (and wasn't forced to remove by US laws/authorities courts yet), implemented using DRM. It reduces the chances that users will install something malicious by accident/incompetence.
If users still run their add-ons from AMO, then there is no difference. Unless a bad actor can either MITM AMO connections or compromise the AMO servers. At which point the users has a lot more problems already than potentially malicious browser add-ons.
And what's the problem with not having that? Does it suddenly make my installed extensions insecure?
I (somewhat) get it for the standard windows user who gives admin rights to everything, but I think this crowd is a bit more aware of what they install.
Last I checked Firefox still gives at least a warning + confirmation dialog if you try to install an unsigned / improperly signed extension with xpinstall.signatures.required = false, no?
Disabling all add-ons doesn't help security either.
So far I have neither an update on ubuntu-desktop nor on android (with default package managers) so without this option I'm supposed to use the internet without adblock & umatrix? lol no thx
The only "security" it provided was to prevent people from installing add-ons that Mozilla didn't approve of, ostensibly ones it thinks are malicious, and I'd bet that on Android (which has its own app isolation features anyway) that's even less of a problem.
Not exactly. You can install add-ons from outside of Mozilla add-ons site.
The extra certificate is more of Mozilla's seal of approval.
This is why quite a few of my add-ons were not disabled - they were installed with trust from another site and this intermediate certificate was never in chain.
You could even manually sign these add-ons you trust with custom imported CA key for your personal or corporare vetting.
My add-ons are more important security features, that are needed right now, whereas the signing thing only protects when you install a new add-on from an unreliable source. (EDIT: it actually only applies for add-ons installed from the Mozilla add-on store website ... silly me for trusting that place)
Come to think of it, why did my add-ons get disabled, given that they already had been checked against the signing key when they got installed? Why is this (literally, it seems) being checked constantly instead of only when something about the add-ons changes?
