Make sure you trust it before installing: Scaring off users

Hi,
Our add-on has been published since 2017 and got 4.4 stars. Even though our FF user base is not as large as our Chrome user base, they are important and this add-on is essential to them.

Mozilla is displaying “This is not monitored for security through Mozilla’s Recommended Extensions program. Make sure you trust it before installing.” on our add-on. I understand the necessity of Mozilla promoting recommended add-ons in order to keep their users safe.

But this language itself implies that if it isn’t recommended it isn’t safe :frowning: This is scaring general users, as they are simply not going to the next page via the “learn more” link. Perhaps the Mozilla team should prominently display “Recommended” instead of using negatively impacting wording, which is hurting add-on developers like us, with loyal users. It’s damaging our brand and image.

Also, what are the clear guidelines to be “Recommended”? During new version submission, perhaps moderators should say “if you submit this you will be flagged”, or provide something like a checklist?


The Learn More link points to an article that explains what Recommended add-ons are and what the selection criteria are.

As for the language being somewhat negative and suggesting an extension isn’t necessarily safe, that’s kind of its purpose. Only Recommended extensions are regularly reviewed, so we can’t make guarantees about the rest. We have to make sure users understand the risks and don’t install things without warning, since they deposit some trust in the Mozilla brand.

We’re looking into ways of expanding the number of add-ons that are reviewed so we don’t have to show the warning as much, but it’s a complicated resourcing problem since manual inspection is involved.

Maybe also change the warning depending on the permissions required by the add-on?

The difference between an add-on requesting no permissions and an add-on that has access to all pages’ data is huge.

Isn’t there some statistic about permissions used by malicious add-ons that could be used as a guideline?

It’s hard to imagine a malicious add-on that has only the “activeTab” permission… I mean, even if it would steal all your data from the active tab, there is no way it would be able to submit it to the attacker’s server. Right?

Some of the most common add-on permissions are also the most risky. Most add-ons are capable of sending web requests to external servers and exfiltrating user data. While we could suppress the warning for add-ons that definitely can’t do this, they would be a minuscule portion of what we have, and it’s possibly not worth the effort adding that distinction.
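The permission discussion above, as a worked example that is not part of the thread and not Mozilla's tooling: a small Node.js audit that reads a WebExtension manifest and rates its reach by the data the add-on can access. The tier table, the helper names and the two sample manifests are my own assumptions for illustration, not AMO's review criteria. It follows the reply's point that the useful question for a reviewer is what an add-on can read, since most add-ons can send web requests somewhere.

```javascript
// Added example (not from the thread or from Mozilla): a reviewer-side audit of a
// WebExtension manifest that rates how much data the add-on can reach. The tier
// assignments are an assumption for illustration, not AMO's review policy.

// API permissions grouped by reach. Names are real WebExtension permission strings.
const HIGH_REACH = new Set([
  "webRequest", "webRequestBlocking", "proxy", "nativeMessaging", "cookies",
  "history", "downloads", "management", "browsingData", "privacy", "clipboardRead",
]);
const MEDIUM_REACH = new Set([
  "tabs", "webNavigation", "bookmarks", "sessions", "identity", "topSites",
]);
const LOW_REACH = new Set([
  "activeTab", "storage", "unlimitedStorage", "alarms", "contextMenus", "menus",
  "notifications", "idle", "clipboardWrite",
]);

// Numeric rank so the overall level is the worst finding. Unknown permissions are
// ranked with medium so a reviewer looks at them rather than ignoring them.
const RANK = { none: 0, low: 1, unknown: 2, medium: 2, high: 3 };

// A host match pattern covers every site when its host part is a bare "*".
const ALL_HOSTS_RE = /^(\*|https?|wss?):\/\/\*\//;

function isHostPattern(s) {
  return s === "<all_urls>" || s.includes("://");
}

function isAllHostsPattern(pattern) {
  return pattern === "<all_urls>" || ALL_HOSTS_RE.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const add = (level, item, why) => findings.push({ level, item, why });

  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const hostPerms = [...(manifest.host_permissions || [])];
  const apiPerms = [];
  for (const p of manifest.permissions || []) {
    (isHostPattern(p) ? hostPerms : apiPerms).push(p);
  }

  for (const h of hostPerms) {
    if (isAllHostsPattern(h)) add("high", h, "can read and modify every page the user visits");
    else add("medium", h, "can read and modify pages on the listed host(s)");
  }
  for (const p of apiPerms) {
    if (HIGH_REACH.has(p)) add("high", p, "broad access to browsing data or the network layer");
    else if (MEDIUM_REACH.has(p)) add("medium", p, "access to browsing metadata");
    else if (LOW_REACH.has(p)) add("low", p, "limited, user-gesture or extension-local scope");
    else add("unknown", p, "not in the tier table; review manually");
  }
  // Content scripts injected everywhere have the same reach as <all_urls>.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isAllHostsPattern(m)) add("high", `content_scripts: ${m}`, "injects code into every page");
    }
  }

  const level = findings.reduce(
    (worst, f) => (RANK[f.level] > RANK[worst] ? f.level : worst), "none");
  return { level, findings };
}

// Constructed sample manifests (not real add-ons).
const MINIMAL_MANIFEST = {
  manifest_version: 2,
  name: "example-minimal",
  permissions: ["activeTab", "storage"],
};
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "example-broad",
  permissions: ["webRequest", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

for (const m of [MINIMAL_MANIFEST, BROAD_MANIFEST]) {
  const report = auditManifest(m);
  console.log(`${m.name}: ${report.level}`);
  for (const f of report.findings) console.log(`  [${f.level}] ${f.item}: ${f.why}`);
}
```

Run it with `node audit.js` after saving the block; in practice you would `JSON.parse` the add-on's `manifest.json` and pass that object to `auditManifest`. The audit only rates reach (what the add-on can read or change), which is why an add-on limited to `activeTab` and `storage` comes out low and one with `<all_urls>` plus `webRequest` comes out high regardless of who wrote it; it says nothing about intent, and a real review would still read the code.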

Hi Jorge, I get it. But we’ve been building add-ons since 2004 as developers. Your nasty warning message (it is nasty) was brought to my attention by Rey Bango, the manager for AMO back in 2009 - he told me that if he didn’t know MetaCert he would refuse to install our software as a direct result of that warning.

Your warning is the reason for our low numbers. We have 4 times as many Opera users - which is insane given the market share.

If this is all about trust, allow me to provide context about the developers behind this security software…

Our COO, Ian Hayward, built and maintained spreadfirefox.com - he started and built the Firefox Developer Evangelist community. He and his engineers who work at MetaCert contributed to Firefox code and they built the official browser extensions for:

digg, Delicious, Yahoo!, eBay, Google, PayPal and Microsoft.

I hosted the biggest Firefox birthday party in the world - in Ireland as an early evangelist - I was buddied with Chris Hoffman in Whistler where there was agreement to integrate the MetaCert API inside Firefox until one engineer said he didn’t like the idea.

You can see one of my first Firefox add-ons formally endorsed by the W3C - where I’m one of the original founders of the W3C Mobile Web Initiative and I’m one of the two people who co-instigated the creation of the Full Recommendation for URL Classification that replaced PICS in 2009. I was also the first person to re-write Tim Berners-Lee’s vision of the “One Web”. https://www.w3.org/2001/sw/sweo/public/UseCases/Segala/ Segala was the first company I founded.

So, with all of this knowledge, can you please review our software (which is open source) and remove that message? If you’re not going to do that for us I have absolutely no idea who you would do it for.

Paul Walsh
MetaCert Founder & CEO


Brave had a similar message until I asked Brendan to have it removed - they did it that day because they know us and recommend us within the crypto world.

We currently don’t have the ability to remove that message for individual add-ons or developers, even if we were willing to do so.

I know Ian (I was one of the engineers who worked on those add-ons you listed, long ago) and most of the engineers who have worked on your add-on. This isn’t a matter of trusting individuals or even companies. Add-ons can become unsafe or malicious from version to version, either intentionally or accidentally. Add-ons can be sold to new owners who don’t have the users’ best interests at heart. These are all things that have happened enough times for us to be extra careful about this kind of thing.

Like I said before, we’re working on some ways to make it possible to remove this message without putting users at risk. It’s probably going to take a few months before any results are visible, though.

I’m so sorry Jorge, but your response is contradictory at best. It’s all about the developers and the trust that you and end-users put in them. An add-on can’t become unsafe or malicious from version to version unless that’s the intent of the developers. If you trust the developers, then you will know that our add-on will not go from being a very trusted add-on to a malicious one.

“Add-ons can be sold to new owners who don’t have the users’ best interests at heart.”

Yes, this can happen to literally 100% of the add-ons that you recommend, so I’m not sure how this makes a difference.

I’m sorry but this is a very unsatisfactory response. You actually know the people behind the software and it’s designed to protect people in a way that Firefox can’t. And you’re still saying you can’t remove that message?

In that case, how do we end up “recommended”? I wasn’t even asking for that. I was only asking for the removal of a nasty warning message that literally turns people off.

Given our contributions I’d expect a little more love here. This is not the Firefox that we once fell in love with.

On your homepage you “Recommend” a Google add-on - this is one of the most creepy tech companies on the planet - proven to destroy user trust. If you really care about users and their privacy, why would you recommend a Google add-on?

I went through the list and my mind is blown as to why you would recommend some of them and not MetaCert. Now that we’ve brought it to your attention, surely this can be looked at by other members of the team?

If there was a good definition of trust, maybe. And that still overlooks add-on problems that were unintended by the developer, another very common issue.

All versions of Recommended Add-ons are reviewed to ensure their safety. That’s where it makes a difference.

The Learn More link in the message explains how it works.

As far as I can tell there are no recommended add-ons authored by Google. There are a few that work on Google pages and mention “Google” in their name, but that’s it.

Since 2004, have I or any of my people done anything to give anyone the impression that we might all of a sudden introduce code/software unintentionally? It might be a common issue but can we stick to MetaCert here and my team? 2004 to 2020 is 16 years. There are very few people in the world who have been building add-ons as long as us. So let’s stick to MetaCert rather than general observations.

Can you please review MetaCert’s? It’s the very least you could do given our contributions to industry and our end-users and Mozilla.

The fact that the major image above the fold made me think it was from Google is telling in itself - surely that’s a red flag? But I digress. And I’d like to request that you speak to other members of the team to see if you can have people review our software. I can’t believe we’re debating this for so long.

Hi all
This is my first visit and post…still not quite sure if this forum is primarily for developers but here goes…
The title of this post caught my eye mainly because I have just updated to FF 77.0.1 and have found a few of my go-to add-ons seem to be either not available or have the “scary warning”.
I started using FF and “recommended” add-ons many, many years ago in an attempt to “keep safe” while using the internet. However over the years I have found more and more of the so-called “recommended” add-ons have been removed or have had trust/security warnings added.
I am not a power user by any stretch of the imagination, however I research as much as I can to try to broaden my knowledge. Everything associated with the internet seems to have become more complex and sophisticated, including those that wish to scam, take advantage of or just make a nuisance of themselves.
I have found the “make sure you trust it” advice more of a hindrance than help. Instead of providing actual relevant information they appear to be more of a “blanket” indemnity statement, that may or may not be relevant.
I am more unsure today than I was as a complete novice all those years ago which add-ons will do the best job and are also safe to use.
If a developer is a long-standing provider, with genuine unbiased positive reviews by users and organisations who monitor web security, then their “security” status could be assessed by FF and an advice indicating the developer’s security / reputation rating added to the developer profile and each of their add-ons.
Consultation between FF and a cross selection of developers and users could establish whether a simple (e.g. “traffic light” or “flag” style) or comprehensive (e.g. ratings per category such as security, privacy, efficacy) format would be of the greatest benefit.
Thank you for your efforts to provide a safe internet environment.
