This is not a Recommended Extension. Make sure you trust it before installing

Hello! I am one of the many developers of extensions who are currently faced with the spectre of the message “This is not a Recommended Extension. Make sure you trust it before installing.” on my extension’s page - along with a warning triangle.

While I appreciate Mozilla’s desire to help protect users, I was wondering if this could perhaps be approached a bit differently. I tried placing myself in a potential user’s shoes tonight and here was my thought process:

  • “Hmmm, not recommended. That’s not good. I’ll look for a different one.”
  • “Hey, I’ve seen a similar message to this before! I’ve gotten warnings kind of like this for pages not using HTTPS! I bet this developer just isn’t into security. I should stick to someone who is more trustworthy.”

Importantly, here are some things that I did not think:

  • “That Learn More link will have something I find useful as a non-technical person so I should click it.”
  • “Recommended Extension - that must be some special program that Mozilla has to protect me as a user.”

While the linked page is quite explanatory, I think most folks will never even go there. I believe they will assume that as a developer I am not doing something I should be doing and have agency to do. I think a warning message of some sort is fine, but I think we don’t want to bury the lede regarding the scope of developer responsibility in the process.

How about something like this for addons with low numbers of users:
“This addon is not yet eligible for the Recommended Extension program because it does not have enough users. As such, it passes automated security scans but hasn’t gone through an extra expert-based security audit that happens when an addon is selected for curation. Keep that in mind and let the community know if there any concerns.” (with an appropriate link to the forums to report security concerns, etc.) And then of course, include the “Learn More” button.

Similarly in the case of addons with lots of users but that are not recommended yet:
"“This addon is not yet part of the Recommended Extension program. As such, it passes…” etc.

I know it’s a bit wordy, but I think something like that would help better explain the true state of affairs and help new addons from developers like me find pioneering users rather than scaring them away.

What do other members of the community think? Are my concerns unfounded? How has new user adoption fared in light of the messages as they currently are?

4 Likes

I agree that the Recommended Extension system that Mozilla have introduced needs to be more clearly explained to end users. I have created several extensions and none of them qualify as Recommended Extensions but I do my best to make my extensions secure.

I think you have good cause for your concerns and, I expect, plenty of other developers feel the same way (I certainly do). So, Mozilla, please improve how Recommended Extensions are explained to end users. Thank you.

2 Likes

Hello, I am also an add-on developer and in the same situation.
I find it unfair to introduce suspicion in user’s mind with such qualifier as “not recommended”.

Plus the fact that I find “recommended” a bit pretentious = who are the mozilla guys to decide for me as a user what I should install or not, or to know better than I ??

And last, how could a user “trust” something that he doesn’t know ? The “Make sure you trust it …” is just introducing more fear or uncertainty in the user’s mind.

Rather than 2 values, “recommended” and “not recommended”, my suggestion would be 3 values:

  • Elected -> for those happy few who can get the label
  • Not screened -> for the majority
  • Not recommended -> for those who have been caught to have a bad behavior, and in such a case, a report of the bad behavior should be exposed at the same time, to inform users so that they can decide.
    Then, there should be a process for the developer to allow her/him to correct those things, and to prove to Mozilla they are no more in there in a follow up version, so that her/his addon can get out of that status.

By the way, this status should be linked to the addon version, and show in history for each version, as it can change from version to version …

I see revised, gentler wording for the yellow alert:

:warning: This extension isn’t monitored by Mozilla. Make sure you trust the extension before you install it. Learn more

The currently linked section of text:

What are the risks of installing non-Recommended extensions?

There are thousands of extensions and the vast majority are built with honest intent to provide people with useful tools and features. But even extensions built with the best intentions may inadvertently expose or otherwise compromise sensitive data.

Also, unfortunately, there are a few bad actors out there intent on stealing user data. One method of mining information can be through tricking users into installing malicious extensions. (Here are tips for assessing the safety of an extension.)

Due to the curated nature of Recommended extensions, each extension undergoes a thorough technical security review to ensure it adheres to Mozilla’s add-on policies.

The subheading might be harmonised with the gentler wording of the yellow alert, i.e.

For extensions that are not monitored by Mozilla, what are the risks?


The third paragraph – about recommended extensions – belongs in a different section of the page. Also the paragraph can offer more reassurance to readers by including this key point (from last month’s 2019 Add-ons Community Meetup in London | Mozilla Add-ons Blog):

… Participating developers agree to … have each new version undergo a code review. …

– words to that effect.

I assume that each review at version update time is as thorough as the review through which recommendation began.


Side note: you can use the Editing menu to reveal the history of a knowledge base article. In this case:

https://support.mozilla.org/kb/recommended-extensions-program/history

– from Rotating featured extensions:

Mozilla and the featured extensions advisory board regularly evaluate and rotate out featured extensions. …


Side note: some outdated links at both pages. I aim to make corrections at the first page (probably unable to edit the second).

1 Like

@caitlin hi, some outdated links at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Featured – please can you, or a colleague, make the necessary updates? Thanks.

1 Like

Thank you, this would indeed look gentler, while passing the necessary messages of attention and precautions.

@grahamperrin The yellow alert text would be a great change! However, I unfortunately still do not see that on my plugin’s page. I still see this:

Any thoughts on why I might be seeing that versus the yellow alert version?

Changed from yellow to grey a few minutes ago, for me here in the UK. Around the time of your post, @zephyr.

It is, I think, unusual for the front end to visibly change at a weekend. IIRC, I may be mistaken, changes go through some routine that involves Tuesdays and Thursdays, typically reaching production service – i.e. visible to the public at addons.mozilla.org – on a Thursday.

Toning down from yellow to grey seems non-contentious (to me) so I imagine that an unscheduled change was made, although I see nothing relevant at https://github.com/mozilla/addons-frontend/commits/master … I might be looking in the wrong place for such things. See postscript.

Any change of wording should probably be translated before go live.


Looking back, relevant A/B tests included:

8760 opened with this paragraph:

Following up on #8137, we want to run a new test to try out a more subtle UX. We also want to test a smaller population in order to reduce the backlash.

HTH

Postscript

Whilst I can’t find a matching open A/B test in GitHub, I do see two concurrent approaches. A screen recording:

For convenience, although your eyes might bleed, here’s a frame from the first recording:

  • foreground window (semi-transparent) Firefox 71.0, grey alert
  • mid-ground Waterfox Classic 2019.10, test profile, grey alert
  • background Waterfox Classic 2019.10, everyday profile, yellow alert

I wondered about translation. From a subsequent recording, here’s the grey in Russian:

I prefer the yellow alert. I also prefer the not monitored phrase that is (coincidentally) in the yellow. The wording is non-ambiguous.

The not recommended phrase is too easily misinterpreted, and its grey surrounding is not suitably attractive (attention-grabbing) for an alert:

2019-12-08%2005%3A27


Hey @grahamperrin thanks for posting that - it’s interesting to see it both ways. Thanks for taking the time to try that out.

I’d be curious to see what impact this is having on folks’ plugin downloads. Without knowing the exact A/B pattern regime it’s hard to say but downloads have gone down significantly since my original post. I have such modest downloads anyways, it’s hard to say if it’s just coincidence but I’d be curious to see if this is possibly a cause here. Don’t laugh at my numbers here. :slight_smile:

@caitlin Do you know if this message has been having an effect on overall downloads, particularly for new/small user base plugins? Or perhaps @bsilverberg?

2 Likes

Thanks, @grahamperrin! Yes, I’ll put in a request to get this updated. :slight_smile: (It should redirect to https://extensionworkshop.com/documentation/publish/recommended-extensions/)

1 Like

Hey @zephyr! We’ve seen an increase in the installation of Recommended Extensions. As mentioned in this blog post from earlier this year, we do want to find the balance between openness and security, so we are keeping an eye on installation rates for non-Recommended extensions.

1 Like

Great! I appreciate that something like Recommended Extensions exists - it does help make my life as a Firefox user safer. You had mentioned that you’re keeping an eye on installation rates for the non-Recommended extensions (presumably in part from the A/B tests above) - well, are they holding steady?

Overall, they are – while install rates for Recommended Extensions have increased, install rates for non-Recommended Extensions have remained stable.

1 Like

Great! Then I think the data is speaking, here.

amo-info

– is the grey alert (in the screenshot) Install button warning2?

@grahamperrin I do not know. Was there a specific person you had in mind to answer this? With this thread having been marked as solved, it is likely to get less traffic now so it might be worth a notification.

I was checking my addon’s page tonight again and saw the gentler wording “This is not monitored for security through Mozilla’s Recommended Extensions program. Make sure you trust it before installing.” I appreciate the team taking our requests into consideration! Thank you!

2 Likes