Why do superfluous security extensions remain on the Recommended list?

Mozilla says that its Recommended extensions must (1) function at an exemplary level, (2) be safe, (3) offer an exceptional user experience, (4) be relevant to a general, international audience, and (5) be actively developed.

In some cases, Firefox incorporates functionality substantially similar to that of Recommended extensions. This appears to be the situation with, for example, HTTPS Everywhere, Smart HTTPS, Cookie AutoDelete, and perhaps others.

In other cases, Recommended extensions largely duplicate one another. This appears to be the situation with, for instance, AdBlocker Ultimate and Ghostery, and with LastPass and Bitwarden.

In other words, Mozilla recommends that users install extensions that, for most users, will probably add little to nothing to the user’s experience – that, indeed, may conflict with one another.

Many sources recommend not installing large numbers of extensions, for security reasons: each additional extension provides additional avenues of potential system vulnerability.

It appears that the Recommended list is misnamed. Surely Mozilla is not seriously recommending that people use all these extensions.

Be that as it may, there are problems pertaining to the selection criteria (above). If HTTPS Everywhere has been superseded by built-in HTTPS Only functionality, then HTTPS Everywhere no longer provides an exceptional user experience, nor is it relevant to a general audience. Its installation is, at best, a placebo, at worst an avoidable detriment to security.

Cookie AutoDelete appears to be a little different. My understanding is that it offers the option to delete cookies as soon as a tab is closed, as distinct from waiting until Firefox is shut down. Firefox developers presumably had their reasons not to include that functionality alongside the existing option to “Delete cookies and site data when Firefox is closed.” Having decided what Firefox can most appropriately offer a general audience in this regard, why would Mozilla recommend this divergent Cookie AutoDelete functionality to a general audience?

Since Cookie AutoDelete appears to offer only minor improvements to what Firefox already offers, why does Mozilla believe that Cookie AutoDelete meets the requirement of an “exceptional user experience”?

These questions may support several changes:

  • It appears that the Recommended list should be renamed the Tested list.
  • If testing reveals conflicts or other useful information (including reasons for not incorporating certain functionality into Firefox), or if approval is based upon specific features not found elsewhere, the Tested list would be made more helpful if, instead of repeating a summary blurb about each extension, it offered an expandable statement of this additional knowledge.
  • If part of the problem is that the Recommended list is simply not being kept up-to-date, it would help if those statements of additional knowledge included a “Last Updated” date. That, however, would provide ironic commentary on the criterion requiring extensions to be currently maintained.
  • If Mozilla does wish to offer a separate Recommended list, naming highly beneficial extensions cherry-picked from the Tested list, the criteria (above) may be improved by dividing them into those that best suit each list. Worthy extensions might then be added to the Tested list, and thus brought to the attention of a wider audience – even if, for example, their functionality is not particularly “exceptional” – if, that is, they merely do what users want, with safe and exemplary functioning.