Sign your Code

Firefox Add-onsJust recently the new Firefox version 3.5 was released with many new features, whistle and bells….native video and audio support being one of them. Porn private browsing mode and super fast rendering just another. If you haven’t updated and tried the latest and greatest from the house of Mozilla, I highly recommend to do that now.

Another feature, albeit a lot less reported and modest is the addition of the Code Signing trust bit to the StartCom CA root. This means that applications and other code signed by a StartSSL code signing certificate are automatically trusted by Firefox. Since however applications and programs are typically installed at the operating system level instead the browser, this doesn’t sound to be such a useful feature, doesn’t it?

One of the clear advantages of the Mozilla Firefox browser is its huge repository of third party extensions, called “Add-ons“. They are mostly developed by third party developers and provide an easy way to customize and extend the browser according to specific needs. Those additions may be automatically updated like the browser itself, making their maintenance fairly easy and convenient.

One of the critical issues with installing additions to the browser are obviously security related. How does one know that the piece of code added to the browser isn’t tainted, modified during transit or otherwise problematic? You don’t want to install a key-logger stealing your passwords, right?

One way to secure code is by having the developer sign the extension with an authenticated certificate such as StartSSL™ Verified. This protects against tampering and modification, but also provides some details about the developer who signed the program. Of course it’s recommended to download and install programs or additions only from reliable sources. For Firefox extensions that means only those listed at the Mozilla Add-ons web site, because Mozilla asserts a certain control over its repository.

Just recently I ranted about the The Geek Factor, but apparently some developers get it nevertheless simply right. So has for example Wladimir Palant, the developer of the highly popular Adblock Plus Firefox extension, announced that the web site, including his EasyList subscriptions, will serve its content SSL secured from now on. More than that, he soon intends to sign the probably most popular Firefox extension with his new StartSSL™ code signing certificate.

Perhaps Mozilla should consider facilitating code signing certificates for its developer community in order to improve security, by providing them as a distributor without charge. But even without such an effort, the costs for code signing certificates aren’t prohibitive, should other developers like Wladimir decide to take security seriously. For a modest fee*, one doesn’t receive only a code signing certificate from StartCom, but also an unlimited amount of server certificates supporting the popular wild card feature. Compared with any meaningful offer by the competition, this is a fraction of the price one usually has to spend for any one of them.

And the best of all? Most software vendors already support or will support within a short time all certificates issued by StartCom, including Mozilla, Apple and Microsoft amongst others. StartCom clearly enables developers and software vendors to obtain digital certificates supported by the major platforms for reasonable fees. And by signing their code and securing their web sites, developers will be able to provide better security and protection for the benefit of their users and with it, add more value to their products. Did you sign yours already?

* US$ 29.90 Class 2 Validation

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Other Posts
Competition Spurs Innovation
Securing a Revolution

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

You must be logged in to post a comment. Click here to login.

Reader Comments

Eddy, before you get too enthusiastic you should let people also know about Wladimir Palant’s post on the difficulty of getting code signing certs to actually do anything useful with respect to signed extensions. (I know you’re aware of this issue, because I see your comments in bug 372980, but your readers may not be.)

That’s what we found out together after actually attempting to use it ;-)

After all it appears that Mozilla is making progress on the open issues and code signing is going to be a useful tool eventually.