> At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.
If you follow the Mozilla security blogs, they've spent the last couple of years removing the ability of not-quite-malware to alter the browser without both the user opting in and having an easy way to disable anything if they change their mind. That doesn't stop outright malware but it removes one of the legal fig leaves which adware vendors rely on and exactly supports your stated goal above by allowing a user to learn how to manage add-ons and remove something annoying without having their decision reset by the adware.
The real problem, however, is that it's currently fantasy to assume that anyone has enough information to make these decisions because a) the permissions models are still basically all-or-nothing and b) the halting problem has not yet been solved. Unfortunately, it's not just a question of tweaking the permissions models – as Android has shown, all that does is train users to approve blindly because every single app requests access to just about everything. That's not something we can fix overnight because it involves both things like better permissions models and changing the structure of the environment to be closer to something like WebIntents where many classes of add-on are only executed in response to specific user actions.
Until we reach that promised land, however, I don't see the big deal to Mozilla requiring you follow a free signing process for an extension so add-ons can easily be killed if needed and publishing something deceptive will require you to burn a developer account. It's not like they're talking about anything based on the content of the add-on.