Add-ons behaving badly: the challenges of policing the Firefox ecosystem

Discussion in 'other software & services' started by ronjor, Feb 28, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,798
    Location:
    Texas
    http://arstechnica.com/business/new...llenges-of-policing-the-firefox-ecosystem.ars
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Isn't it like.. 98% of Firefox extensions use incredibly powerful APIs that they have no reason to be using? Can't remember the stats.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Mozilla needs to take some "unpopular" decisions quickly. Tip-toeing around isn't going to help.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://webblaze.cs.berkeley.edu/2010/secureextensions/

    There it is.

    Mozilla has long said that the biggest factor in page-slowdown etc is faulty extensions. And we've seen toolbars that load up non-ASLR binaries allowing exploits.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I remember Google pushing its 'free' toolbar when I first ran Firefox 2. :eek:
     
  6. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    more scare tactics :rolleyes:
     
  7. BrandiCandi

    BrandiCandi Guest

    So what I take away from that is don't install the Ask Toolbar or McAfee Site Advisor.

    Interesing- that article was dated 2009. I wonder if Mozilla has changed anything since then... or taken Berkeley's advice.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I haven't heard anything about changes like that to their system.
     
  9. guest

    guest Guest

    Then I recommend you to fully read the changelogs of recent versions (v4 and beyond) and every article in the Mozilla blog since 2010. There were many changes in the correct direction.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    "firefox extension security changes" "changes to firefox extension system" aren't really showing anything.

    Ctrl + F for the word extension all the back to the FF4 beta gives 1 results not relevant to security.

    If you have a link talking about changes to their extension system, provide it please. I hate digging.

    edit:
    http://www.security-assessment.com/...eeman_abusing_firefox_extensions_defcon17.pdf Another older link I believe - I hope they have made things better.

    EDIT2: https://developer.mozilla.org/en/Extensions/Updating_extensions_for_Firefox_4

    I have only glimpsed at it atm but I see no security changes. Same for 3.5's page.

    edit3: http://www.cs.berkeley.edu/~afelt/felt-extensions-leastpriv.pdf A omre recent paper saying the same thing. I think this one was 2010.
     
    Last edited: Feb 29, 2012
Loading...
Thread Status:
Not open for further replies.