Browser Plug-ins and Security Considerations

Discussion in 'other security issues & news' started by Dermot7, Feb 11, 2011.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    "Firefox is an ideal browser platform for creating add-ons. Firefox plugins have access to the entire browser, without any restriction. This allowed me to release two plugins to improve the security of Firefox users (Search Engine Security, and BlackSheep), and a third one is in the works, but the power of Firefox plugins can also be used with malicious intent."

    http://research.zscaler.com/2011/02/browser-plugins-and-security.html
     
  2. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    True...Convenience vs. Security.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Articles like this are what you should link to people that moan about ActiveX being the reason they don't use IE.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I agree.

    c/o p2u in this thread... -http://ssj100.fullsubject.com/t15-firefox-add-on-noscript#2462-

    Abusing Firefox Extensions (PDF document; 1.82MB)

    Some highlights:
     
    Last edited by a moderator: Feb 11, 2011
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Very informative article, thanks for posting.
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Thank you for your replies, and thanks trismegistos..very interesting.
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    As far as possible, I try to avoid using add-ons. Some are very well known, like AdBlock Plus or Stylish, and I'd guess (and hope) that the risk there is minimal to non-existent.

    Anyway, the downside of add-ons has been known for quite some time now.

    And pointing out the vulnerabilities of add-ons to justify the use of ActiveX is "interesting" ;)
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    The only difference is the name.
     
  9. katio

    katio Guest

    Oh noes, Firefox is doomed110!!
    Another chrome fanboi? Just look into the Android security model which Chrome is based on and see how that worked out
    http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
    http://threatcenter.smobilesystems.com/

    Alright, not so fast.

    The article is right, there is a security and trust issue involved and it's good to raise awareness but:

    (@funkydude) This is not like ActiveX, not close. Back in the glorious days of IE6 the browser would happily execute code from any website without much warning or nagging around. Firefox addons work much more like actual standalone programs:
    1) obligatory warning about, do you trust the author...
    2) install
    3) execute

    That's so naive I don't even have to comment on that.

    If you install software you grant a 3rd party access to your computer, to all the files, to everything. It can be a standalone exe, a dll, a script, java applet or an addon or extension for another program. With the current state of application security and patch policy we can even extend that to data files!

    In any of these cases you need to trust
    1) the developer is trustworthy
    2) he's competent and secures his development environment (tampering with the source code? yes it happens, sf got hacked, remember proftpd)
    3) trust that the file you got is the file he wrote

    How do we go about solving that?
    1) Don't install from anonymous sources, only install known software.
    AMO makes that very easy, read the comments, only install software that got a few thousand or more users and most importantly: don't install "experimental" addons on your production system.
    This isn't a theoretical problem, there have been malicious addons but they all where (to my knowledge) in the experimental session which comes with additional warnings. If there is a problem users will be warned, the code will be stopped from being distributed and it's likely a legal investigation will have success because not anyone can upload to AMO.
    Open source helps too, especially with small addons with limited complexity that are actually understandable and realistically to check for backdoors.
    2) files are uploaded to a secure datacenter before distribution (not sf...;))
    check, Mozilla has a lot of experience and a good track record
    3) that's easy sign the files or use TLS
    check

    In conclusion: There are better targets for you criticism, AMO is a good model and its track record shows that it's much more secure than Active X or random exe file ever where.
    If you want to attack something, why not lobby for making app stores and repositories mandatory or at least how it's more secure to use them instead of your favourite download site (or, as widespread probably, warez sites)?

    The security model of Chrome OS is a new direction. It changes the whole trust issue from above. The OS is from the ground up designed to run _untrusted_ software ("webapps"). This will improve security for the average joe tremendously. But it comes at the high cost of freedom. That's for another thread though :)
    If you are interested in making 3rd party software untrusted I also recommend you to look into Qubes OS, L4 and similar projects.
     
  10. tlu

    tlu Guest

    About a year ago a new Add-on Review Process has been implemented by Mozilla - worth reading. Moreover, in the Jetpack project security improvements are planned - see here and here.

    Quote from https://wiki.mozilla.org/Labs/Jetpack/Design_Guidelines:

     
    Last edited by a moderator: Feb 13, 2011
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  12. tlu

    tlu Guest

    Here's an overview of the AMO Review Process. Particularly interesting is this comment. More details can be found in the AMO Editors Guide which includes, among other things, an automatic validation also available for the add-on developers and detailed here.

    In a discussion about Firefox extension security, Giorgio Maone, the developer of Noscript, recently wrote about the new AMO Review Process:

    All in all this means that security has a high priority in the AMO Review Process contrary to some sensationalist claims.

    As already mentioned, Jetpack will bring more improvements. The first beta of the Add-on SDK was released in last December.
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Good links. There really shouldn't be much to worry about for add-ons that pass the Full Review (though that queue is reportedly quite long currently).

    The author of AdBlock Plus has some comments on his blog:
    http://adblockplus.org/blog/changes...w-version-isn-t-available-on-addonsmozillaorg
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    And here's a blog from quite a few months ago dealing with a couple of add-ons that were yanked "toot-sweet" once their potential for misuse came to light:
    http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

    It's a bit unfortunate that the add-on review backlog is coinciding with the "need" to push Fx 4 out the door.
     
  15. tlu

    tlu Guest

    Yes, that was discussed here on Wilders some months ago. It highlights the risk of using unreviewed extensions - which is, according to Giorgio Maone, the normal situation for Chromium extensions ...:thumbd:
     
  16. tlu

    tlu Guest

    Here's an interesting comment by Wladimir Palant which also shows that AMO is becoming stricter.
     
Loading...
Thread Status:
Not open for further replies.