(Firefox) Extension Security

Jan 28th, 2007

Comments: 0
Category: General Security

(Firefox) Extension Security

Here’s one that I think will be a growing problem… 3rd party extension security. I’ll use Firefox as an example as it uses this kind of system, but I don’t think that the problem is limited to Firefox.
So you’ve got a piece of software from an organisation you trust (whether you should or not’s a different question), in this case the Firefox browser. You download it and install it from the main site (hey if you’re good you even check the MDS5SUM to make sure it’s as packaged)
Now one of the best features of Firefox is the extensive range of extensions that are available to add useful functionality to the browser. things like noscript or web developer are real handy things to have and I definitely install them every time I install Firefox.
Now here’s the problem… do you trust the people that wrote those plug-ins, or an even wider question, do you trust the security of the environment that those plug-ins were developed in? Do you even know who the person who wrote the plug-in is?
Some people may say “why do I care it’s just a browser”, yeah but do you do E-Commerce and put your credit card details into webpages? Do you do on-line banking? do you use a browser for it?
A very brief read uncovered one instance of a rogue plug-in last year (more here and here ) but I doubt it’ll be the last.
One thing I’ve not read up on yet is what security model there is for what actions a plug-in can take when installed… my instinct says that in this case there’s not too much restriction, but worth investigating anyway.

Add a comment

Your email address will not be shared or published. Required fields are marked *