Firefox Add-on Signing criticized for being ineffective

Mozilla announced back in the beginning of 2015 that it would require Firefox add-ons to be signed before they could be installed in release and beta versions of the web browser.

The idea behind the move was to make the Firefox add-on landscape a safer place for users by protecting them from invasive or outright malicious add-ons (since those would either not be submitted at all, or if they were, blocked by the signing scanner).

It turns out, though, that the process may not be as effective as Mozilla hoped it would be. Dan Stillman, a developer working on the Zotero add-on for Firefox, criticized Mozilla's add-on signing plans heavily in a recent blog post.

Add-ons that are not hosted on Mozilla's official add-on store need to be submitted whenever they are updated, and they are signed if they pass automatic inspection, or need to be submitted for manual review if they don't pass the automatic test.

Preliminary reviews take up to seven weeks, which means that a new version of Zotero could not be released while it is still under review. That is problematic not only because of the time between submitting a release and getting it signed, but also because it makes it impossible for the developer to react quickly when time is of the essence (think security or stability fix).

As if that were not bad enough, Stillman points out that the AMO validator script is not effective, as it can be bypassed easily.

What does this mean? Malicious add-ons will be signed if they pass the automatic validation. Since they are not reviewed by Mozilla employees or volunteers in this case, they can be offered on third-party websites or via software installers, and they will install just fine in release or beta versions of Firefox.

A quick proof of concept add-on was created to prove the point. It monitors HTTP(S) requests for Basic Auth credentials and posts them to an HTTP server. It furthermore runs an arbitrary local process when a given URL is loaded, and will download arbitrary JavaScript code from a remote server and run it with full privileges when another is loaded in Firefox.

Mozilla's response? According to Stillman, Mozilla's Add-ons Developer Relations Lead stated that "most malware authors are lazy" and that the scanner would "block the majority of malware".

That was back in February, and nothing seems to have changed in this regard since. Mozilla did, however, add the proof of concept add-on to the Firefox blocklist (not the code used by it though). Stillman then went ahead and added a random ID to the add-on, which meant that it would once again pass add-on signing validation with flying colors.
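The blocklist gap described above can be shown with a simplified model. This is an added example, not Mozilla's code or anything from Stillman's post: the add-on IDs, file contents and helper names are constructed, and the only assumptions are that an XPI is a ZIP archive whose `install.rdf` carries the add-on ID.

```python
import hashlib
import io
import re
import zipfile

MANIFEST = "install.rdf"  # legacy add-on manifest that carries the add-on ID

def build_xpi(addon_id, files):
    """Build a constructed, in-memory XPI (a ZIP archive) for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, f"<em:id>{addon_id}</em:id>")
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

def addon_id(xpi):
    """Read the add-on ID out of the manifest."""
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        m = re.search(r"<em:id>([^<]+)</em:id>", z.read(MANIFEST).decode())
    return m.group(1) if m else ""

def code_fingerprint(xpi):
    """SHA-256 over every file except the manifest and signature metadata."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        for name in sorted(z.namelist()):
            if name == MANIFEST or name.startswith("META-INF/"):
                continue
            h.update(name.encode() + b"\0" + hashlib.sha256(z.read(name)).digest())
    return h.hexdigest()

def blocked_by_id(xpi, id_blocklist):
    return addon_id(xpi) in id_blocklist

def blocked_by_code(xpi, fingerprint_blocklist):
    return code_fingerprint(xpi) in fingerprint_blocklist

# Constructed samples: identical code, the second copy only has a new ID.
CODE = {"bootstrap.js": "/* placeholder for the flagged code */"}
original = build_xpi("poc@example.invalid", CODE)
re_ided = build_xpi("a1b2c3@example.invalid", CODE)
ID_BLOCKLIST = {addon_id(original)}
FP_BLOCKLIST = {code_fingerprint(original)}
```

An ID-keyed entry matches only `original`, while the fingerprint entry also matches `re_ided`. An exact fingerprint still misses any copy whose code files change, so it narrows the gap without closing it.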

One thing that Mozilla is currently considering is adding whitelist exceptions for add-ons under certain circumstances. This is currently being discussed on the Mozilla Add-ons User Experience group.

According to the information posted there, exceptions could be made if add-ons meet certain requirements such as a 1-year solid track record with no serious review issues, and more than 100,000 active daily users.

Implementation would help popular extensions get releases out quickly to users, but it won't fix the underlying issue that add-on signing is not effective in preventing malicious extensions from being installed in Firefox.

Now You: What's your take on add-on signing?

This article was first seen on ComTek's "TekBits" Technology News
