There are some differences, though, between extensions and plugins in regard of security:
- Extensions which are found to be unsafe can be promptly disabled worldwide by Mozilla admins using a remote centralized mechanism. This is true for plugins too, but I’m very dubious that Mozilla would abruptly kill Flash (or even worse, Java) on all its users in reaction to a zero-day vulnerability disclosure…
- Extensions enjoy a safe and very effective update mechanism, which allow security updates to be deployed almost instantly. The same can’t be said for most, if not all, the most popular plugins.
- The vast majority of Firefox extensions are open sourced. Those hosted on AMO,
which is the only place where you can to safely install add-ons from* where Firefox sends you to safely install add-ons, must allow per-policy code reviews, therefore even in those rare cases where native executable code is included, this must comes with its sources, no matter the license. This allows manual screening against malicious extensions (all the hosted add-ons are also automatically scanned by anti-virus software anyway), or more focused security code reviews like the one Wladimir Palant performed recently.
Coming to “Security Advisers”, Roger A. Grimes (a CPA, a CISSP, a CEH, a CHFI, a TICSA, and an MCSE: Security, which in plain English means more or less “security consultant with a strong Microsoft background”) recently wrote a serie of articles comparing security features of all the major browsers.
The one about Firefox contained, among others, a quite disturbing (for me at least) paragraph (emphasis is mine):
Although add-ons such as NoScript, and plug-ins such as Adobe Flash, bring many useful capabilities to Firefox, at the same time they come with problems and security issues of their own. Firefox has a built-in add-on manager that allows you to browse available extensions, install and uninstall them, and enable and disable them, but again, they can’t be enabled or disabled with per-site granularity.
So I decided to send Roger an email, sparking a pretty intense exchange (in the meanwhile, I was implementing PoC X-Frame-Options compatibility for Firefox with my left hand).
Yesterday I noticed he published a synthesis of our discussion. Even though he cut some logic passages, making our reasoning a bit hard to follow, I have been positively impressed by his openness and I’d like to rectify just two little things:
- Roger introduces his report of our thread with these words:
I indicated that browser add-ons (or plug-ins) could bring additional risk to a browser. One browser add-on provider, Giorgio Maone of Firefox’s NoScript, wrote me to strongly disagree.
As this very post of mine demonstrates, I couldn’t and didn’t disagree on the concept “that browser add-ons could bring additional risk to a browser“. But I was rather surprised (and, honestly, pissed off) about his suggestive exemplification choices.
- In an original message of mine, I tried to explain my objection this way:
You would never dare to say “Mail servers and Web servers, such as qmail and IIS, which come with problems and security issues of their own…”
I choose qmail for my example because of its almost immaculate security records: should you pick a single product to illustrate mail server security risks, you’d bash Sendmail with its several documented vulnerabilities, rather than DJB’s impervious creature. However the article inexplicably morphed “qmail” into GMail, making my point quite obscure (given that GMail is not even a proper mail server, nor exactly a security champion).
That said, I appreciate Roger’s transparency and I hope we’ll have chances for new constructive discussions.