Stop using proprietary Firefox extensions. Dangerous

drag

Elite Member
Jul 4, 2002
8,708
0
0

These items do automatic self-updates without the user's control, notifications, or consent (generally). These guys check back with their corporate masters over unencrypted HTTP.

With no SSL certs or anything like that, this leaves users of these extensions in a dangerous position because of things like DNS spoofing. There is no checking of hosts... It's all based on domain names, which is a known problem.


If you're using the community contributed stuff from addons.mozilla.org and whatever whitelist Firefox has set up by default, then you're fine. These things are (generally) immune to this sort of problem.

 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Thanks for the info, drag. The blog.wired.com link isn't working for me right now.

How do we know which extensions are proprietary and which aren't?

As I'm typing this the Wired.com link loaded. Reading now
 

greylica

Senior member
Aug 11, 2006
276
0
0
I didn't install any of these. They start with your computer when you are using Windows systems, and we don't yet know what they really do.
 

Robor

I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
thanks for the heads up.

i do love the browser sync though :(

maybe they won't take too long to fix it now that it's been announced, i'll have it off in the meantime
 

drag

Originally posted by: Robor
Thanks for the info, drag. The blog.wired.com link isn't working for me right now.

How do we know which extensions are proprietary and which aren't?


The easy way to know the difference is if you got the extension from addons.mozilla.org or any sort of official mozilla/firefox mechanism. Those are going to be safe. They require the use of https (which authenticates the hosts you're getting the files from) and they have to ask your permission to upgrade or not.

If you had to go to an external site and whitelist it, then you have to be careful. The fact that these are updating automatically and do not use any host authentication beyond DNS names is the problem.


From the disclosure:
The vast majority of the open source/hobbyist made Firefox extensions
- those that are hosted at https://addons.mozilla.org - are not
vulnerable to this attack. Users of popular Firefox extensions such as
NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
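
An added example, not part of the original thread and not Mozilla's or any vendor's code: a Python check that reads each installed extension's `install.rdf` and reports whether its update check goes to the browser's default service, a custom HTTPS URL, or a custom plain-HTTP URL. The `em:updateURL` and `em:updateKey` manifest properties are real (signed update manifests via `em:updateKey` were accepted by later Firefox versions in place of HTTPS); the function names are hypothetical and the sample ids, URLs and keys are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # namespace of em: properties

def _prop(root, name):
    """Read an em: property written as a child element or as an attribute."""
    for node in root.iter():
        if node.tag == EM + name and (node.text or "").strip():
            return node.text.strip()
        if node.get(EM + name):
            return node.get(EM + name).strip()
    return None

def classify_update_channel(install_rdf):
    """Classify how an extension manifest (str or bytes) asks to be updated."""
    root = ET.fromstring(install_rdf)
    url = _prop(root, "updateURL")
    if url is None:
        return "default"   # no custom URL: browser's built-in add-on update service
    if urlsplit(url).scheme == "https":   # urlsplit lowercases the scheme
        return "https"     # update host is authenticated by its certificate
    if _prop(root, "updateKey"):
        return "signed"    # plain HTTP, but the manifest pins a key for signed updates
    return "insecure"      # plain HTTP: the host is identified by DNS name only

def scan_extensions(extensions_dir):
    """Map each unpacked extension directory to its update-channel class."""
    report = {}
    for entry in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, entry, "install.rdf")
        if os.path.isfile(manifest):
            with open(manifest, "rb") as fh:  # bytes: parser honours the XML encoding
                try:
                    report[entry] = classify_update_channel(fh.read())
                except ET.ParseError:
                    report[entry] = "unreadable"
    return report

def sample_manifest(ext_id, props=""):
    """Constructed sample manifest; ids, URLs and keys passed in are placeholders."""
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            f'<em:id>{ext_id}</em:id>{props}</Description></RDF>')

if __name__ == "__main__":
    http = "<em:updateURL>http://updates.vendor.example/update.rdf</em:updateURL>"
    print(classify_update_channel(sample_manifest("toolbar@vendor.example", http)))
```

Point `scan_extensions` at the `extensions` directory of a profile to get one verdict per unpacked extension; anything reported as `insecure` is the case the disclosure describes.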
 

drag

Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

Stuff like greasemonkey, noscript, and adblock are going to be safe.

I am not familiar with all of them so I don't know.


A partial list of problem extensions is (from the disclosure):
A vulnerability exists in the upgrade mechanism used by a number of
high profile Firefox extensions. These include Google Toolbar, Google
Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar,
AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft
Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others,
mainly commercial extensions.


If you got your extensions from addons.mozilla.org or through the 'get more extensions' in the tool menu ---> extensions window, then you're fine.
 

A5

Diamond Member
Jun 9, 2000
4,902
5
81
Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

If you're using a recent version of ABP, the Filterset.G Updater is obsolete...the built in subscription mechanism is much better IMO.
 

Robor

Originally posted by: A5
Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

If you're using a recent version of ABP, the Filterset.G Updater is obsolete...the built in subscription mechanism is much better IMO.

Yep, I'm using the latest ABP. Thanks for the heads up. :)