Stop using proprietary Firefox extensions. Dangerous

drag

Elite Member

These items do automatic self-updates without user's control, notifications, or consent (generally). These guys check back with their corporate masters over unencrypted http.

Because there are no SSL certs or anything like that, this leaves users of these extensions in a dangerous position because of things like DNS spoofing. There is no checking of hosts... It's all based on domain names, which is a known problem.


If you're using the community contributed stuff from addons.mozilla.org and whatever whitelist Firefox has set up by default then you're fine. These things are (generally) immune to this sort of problem.

 
Thanks for the info, drag. The blog.wired.com link isn't working for me right now.

How do we know which extensions are proprietary and which aren't?

As I'm typing this the Wired.com link loaded. Reading now
 
I didn't install any of these. They start with your computer when you are using Windows systems and we don't yet know what they really do.
 
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every
 
Thanks for the heads up.

I do love the browser sync though 🙁

Maybe they won't take too long to fix it now that it's been announced; I'll have it off in the meantime.
 
Originally posted by: Robor
Thanks for the info, drag. The blog.wired.com link isn't working for me right now.

How do we know which extensions are proprietary and which aren't?


The easy way to know the difference is if you got the extension from addons.mozilla.org or any sort of official mozilla/firefox mechanism. Those are going to be safe. They require the use of https (which authenticates the hosts you're getting the files from) and they have to ask your permission to upgrade or not.

If you had to go to an external site and whitelist it then you have to be careful. The fact that these are updating automatically and do not use any host authentication beyond DNS names is the problem.


From the disclosure:
The vast majority of the open source/hobbyist made Firefox extensions
- those that are hosted at https://addons.mozilla.org - are not
vulnerable to this attack. Users of popular Firefox extensions such as
NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
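
As an added illustration of the distinction made in the post above (not part of the original thread, and not code from Mozilla or the disclosure): a short audit that reads an extension's `install.rdf` manifest and reports whether the update server it declares in `em:updateURL` is reached over https. The sample manifests, ids and hosts are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"           # extension-manifest namespace
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample manifests (hypothetical ids and hosts).
HTTP_MANIFEST = f"""<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@vendor.example</em:id>
    <em:updateURL>http://updates.vendor.example/update.rdf</em:updateURL>
  </Description>
</RDF>"""
HTTPS_MANIFEST = f"""<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="urn:mozilla:install-manifest"
               em:id="sync@vendor.example"
               em:updateURL="https://updates.vendor.example/update.rdf"/>
</RDF>"""
NO_URL_MANIFEST = f"""<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>hobby@author.example</em:id>
  </Description>
</RDF>"""

def _prop(desc, name):
    """em: properties may be written as child elements or as attributes."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_manifest(xml_text):
    """Return (extension id, update URL, verdict) for one install.rdf."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF}}}about")
        if about != "urn:mozilla:install-manifest":
            continue
        ext_id, url = _prop(desc, "id"), _prop(desc, "updateURL")
        if not url:
            # The extension names no update server of its own.
            return ext_id, None, "no-custom-update-url"
        scheme = urlparse(url).scheme.lower()
        if scheme == "https":
            return ext_id, url, "authenticated-https"
        # Plain http: the host is identified by its DNS name only.
        return ext_id, url, "unauthenticated-" + (scheme or "unknown")
    raise ValueError("no install manifest description found")

if __name__ == "__main__":
    for manifest in (HTTP_MANIFEST, HTTPS_MANIFEST, NO_URL_MANIFEST):
        print(audit_manifest(manifest))
```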
 
Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

Stuff like greasemonkey, noscript, and adblock are going to be safe.

I am not familiar with all of them so I don't know.


A partial list of problem extensions is (from the disclosure):
A vulnerability exists in the upgrade mechanism used by a number of
high profile Firefox extensions. These include Google Toolbar, Google
Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar,
AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft
Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others,
mainly commercial extensions.


Any extensions you got from addons.mozilla.org or through 'get more extensions' in the tool menu ---> extensions window are fine.
 
Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

If you're using a recent version of ABP, the Filterset.G Updater is obsolete...the built in subscription mechanism is much better IMO.
 
Originally posted by: A5
Originally posted by: Robor
I've got quite a few installed. This is my lappy:

1. AdBlock Plus
2. Adblock Filterset.G Updater
3. Adblock Plus: Element Hiding Helper
4. CookieSafe
5. Fasterfox
6. FlashGot
7. Foxmarks Bookmark Synchronizer
8. Greasemonkey
9. NoScript
10. Reload Every

If you're using a recent version of ABP, the Filterset.G Updater is obsolete...the built in subscription mechanism is much better IMO.

Yep, I'm using the latest ABP. Thanks for the heads up. 🙂
 