Establishing Digital Trust: Don't Sacrifice Security for Convenience
Among the many reasons why Mozilla's Firefox browser has become popular is the fact that it's relatively easy to build and install add on extensions for it. That ease of extensibility however has a potential dark side to it.
Those same extensions that add power to Firefox, generally speaking, could arguably represent a security risk as well. It's a security gap that Mozilla is now plugging with its Alpha 8 development release of its next generation Firefox 3 browser.
In terms of add-on extension security, Firefox 3 Alpha 8 is specifically targeting the updating of add-ons to make that process more secure.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Mozilla spells out the issue in its guide on the new extension security:
"Firefox currently automatically checks for updates to add-ons using a url specified in the add-on's install manifest. Currently there are no requirements placed on these urls. In particular, neither url is required to be https. This allows either the update manifest or the update package to be compromised, potentially resulting in the injection of malicious updates. A demonstration of one form of compromise is already public."
The new extension security feature will aim to secure updates by a number of mechanisms including using SSL (define), and digital signatures that help to verify the identity and authenticity of the add-on's author. The general idea is that by ensuring that both the update mechanism and integrity of the update package are properly secured, overall safety will be improved.
There still might well be other issues that Mozilla will need to tackle in order to further improve add-on security though.
"It should be stressed that this feature is targeted at ensuring the security of updates to add-ons and has no impact on the security of initial add-on installs," Mozilla admits in its guide.
The Alpha 8 build is what Mozilla considers to be an early developer milestone and is not intended for the general public. In fact one of the rough edges in Firefox 3 Alpha 8 will actually prevent it from launching on Windows Vista if parental controls are enabled.