How Writing Firefox Extensions Can Scare You Away From Them

Extensions are one of the key reasons we love Firefox. However, one extension developer found the security model for Firefox extensions so disturbing that she's stopped using them altogether.

In a fascinating presentation at Linux.conf.au 2011, Anna Gerber outlined the development of LORE, a complex Firefox extension designed to help literary scholars annotate texts, create compound objects which combine multiple texts and notes, and share their work. Gerber works as a senior software engineer with the ITEE eResearch Lab at the University of Queensland. The project was developed as a Firefox extension because most researchers are used to working in a browser environment, and because an extension can be installed easily even on locked-down machines. (You can see some of its functions in the video above.)

While the LORE project has been very successful so far, Gerber said that the entire experience was a real eye-opener in terms of how Firefox extensions actually work and where the development process needs to improve. In particular, the open-ended privileges which Firefox extensions have are a concern:

It's all or nothing. Firefox extensions run in this privileged environment — it's really scary what they can do. Since writing this, I don't run any Firefox extensions anymore. I just don't trust them.

Building the extension was also tricky, though Gerber stressed that this was in large part because LORE is a multi-faceted extension with its own GUI, rather than the more typical single-function add-on. "It works great for simple tasks," she said. "But for complex extensions, it's really, really difficult. There are almost no tools you can use for debugging them. The tools that work for web development don't work within the extension environment. Chromebug is so flaky it's not funny. There's a real gap there for people developing complex extensions." Constant changes to the Firefox API are also an issue, meaning lots of features break as new versions appear.

The inevitable question: does Chrome do better? Gerber thinks so — "they have what seems to be a well thought out extension framework" — though again she stressed that this is partly because Chrome's developers have been able to learn from the Firefox experience and start with a more efficient and secure model. She can also see potential in the Mozilla Jetpack project for this kind of development.

Arguably none of that means you should be throwing out your tried and trusted Firefox extensions, but it's a reminder to remain cautious when installing unfamiliar software and to have a little sympathy if your favourite extension doesn't immediately update when Firefox does. Thanks again to Anna for a great presentation!


Comments

    Why do you imagine a firefox extension is any different to any other program your operating system runs? They all have the privileges to do effectively 'anything' on your system.

      Actually a good program should be coded to abide by the system rules of elevated privileges, this goes to show that Firefox extensions seem to be completely ignoring that, hmmm.. very peculiar indeed.

        ...Except all applications are forced to abide by the OS's system of user privileges, no matter how they are coded. (Barring privilege escalation bugs in the OS)

          True. And we all left UAC switched on in Windows, didn't we? :)

            Yup, for two reasons: (a) the tiny bit of protection that IE's protected mode affords you disappears when UAC is disabled - and everybody knows that IE needs every bit of help it can get when it comes to security; and (b) if clicking Continue twice a month is too demanding then perhaps you need to reassess your life.

    Her experience is pretty surprising. Chrome extensions are hard to write because developers have to wait for Google to write the API wrappers for anything you want to do. In Firefox, you can access all the APIs yourself, so extensions can actually do useful stuff (power and responsibility always go hand in hand). Jetpack and Chrome are safe exactly because of their impotence.

    Yes, there's a security concern, because extensions are software. Do you install any apps on your phone? Any programs on your OS?

    Firefox extensions are even safer - nobody is reviewing the variety of programs you can install on your OS (unless you consider antivirus software "moderation"). Apple reviews the apps you install on your phone, but they're released as compiled code, so what if they made a mistake? In a Firefox extension, you have all those safeguards, plus the ability to read the source code yourself - an ability you share with anybody else using the code.

    Eyeballs on code guarantee nothing, as any developer of fifteen or twenty years' experience will tell you. It is exceedingly difficult to find the bug which is known to exist in code; it is impossible to find the bug which is not even known to exist. Humans read code from the viewpoint of programmer's intent, micro controllers process code according to its actual meaning. The other point is that these code reviewers do not exist. Nobody knows one. If you think otherwise, name one.

    Given the position and qualifications of Anna Gerber, if she has sworn off Firefox extensions, then that is all I need to know. Trying to downplay the seriousness of the vulnerabilities in the extension framework is ludicrous on one hand and downright dishonest on the other. Entertaining the idea that Anna Gerber must be wrong is just insanity.

      Do you mean the code reviewers for your OS, for the iPhone store, or for Firefox? There aren't any for your OS. For your iPhone, nobody knows who they are. For Firefox, they are at [email protected], and they approve addons at addons.firefox.com. Anna knows about them - on her addon, it says "This add-on has not been reviewed by Mozilla" and users are warned before being offered to install it.

      If you want to rely on Anna's ethos, go ahead. There are people with even more experience who aren't as paranoid. It's not dishonest to say that extensions are software. If you need someone with credibility, I'll just say my addon gets downloaded more in a single day than hers has in the last 3 months. (It was approved by the editors, people who actually exist with names).

      The simple truth is that Firefox extensions are safer than the applications you install on your OS or iPhone. But they are all still "software". It's not ludicrous, dishonest, or insane.
