A few months ago, I created the following bug report at the Mozilla project’s install of Bugzilla:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Steps to Reproduce:
1. Install jstest package (attached).
2. Edit xul.js (in zip file), replacing the second parameter to the “save()” call to a local file on your system (or to a file that doesn’t exist yet in a writable directory).
3. Place xul.js (in zip file) on a remote server.
4. Edit the button in jstest.xul within package so that the parameter to “execute()” in the “oncommand” parameter points to the file created in step 2.
5. Run the package and press the button.
A file is written to the local path specified in the remote script containing the text sent as the first parameter to the remote “save()” function.
In plain English, it means that installing Firefox extensions can be dangerous if you’re not very careful about what you install. When you install an extension, you’re giving full control of your browser to the developer who wrote the extension. In most cases, this’ll work out just fine, as most people who write extensions are writing utilities that they find useful and wanted to make available to others. But there’s always the jerk who ruins a good thing. Later in the bug report, I go back and forth with a key developer about whether or not this is in fact a bug. He concludes that it’s not. In short, if you agree to install an extension, you agree to take whatever pain or pleasure comes with installing that extension, and it’s a bad idea to install untrusted extensions. And of course he’s right. The extension system has to have pretty much full privileges or else it’ll be rendered essentially useless. So the credibility of Firefox as a secure browser is in some ways in the hands of users, who are known for installing spyware on their systems through IE and can’t really be trusted to keep security in mind.
To illustrate the point, I’ve written a little test extension named Prawn (as in shrimp) that shows you prawnography on demand. The real life example, of course, would showcase pornography and would be more fully-featured than my extension. Prawn adds an item to your “Tools” menu named “Prawn me” that, when selected, spawns a new tab loaded with a random racy image from prawnography.net. The extension also has an annoying habit of popping up a window every 30 seconds or so. It’s ok to download and try my extension — I promise it doesn’t do anything truly malicious, and it shows the point pretty well, I think. If you happen to be a prawn fetishist and you see this great extension that gives you access to prawnography, you might carelessly download this extension and find yourself stuck with annoying popups. Moreover, if the popups don’t indicate that they’re associated with the Prawn extension, you might not be able to figure out how to make them stop, short of reinstalling Firefox (though all it in fact takes is uninstalling the extension).
The moral here isn’t that Firefox is bad or insecure, though the argument could be made. I’ve spoken to Firefox developers who point out that the extensions manager instructs users not to install untrusted extensions, and I suppose that’s valid, though we all know that it’s absurd to trust users to follow instructions. (In spite of my warnings about not installing untrusted extensions, did you download and install mine? If so, shame on you. It really is safe, but what if somebody else wrote a similar blog posting with their own extension that actually turned out to be malicious?) Developers and advocates also point out that one of Firefox’s big strengths is that it doesn’t run ActiveX controls, which are responsible for most of the malware that’s out there. And that’s true and good. But if a similarly exploitable technology is built into Firefox, is it really that much better?
Well, I think it is. I’m a devoted Firefox user, and I encourage everybody I can to use the browser. But I also encourage them to be sensible about what extensions they add to Firefox. Theoretically, the extensions available at update.mozilla.org are safe, but I don’t know how much scrutiny is actually given to extensions before they’re added there. (There may be a great deal of scrutiny; I’m not saying there’s not; I’m just saying that I don’t know.) And I don’t know how much code review is done. Is it possible, I wonder, to submit and have approved a cool extension but then to go back and edit it without review a few months later so that it includes malicious code?
Questions like this are no doubt being asked as the Mozilla Foundation works even now on revamping update.mozilla.org, but they’re probably too technical and uninteresting to many, if not most, members of the growing pool of Firefox users. And debatably, they’re questions that users shouldn’t have to worry about. In an ideal world, you’d just install your browser and use it without looking back. The jerks out there who make malware will always find ways to thwart this ideal vision, I suspect. My advice, then, is to use Firefox (right now, it is safer than IE; if you don’t use Firefox, consider Opera or some other alternative). I also advocate spreading Firefox, an activity I’ve been engaged in for six months now. But don’t be blind to the shortcomings that the greatness of Firefox extensibility introduces. Try to verify that any extensions you install are safe. And whatever you do, if you need to browse prawnography, don’t use my extension to do so; you’ll find it most annoying, if (for now) technically harmless.