by iSoron 2322 days ago
Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).

Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.

To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.


I used to have this exact same fear and never downloaded any extensions bc of that, until I started making browser extensions. Pretty much any useful extension needs the access that prompts that generic message about accessing all the data.

Any extension that's listed on the web stores has to be reviewed for malicious code, and it must do what the listing says it does. So if your browser extension has your passwords, then that extension would be considered a password manager.

The extension probably listens to the IPs of well-known time wasting websites like HN or reddit, then adds a latency to the browsing. Same with an ad blocker -- they know every site you visit but only to compare them with their blacklist of advertising IP addresses.

Of course, you have to trust they aren't doing anything else with that info, though you can probably assume you're mostly safe if you don't need an account to use the extension.

I believe only "recommended extensions" for Firefox are tech reviewed, which this one is not.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

According to [0], Mozilla requires all extensions to have a source in human-readable format and runs a test suite on them. They mention "code review" there, but don't say whether it's manual or automatic. I'd love to hear about it from someone who has some experience with the process.

[0] https://extensionworkshop.com/documentation/publish/submitti...

For my extension the review was automatic, and flags things like direct html editing. I only have a few hundred users though, so I'm not sure at what point they decide to do manual reviews.

There's a link to his github in the extension page. You can read his source code: https://github.com/OskarDamkjaer/FirefoxDelayWebpage

most of the relevant code is in https://github.com/OskarDamkjaer/FirefoxDelayWebpage/blob/ma...

It actually matches a regular expression against the URL; I don't think it looks at the IP addresses.

You are incorrect. You can inspect extensions that you download to compare the source code to the github release, or even audit the specific source you have downloaded. Please don't spread FUD.

Would it be feasible for browsers to have a console window that enumerates add-ons to display things like URLs contained in the code, what is stored in local storage, session storage, etc? Asking because this topic comes up a lot and might not if the browser had a way to show explicit detailed permissions and capabilities vs. high-level abstract permissions. This would be for less-than-technical people that probably won't be viewing source code, but could click a shiny button in the add-on page and get some idea if the addon shows URL, http(s), number of times the addon has used GET or POST or other methods:

  URL: http://some.site.tld/    [ INSECURE GET:1 POST:2]
  URL: https://some.other.tld/  [ SECURE GET:3 POST:2 ]
Maybe in about:networking have a tab for logging / debugging all addons?

.xpis are just zip files.

You can literally just save them from addons.mozilla.org and look inside - it's js so it's not compiled, and obfuscated code is against Mozilla policy.

Automatic updates are optional too.

Microsoft Application Inspector might be handy for some superficial profiling - https://github.com/microsoft/ApplicationInspector
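As an added example (not code from the thread or from the FirefoxDelayWebpage project), here is a Python script that does what the two comments above describe: it opens an .xpi as a zip, reads the manifest's host patterns and permissions, flags the ones that trigger the "can access data for all your websites" message, and lists URL literals found in the bundled scripts. The sample .xpi it audits is constructed inline; the manifest fields and the `example.invalid` URL are assumptions for the demo.

```python
import io
import json
import re
import zipfile

# Host patterns that make Firefox show "can access data for all your websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Literal http(s) URLs inside script text; stops at quotes, brackets and whitespace.
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def audit_xpi(data: bytes) -> dict:
    """Open an .xpi (a plain zip) and summarise what its manifest asks for."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
        declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        hosts = {p for p in declared if "://" in p or p == "<all_urls>"}
        for script in manifest.get("content_scripts", []):
            hosts.update(script.get("matches", []))
        urls = set()
        for name in xpi.namelist():
            if name.endswith(".js"):
                urls.update(URL_RE.findall(xpi.read(name).decode("utf-8", "replace")))
    return {
        "api_permissions": sorted(p for p in declared if p not in hosts),
        "host_patterns": sorted(hosts),
        "all_websites": any(h in BROAD_HOSTS for h in hosts),
        "urls_in_code": sorted(urls),
    }


def build_sample_xpi() -> bytes:
    """Constructed sample: a delay-style extension with a content script on every site."""
    manifest = {
        "manifest_version": 2,
        "name": "sample-delay",
        "version": "1.0",
        "permissions": ["storage", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["delay.js"]}],
    }
    # Constructed script: matches sites by regex (as the thread notes the real one does)
    # and also contains a URL literal, which is exactly what an audit should surface.
    script = ("const SITES = /news\\.ycombinator\\.com|reddit\\.com/;\n"
              "if (SITES.test(location.host)) { fetch('https://example.invalid/ping'); }\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("delay.js", script)
    return buf.getvalue()
```

Point `audit_xpi` at the bytes of a file saved from addons.mozilla.org to get the same summary for a real extension.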

> obfuscated code is against Mozilla policy

You can submit obfuscated code as long as you also upload non-obfuscated code to Mozilla. Not sure if that separate code upload is public or not...

Obfuscated code is not allowed on any of the browser extension stores. Mozilla requires the attachment of the original source code if you use a bundler such as webpack, or if the code is minified.

Only reviewers have access to the source code, unless you configure the listing to make the code public.

This message is not accurate IMO.

Basically, if the addon wants to interact with any kind of urls, this message is unavoidable. Which means that even if the addon doesn't require access to any data of the websites, as long as it wants to be triggered for any websites, this message is not going to be avoidable.

https://extensionworkshop.com/documentation/develop/request-... has more information.

FTFY: To be clear, this is more a criticism of _every browser's_ security model,...

I do agree with you though. What is surprising is that technically, this should be fairly easy to solve:

- own the CI system (to make sure the sources match the built versions)

- make sources (the ones that went into build) clearly visible

- disable silent updates

The solution should surely involve more granular permissions?

I'm assuming this permission has no need to read the body of network responses, inject anything into the responses, read cookies etc.

However, it probably has no option than to request the "read and change all network data" permission because there is nothing weaker that will let it do what it needs to do.

Making sources available isn't a scalable option to help with this in my opinion. Who is going to be doing thorough security audits of every extension + every update?

This is exactly the approach taken by F-Droid (for Android apps). All apps available on F-Droid have been automatically built from a publicly available repository, and you can either download the binary (APK) or the source tarball that they used to produce it. Updates are manual.

> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.

It's a fair comment, but this extension works by injecting javascript into every page the browser loads. If this capability were removed or even changed, it would break a ton of existing extensions (and compatibility with the many extensions written for Chrome).

Given the nature of javascript and the web, once you can run a bit of javascript on a page, you can do just about anything, so the phrasing "can access data" sounds scary but it is accurate. Of course, "can" doesn't mean "does", hence all the other commenters suggesting auditing the code.

Speaking of auditing extension code, I like https://addons.mozilla.org/en-US/firefox/addon/crxviewer/

The problem with trying to cure this security model is that once an extension can rewrite page HTML, it can inject transmission of your data to a third-party, and so any addon that affects pages (such as this one) is correctly labeled as "can access your data", because it absolutely can.

To make any headway on this, you would need to start considering how to prohibit JavaScript from transmitting page content to remote servers if it's been modified by an addon, but that would then break all JavaScript modified by adblockers, and so there's not any easy solution there either.

If you can think of a valid security model here that isn't vulnerable to today's arbitrary JavaScript execution issues, I think you'd find a willing audience. Chrome tried to solve this by nailing down what extensions can do, and the adblockers all flipped out because they won't be able to run arbitrary JavaScript in-page anymore. It remains unclear how this can ever be solved.

> Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).

> Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.

> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.

Uhhh... yeah

An alternative would be to throttle your network speed to like 2g with your dev tools, although this will obviously affect, say, YouTube more than HN