Firefox security test add-on was backdoored - marvel
http://news.netcraft.com/archives/2010/07/15/firefox-security-test-add-on-was-backdoored.html

======
code_duck
I often wonder about the security of add-ons, and whether training users to
install them willy-nilly is a good security practice.

As for this one, I would have been wary due to the way the developer seemed to
think 'u' is a word. It's the little things that can tip you off that at
least, something might not be of professional quality.

~~~
tiles
Definitely a bad precedent, but through addons.mozilla.org, it feels no
different than the "Android Market" model. I like this quote though:

"Mozilla subsequently confirmed that they had not reviewed this add-on and are
currently working on a new security model that will require all add-ons to be
code-reviewed before becoming discoverable on addons.mozilla.org."

Which would let me rest easy installing any extensions, as long as they're
from addons.mozilla.org, a trusted source.

~~~
code_duck
Yes, it would be much better if the software on addons.mozilla.org was
reviewed. As it is, they tell you that it may be unsafe - and considering you
see that for every single add-on, even ones known to be safe like Firebug,
it's as good as no message at all. I've read that there is a nefarious market
now for old, forgotten add-ons - it's possible to take over development of an
add-on, and make an update that is malware. Firefox will then automatically
update the software for everyone who has it installed.

I haven't used the Android Market, but I did notice similar treatment for
add-ons in the Google Desktop Sidebar. I never download the apps they offer
there, as again, the warning essentially says anything available could be a
dangerous trojan, and nobody from Google has taken the time to check any of them.

When a trusted name offers software, they should at least provide the
assurance that it is not malware. Of course, this leads to systems like the
App Store and considering how expensive and time consuming the review process
could be, I understand why they don't. So, that's great to hear Mozilla is
trying to improve this!

------
marvel
Indeed.