rehash wrote:
So in conclusion the only way to be sure that by using an add-on you're running only free open software is to check:
- its license
- that all files in its XPI are source files and not binary files
- every last line of its source code, because in one line it can fetch proprietary unknown code and execute it
This is a security and privacy nightmare. Is there any control over add-ons that are offered on addons.mozilla.org and over what they really do? Who checks this and how - for each new version? How can a user know which add-ons are trustworthy?

Pretty much, security is a proactive endeavor, not a passive one. You can either trust that they are legit or do your due diligence; unfortunately, not much in between. Theoretically WebExtensions alleviate this, as they are for all intents and purposes limited to being purely scripted, which should imply that you can't do that anymore, but you can theoretically still import external scripts, so there is that. There are, I am sure, script analyzers you can dump the code into to get a breakdown of what's in there and expedite analysis a bit, but again that's a matter of dealer's choice (meaning what works for you to feel comfortable with something); no one can really tell you how to approach your own peace of mind.
How is it possible for add-ons to be proprietary
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: How is it possible for add-ons to be proprietary
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
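A first-pass version of the three checks listed in the quote above, as an added example that is not code from either poster or from Mozilla: it lists license files, binary files, and source lines that load or evaluate code from outside the package. The pattern list, the function names and the sample add-on are assumptions constructed for this example, and a clean report does not replace reading the code.

```python
import io
import re
import zipfile

# Heuristic patterns (assumptions of this example, not a complete list):
# constructs that can pull in or execute code not shipped in the package.
DYNAMIC_CODE = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bimportScripts\s*\("
    r"|https?://[^\s'\"]+\.js\b"
)

def is_binary(data: bytes) -> bool:
    """Treat a file as binary if it is not valid UTF-8 or has a NUL byte."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return b"\x00" in data

def audit_xpi(xpi_bytes: bytes) -> dict:
    """Return license files, binary files and flagged source lines of an XPI."""
    report = {"license": [], "binary": [], "flagged": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            data = xpi.read(info)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base.startswith(("license", "copying")):
                report["license"].append(info.filename)
            if is_binary(data):
                report["binary"].append(info.filename)
                continue
            for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
                if DYNAMIC_CODE.search(line):
                    report["flagged"].append((info.filename, lineno, line.strip()))
    return report

def build_sample_xpi() -> bytes:
    """Constructed sample add-on, built in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("LICENSE", "GPL-3.0-or-later\n")
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}\n')
        z.writestr("content/main.js",
                   "var a = 1;\nvar s = document.createElement('script');\n"
                   "s.src = 'https://cdn.example.invalid/lib.js';\n")
        z.writestr("components/helper.dll", b"MZ\x90\x00\x03\x00")
    return buf.getvalue()
```

Calling `audit_xpi(build_sample_xpi())` reports the bundled DLL as a binary file and the remote `.js` reference in `content/main.js` as a flagged line.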
Re: How is it possible for add-ons to be proprietary
Have there been lots of known cases of malicious add-ons in the past? Giorgio wrote that a pre-WebExtensions add-on could easily send your disk contents to a remote server https://hackademix.net/2017/12/11/noscr ... ermission/. Would the add-on community even be likely to discover something like that if the add-on was clever and stealthy?
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: How is it possible for add-ons to be proprietary
If there is sufficient community involvement and code review around it, then yes.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0