MozillaZine

Extensions and browsing privacy: What can they see?

User Help for Mozilla Firefox
moz2u
 
Posts: 271
Joined: February 9th, 2017, 4:03 pm

Post Posted December 1st, 2017, 7:26 am

I was just reading a review of what could be a very useful extension here:
https://addons.mozilla.org/en-US/firefo ... e/reviews/
and noticed, from what is probably an advanced user, that extensions can often see what you're doing because they are involved in your browsing. Think of when you're moving money around online. I didn't know if it's possible to know if your activity is observable by them or not. He seems to think so. The review is titled "Wow, this is great." and is about 3/4 down the page by FF User, 3 months ago. He stated something I've never realized: "Since this plugin (along with a million others) can see all of your data on all of your websites, you should definitely consider doing that sometimes. You should also consider having multiple browser profiles configured (see FF Profile Manager) for different levels of security.. you probably don't need Ad Blocking on your bank's website!)". This really dissuades me away from extensions entirely. What do you think? Is this a valid concern?

Gingerbread Man

Posts: 7739
Joined: January 30th, 2007, 10:55 am

Post Posted December 1st, 2017, 9:22 am

Until recently, add-ons would only be marked as "reviewed" after being examined by a human being. This process could take well over a month. Legacy add-ons had permission to do virtually anything: access the local file system, launch programs on the user's system, you name it. Since the switch to webextensions, most of this is no longer possible, or there are roadblocks in place to do the same thing, but in a safer (and less convenient) way. Mozilla argued that the security risk has been reduced so much that add-ons can now be immediately published after being automatically scanned. An actual person will still review them... eventually.
https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/

When you click the "Add to Firefox" button, you get a doorhanger prompt informing you of which specific permissions an add-on requires. If an update requires additional permissions, you get the prompt again. This didn't happen with legacy add-ons: as I said, they were able to do anything. Powerful add-ons like uBlock Origin and Violentmonkey have valid technical reasons to "Access your data for all websites" though it may not be obvious why.

Malicious individuals purchasing once-legitimate software and add-ons to sneak malware into them isn't unheard of. If this were to happen to a popular add-on with hundreds of thousands of users, would Mozilla's automated system catch it? Could it tell the difference between data transmission for the sake of add-on functionality and the same for the purpose of spying? If not, would Mozilla reviewers notice before too much damage had been done? I'm not so sure.

Webextensions are largely inter-compatible between the major browsers, so there's little difference as far as browser features providing extra security. The one thing that comes to mind is Chrome et al. allow you to disable specific add-ons in Private Browsing mode. Firefox doesn't currently have this. I can't find a bug report for it either (Edit: it's bug 1380809), though such a feature request might be hindered by the fact that many add-ons are currently broken in Private Browsing mode (bug 781982, bug 1313401).
What can make a difference is curation of the add-on store. While as far as I know, Chrome et al. don't handle things any better there, Mozilla's "review things manually at some point" doesn't exactly offer peace of mind either.
Last edited by Gingerbread Man on December 2nd, 2017, 9:15 am, edited 1 time in total.

moz2u
 
Posts: 271
Joined: February 9th, 2017, 4:03 pm

Post Posted December 1st, 2017, 11:29 am

Hopefully they will introduce a keyboard shortcut that links to a mode where privacy is at the highest possible for when you're doing financial and other personal things. We can only hope.

Brummelchen
 
Posts: 3576
Joined: March 19th, 2005, 10:51 am

Post Posted December 1st, 2017, 12:08 pm

you need to learn about permissions.
"Access your data for all websites" means - that it needs access to pages - and that includes content because webextensions are only allowed to work on webpages (not all) and thus need script injecting and that means exactly that permission. if you have doubts it is up to you to read and analyse code and to submit abuse in case of it.

at least submitting abuse needs some more knowledge and not assuming like you did. but i think any report is read and extension under review if evidence seems possible.

i can tell you because i did in several cases and the team reacted very fast. and i can tell you that i have a personal code review - even for crypted code.

moz2u
 
Posts: 271
Joined: February 9th, 2017, 4:03 pm

Post Posted December 1st, 2017, 1:06 pm

Are passwords encrypted? Or could they be intercepted by an extension?

Gingerbread Man

Posts: 7739
Joined: January 30th, 2007, 10:55 am

Post Posted December 2nd, 2017, 9:07 am

moz2u wrote: Hopefully they will introduce a keyboard shortcut that links to a mode where privacy is at the highest possible for when you're doing financial and other personal things.

You can do the same as the review you brought up and create a separate profile with no add-ons. You can also enable permanent private browsing mode in that profile if you like. Create a Windows shortcut to it with the -no-remote parameter, assign a keyboard shortcut to it, and there you have it.
moz2u wrote: Are passwords encrypted? Or could they be intercepted by an extension?

If you set up a master password, yes.
There's no API to access the passwords at the moment (bug 1357856). I expect this would show a "Needs to access your passwords" item in the doorhanger notification. At some point it will also be possible to review add-on permissions in the Add-ons Manager (bug 1345818).

Brummelchen
 
Posts: 3576
Joined: March 19th, 2005, 10:51 am

Post Posted December 2nd, 2017, 2:20 pm

to be honest - no one (!!!!!) cared with legacy extension - all-in as much they can.
upcoming webextension with permission all people crying out loud - wtf (!!!) permissions??? huh bad, not me, crying rivers.

#-o

moz2u
 
Posts: 271
Joined: February 9th, 2017, 4:03 pm

Post Posted December 3rd, 2017, 9:01 am

You're right. Profiles and their customization are very useful. Thanks for the tip on how to quickly switch between them. Hopefully they'll be clear with a link/shortcut on the Menu bar in the future so more people partake in this.

Gingerbread Man

Posts: 7739
Joined: January 30th, 2007, 10:55 am

Post Posted December 3rd, 2017, 12:06 pm

You're welcome.

That's extremely unlikely. Multiple profiles for the same OS account is an advanced feature the developers don't want to expose to every user.
Enter about:profiles into the location bar. You can keep that tab pinned for easier access. On that page, you can click "Launch profile in new browser". Though due to bug 1367743, it will only work in an instance of Firefox launched with the -no-remote parameter, so add that to your regular Firefox shortcut.

You can also use External Application Button to launch an application via a toolbar button, though I don't see how that's any more convenient than a taskbar, desktop or Start Menu shortcut.

zamar27
 
Posts: 39
Joined: November 19th, 2015, 11:06 am

Post Posted December 3rd, 2017, 3:00 pm

Brummelchen wrote: to be honest - no one (!!!!!) cared with legacy extension - all-in as much they can.


How do you know that? Any proof that no-one cared? [-X

If that were true, addon devs would not refuse to add settings allowing users to revoke permissions. The current Firefox webextension model divides permissions into Required and Optional. According to the Firefox webext team, only a very small part of addon devs follow this guideline. Almost every addon they reviewed demands all permissions to be Required, despite it being quite easy to make addons in a modular way, thus allowing users to revoke Optional permissions. In fact, I can revoke all permissions from most apps in Android. Why don't FF webext design guidelines stipulate it for addons? :)
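
Added example, not part of any post in this thread: a Node.js sketch that reads a WebExtension manifest and reports which permissions are required at install, which are optional, and whether the host patterns cover every site (the "Access your data for all websites" prompt discussed above). Both manifests are constructed samples and the function names are illustrative.

```javascript
// Added example: audit a WebExtension manifest for site access.
// Function names are illustrative; both manifests are constructed samples.

// A host permission is <all_urls> or a match pattern (scheme://host/path);
// everything else in "permissions" names an API such as "storage" or "tabs".
const isHost = (p) => p === "<all_urls>" || p.includes("://");

// Patterns that match every website.
const coversAllSites = (p) =>
  p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

const split = (list = []) => ({
  apis: list.filter((p) => !isHost(p)),
  hosts: list.filter(isHost),
});

function auditManifest(manifest) {
  const required = split(manifest.permissions);
  const optional = split(manifest.optional_permissions);
  // Content scripts are injected into every page their "matches" cover,
  // so those patterns count as install-time site access too.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const requiredHosts = [...new Set([...required.hosts, ...injected])];
  return {
    requiredApis: required.apis,
    requiredHosts,
    optionalApis: optional.apis,
    optionalHosts: optional.hosts,
    allSitesAtInstall: requiredHosts.some(coversAllSites),
    allSitesOnRequest: optional.hosts.some(coversAllSites),
  };
}

// Constructed sample: everything demanded up front.
const BROAD = {
  name: "sample-broad",
  permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

// Constructed sample: one site required, the rest requested at runtime.
const MODULAR = {
  name: "sample-modular",
  permissions: ["storage", "https://example.com/*"],
  optional_permissions: ["tabs", "<all_urls>"],
};

for (const m of [BROAD, MODULAR]) {
  console.log(m.name, JSON.stringify(auditManifest(m), null, 2));
}
```

An add-on shaped like the second sample can be installed with access to a single site, with wider access granted only when the user agrees to it later.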

zamar27
 
Posts: 39
Joined: November 19th, 2015, 11:06 am

Post Posted December 3rd, 2017, 3:04 pm

Gingerbread Man wrote: I don't see how that's any more convenient than a taskbar, desktop or Start Menu shortcut.

Is there a similar way to block a webextension on a particular Tab or Domain rather than disable it entirely in FF Options?

Gingerbread Man wrote: Malicious individuals purchasing once-legitimate software and add-ons to sneak malware into them isn't unheard of. If this were to happen to a popular add-on with hundreds of thousands of users, would Mozilla's automated system catch it? Could it tell the difference between data transmission for the sake of add-on functionality and the same for the purpose of spying? If not, would Mozilla reviewers notice before too much damage had been done? I'm not so sure.


Agreed absolutely. There are hardly any effective ways in automatic webext compliance review to distinguish legit and malicious purpose of data transmission, and such webext updates are now immediately posted in web stores to the public. That's why more and more users now demand from the FF team to provide ways to temp block addons on select sites by FF's own means, without fruitlessly arguing with each dev on public forums. The rationale here is simple: addons are installed ONLY to enhance browser capabilities for a user, and therefore should be easily blockable when the user doesn't need their work (read: privacy interference) on certain sites. By addon purpose definition, it should be explicitly the user's choice whether to allow it to work on any given site or not. The FF team's duty should be to provide such granular control to the users to address their privacy concerns.

Brummelchen
 
Posts: 3576
Joined: March 19th, 2005, 10:51 am

Post Posted December 3rd, 2017, 3:41 pm

How do you know that? Any proof that no-one cared?

no need for proof - there were no permissions available for legacy extension, simple as that.
but some people can use a logger to offer evidence when reporting abuse. that's a bit different from your statement and offending without evidence.

if you are not satisfied with mozilla's view this forum is the wrong audience and i am not sure if you will find many followers this way round.
https://support.mozilla.org/en-US/questions/new
https://www.mozilla.org/en-US/about/forums/
http://bugzilla.mozilla.org/

therube

Posts: 18908
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted December 4th, 2017, 10:07 pm

Brummelchen wrote: to be honest - no one (!!!!!) cared with legacy extension - all-in as much they can.

Probably more like, no one considered the issue.
Had they known, had they realized that [legacy] extensions could do just about anything, & the implications of that, they likely would have cared.

upcoming webextension with permission all people crying out loud - wtf (!!!) permissions??? huh bad

It's not wtf.
It's that you're now being "notified".
So you're becoming aware of.... something. But what that something means, what it entails, how it might affect you, well that little part is simply left out.
So in that respect, it is, wtf.
WTF is this extension telling me? WTF does that mean? WTF, how is that affecting me, my privacy ...

Much like http: websites.
No one cared that a website (say, this site) is http:.
But now that FF warns you when you log in, it becomes, wtf.


There is nothing stopping anyone from making a "malicious" extension, & having it accepted (by Mozilla), so long as they follow the rules.
So you could write an extension, say one that logs all the websites you've visited & uploads the data to Google.
Call it, "google-uploader".
So long as you say, "hey, my extension tracks all the websites you've visited & uploads that data to Google", & provide some meaningless "disclaimer" on install (as in like, Access your data for all websites), you're good to go.

Brummelchen
 
Posts: 3576
Joined: March 19th, 2005, 10:51 am

Post Posted December 5th, 2017, 7:37 am

better words :)

i don't have the notification disabled, it's only MZ forum to notify me.

>> WTF is this extension telling me?

idd most of the latest public submissions don't contain any description nor a picture - WTF ^^
what i don't understand because the addon is reviewed - more or less and description text is mandatory.

i can not speak for others but i am able to preflight the code inside if tracking or stats are used. but i also read comments.
Oleksandr is one of only few developers explaining the permissions for his extensions.

>> say one that logs all the websites you've visited & uploads the data to Google.

some (rare) extensions use google-analytics, but this "feature" - i call it feature - is no general tracking - some extensions send non personal data about using extension functions, also for installing or updating, or uninstalling. in regular ways only mozilla (AMO) is informed about, not sure.

zamar27
 
Posts: 39
Joined: November 19th, 2015, 11:06 am

Post Posted December 5th, 2017, 12:05 pm

therube wrote: There is nothing stopping anyone from making a "malicious" extension, & having it accepted (by Mozilla), so long as they follow the rules.


In fact, most newly submitted webexts undergo merely automatic review of basic code compliance, and no-one analyzes what they actually do. Interesting cost cutting measure at the very peak of extensions update. :wink:
