aren't Ethernet frames CRC'd? Are there other checksums down the call stack, or up the stack at the other end, that would reject such bit flips in the raw data?
Yes, Ethernet frames are CRC'd but some (most?) memory isn't. The web address is bit-flipped in memory, and then the network stack generates a valid Ethernet frame using the already corrupted address.
A few of these have the "Access your data for all websites" permission and honestly, I can't shake the feeling that I'm giving away all data on all websites at all times if I install any of these
As an extension developer, I hate to say it, but you're absolutely right to feel that way. I've had people offer to pay me to put tracking or buy an extension outright, and my extensions aren't even that popular; I can only imagine what emails developers of extensions with 100k+ users get.
If anyone from Firefox is reading these, I'd love a way to link an extension to a Github repository with a particular hash, and have users be able to verify that the code in the extension actually matches what's in the repo. Currently, even if an extension "lives" on GitHub, there's no way to know that what's in the extension library matches what's on Github.
To their credit, Mozilla does have an approval process, but it's pretty opaque what actually happens during that process. They also have a "Recommended Extensions" program which does more thorough vetting, apparently. Chrome is more of a free-for-all.
Chrome is very strict, as of the last several months, about what they allow. There's even a sticky in the support group for people whose extensions have been stuck in review for more than 3 weeks:
This is the flip side to Google and Firefox both making their extension much more locked down by removing some APIs entirely and requiring signing and approval. There are reasons to be upset that such practices hurt useful existing extensions that people like, but there's also reason to be relieved they are doing so.
The old extension system while more powerful, was pretty flaky anyway. Every browser update had a good chance of breaking extensions. At least now there is a clear api that can be kept stable over updates.
Firefox addons are reviewed, though as others note the process is a bit opaque. Interestingly, sometimes a release is approved, but then later someone comes back with issues. This is somewhat concerning as both a user and a dev. For users, it means there may be rogue extensions out there that haven't been closely reviewed yet. And for devs, it's frustrating to have a release approved and then months later to get audited.
Chrome is getting more granular in their approval process, but it seems that they're still a bit behind.
There's a dead comment that seems pretty revealing in terms of the review process:
SmallPeePeeMan 13 hours ago [dead] [–]
I’m an extension reviewer at adding.mozilla.org. Extensions that request certain permissions are manually reviewed. Others are automatically approved. Recommend extensions are ALWAYS manually reviewed for each update.
I'm curious what the _manual review_ process looks like. There are so many questions that come to mind: Is it a single person or multiple individuals reviewing the extension? Does it require the reviewer to be familiar with the code base of the extension? Wouldn't that be a significant burden, or are these reviews cursory? Do the reviews take 10 minutes? 30 minutes? days? Is the review documented? Can the review be public? Do they review the source code on github/gitlab/etc or are they reviewing the submitted file(s)?
I’m an extension reviewer at adding.mozilla.org. Extensions that request certain permissions are manually reviewed. Others are automatically approved. Recommend extensions are ALWAYS manually reviewed for each update.
I'm reminded of the ArchLinux AUR, which deals with a problem kind of like this. AUR managers show a diff of what changed in a package on each update.
Perhaps one could make extension auditing easier by scripting together a Git repository from extracted xpis, and presenting updates as patches to that repository. This is probably only viable for high-security environments - it's not with it in the common case.
Of course, the real fix would come from Firefox itself: it should provide signed extensions and a way to tie them back to Git repositories with source code, which would eliminate the need for the above automation, and allow people to crowdsource extension auditing.
That's really interesting to hear, I had always wondered how bad things can really be. I guess the answer is "as bad as money can buy" which I should have expected. Thanks.
Linking to a particular hash is a great idea. I encourage you to open a feature request as this could go a ways towards making users with extensions that require that kind of permission feel more secure
I would like to see a tab in about:addons that shows how much data each addon has received and transmitted and to what names/ip's/ports. Could Firefox be modified to do something like this? Perhaps an extension of about:networking?
This is a problem with how poorly extension permissions are handled by the browsers. There needs to be a way to gracefully ask a user for permanent (and configurable) extended permissions without it being an earth shattering event.
My experience: I have a moderately popular extension that initially only supported a couple sites so I set the permissions accordingly. I would extend permissions every time I added support for another site. However, with each permission increase my extension gets completely disabled for every user with a very scary warning that suggests something nefarious is happening. With each permission update I would lose HALF of my users. My alternatives are activeTab (awful user experience) or just being greedy with my permissions. I went with the latter.
Could you not use permissions.request() [0] to ask for access to a given site on-the-fly, when the user actually visits it? That seems to be how, for example, Reddit Enhancement Suite goes about getting perms for all the various sites it supports embedding content from (imgur, twitter etc) - you get a prompt when you click to open an embed for a site you haven't granted the permission for already.
Any extension that asks for that sadly a complete no for me. That is way too broad a permission for something as sensitive as the contents of every site I browse. I’ve found recently it means pretty much all extensions are unusable for me.
I just installed tree style tabs at the recommendation of this article and it was refreshing the way they handled permissions: a first-use popup that explains some additional features and what permissions they will request if you want to use them.
The problem is that scary as that is, as I understand, in order to interact with browser content itself, that permission is necessary. So it isn't possible to implement, say the Language Tool extension, or something that changes the appearance of webpages without that permission. I haven't looked at all these extensions to see if the permissions they ask are reasonable for what they do.
Perhaps it would be possible to create more granular controls, although I don't think it would be a simple task.
The current situation, is unfortunately bad for both users who must grant scary permissions to use useful extensions, and for extension authors who must ask for permissions that are more broad than what they really need, because it is the only option.
On Chrome, any extension that asks for permission to view/edit all your pages can be limited to a specific set of domains. I don't think Firefox has this feature, but would love to hear if it does.
