Naked Security

Firefox add-ons with obfuscated code will be banned by Mozilla

The updated Add-on Policy aims to rid Firefox of third-party malicious code that hides what it's really up to.

In order to protect Firefox users from malicious add-ons, Mozilla has banned extensions that contain obfuscated code.

Caitlin Neiman, Add-ons Community Manager at Mozilla, said in a blog post on Thursday that the new policy will go into effect on 10 June.

Here’s the gist of that new policy:

We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

And here’s a link to the add-on policy in full.

Blocking (also called “blocklisting”) an add-on that contains obfuscated code means disabling it in the browser even after the user has installed it, Neiman explained.

Extensions that violate Mozilla’s policies will face the wrath of a newly proactive Mozilla, Neiman said:

We will be casting a wider net, and will err on the side of user security when determining whether or not to block.

Neiman said that Mozilla will also keep blocking extensions that intentionally violate its policies, that have critical security vulnerabilities, that compromise user privacy, or that skirt user consent or control. Other “surprises” Mozilla doesn’t want to see (absent a clearly worded opt-in that states which add-on is asking for what) include extensions that change default settings such as the new tab page, homepage or search engine; extensions that make unexpected changes to the browser or web content; and extensions with features or functionality unrelated to the add-on’s core function(s).

Let’s keep that browser predictable

After all, surprises are fun when they pop out of birthday cakes, but not coming from an extension, Mozilla says:

Surprises … are not welcome when user security, privacy and control are at stake. It is extremely important to be as transparent as possible when submitting an add-on. Users should be able to easily discern what the functionality of your add-on is and not be presented with unexpected user experiences after installing it.

Mozilla’s got some history behind this new no-obfuscation policy.

In August 2018, it axed 23 add-ons, following a report that a security add-on was up to funny business. Mozilla had highlighted that add-on in a blog post promoting a collection of security-focused extensions to the browser. But when curious techies picked apart the program to find out exactly what it was doing, they discovered that it was assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address.

On further examination, Mozilla engineer Rob Wu found 22 other browser extensions in the Firefox portfolio that were also up to no good: one group was sending browsing information to a remote server that could potentially launch a remote code execution attack on the client, and a second group didn’t collect URL information but was still able to launch a remote code execution attack on the client.

That code was heavily obfuscated, Wu said at the time.

14 Comments

about:robots is a good surprise though, right?

At the risk of sounding like a killjoy (and despite vaguely enjoying it myself)…

…I don’t much approve of “easter eggs” in software that’s meant to be secure. Also, mixing up Asimov with Adams is kind of insulting to both – one a science populariser who wrote consistently good fiction and the other a very witty man who overmilked the goose that mixed the golden metaphor… ah, you know what I mean. HHGttG is all very well but the follow-up books sank into increasingly embarrassing mediocrity.

(I didn’t dig too deep in there, but The Day The Earth Stood Still gets a look in too… check the <title>.)

@paulducklin Yes – I’m afraid this comment reads like your (normally good) sense of humour has been obfuscated. I agree with Mozilla’s intentions though.

I use private plugins that are no business of theirs. I am not a 12 year old girl and can decide what I want to use. When did the children running Mozilla become my babysitter? Because most of the world is incompetent, this is what I get?

Addon signing has been in Firefox for ages and “compulsory” by default for quite some time.

Mozilla has been perfectly open about this…

…and if you have been running “private plugins”, as you say, you must have been perfectly aware of it in order to configure Firefox to allow your private plugins to run. And if that were true, this SNAFU surely wouldn’t have affected you anyway?

Having all your add-ons implode because of an expired cert was an unpleasant surprise.

It’s to block gab, to prevent free speech on the internet. SJWs inside!

Obfuscated code is a real problem though. It can make verifying a program’s behavior significantly more difficult since a source code scan won’t reveal the code’s purpose.
Also, given other recent changes to Firefox (blocking autoplay and the added tracking protection), I doubt that GAB is the focus of the policies. More likely, they are trying to ensure people’s data stays where it’s expected.

It’s a good idea, but who’s going to verify that the non-obfuscated code matches the “minified, concatenated, or otherwise machine-generated” code?

You could do that by requiring specific minifiers to be used so the process can be repeated and verified, or by further, more time consuming checks…

…not sure how precise the matching of source to modded version will be, though.

I would imagine that you could also do something similar to compilation to the two codes and see if the outputs match.

But you would need to know which minifier had been used – and how – so you’d need to limit which ones were allowed (or to require the minifier to be part of the source code).
