Mozilla will now ban add-ons with hidden or obfuscated code

Firefox and privacy

Mozilla has announced a tightening of the rules of its Firefox add-on catalog (Mozilla AMO) to counter the placement of malicious add-ons.

As of June 10, 2019, add-ons that use obfuscation methods, such as packing code into Base64 blocks or similar techniques, will no longer be accepted in the catalog.

Minification techniques (shortening variable and function names, concatenating JavaScript files, removing extra whitespace, comments, newlines and separators) remain permitted, provided that the complete source code is attached to the add-on alongside the minified version.
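As an added illustration (not Mozilla's or AMO's code) of the distinction drawn above between minification and Base64-packed code, the following Node.js heuristic scans add-on source for quoted Base64 literals that decode to JavaScript, while leaving minified code and binary assets alone; the thresholds, token lists and sample inputs are assumptions constructed for the example.

```javascript
// Added example, not Mozilla's or AMO's code: a reviewer-side heuristic that
// separates minified JavaScript (allowed when sources are attached) from code
// hidden in Base64 blocks (disallowed). Thresholds and samples are constructed.

// A quoted literal made only of Base64 characters, long enough to hide code.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{40,}={0,2})\1/g;
// Tokens that mark decoded text as JavaScript rather than an image or font.
const JS_MARKERS = /\b(function|return|var|let|const|window|document|fetch|browser|chrome)\b/g;
// Decode-and-execute sinks that usually accompany packed code.
const DECODE_SINKS = /\b(eval|Function|atob)\s*\(/;

// True when the decoded bytes are printable text with at least two JS tokens.
function looksLikeJs(text) {
  const printable = text.replace(/[^\x20-\x7e\n\r\t]/g, '').length;
  if (text.length === 0 || printable / text.length < 0.95) return false;
  const distinct = new Set(text.match(JS_MARKERS) || []);
  return distinct.size >= 2;
}

// Scans one source file and reports Base64 literals that decode to JavaScript.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[2], 'base64').toString('latin1');
    if (looksLikeJs(decoded)) {
      findings.push({ offset: m.index, encodedLength: m[2].length, preview: decoded.slice(0, 40) });
    }
  }
  return { packedCode: findings.length > 0, usesDecodeSink: DECODE_SINKS.test(src), findings };
}

// Constructed samples. Minification alone is fine under the rules described above.
const MINIFIED_SAMPLE =
  'function a(b){return b*2}var c=document.querySelector("#x");c.textContent=a(21);';
// The same kind of logic hidden in a Base64 block and run through eval(atob()).
const HIDDEN_LOGIC =
  'function run(){const v=document.title;return v.length}window.addEventListener("load",run);';
const PACKED_SAMPLE = 'eval(atob("' + Buffer.from(HIDDEN_LOGIC).toString('base64') + '"));';
// A Base64 binary blob (stand-in for an icon) must not be mistaken for packed code.
const ICON_SAMPLE = 'const icon = "' + Buffer.alloc(64, 0x89).toString('base64') + '";';

for (const [name, src] of [['minified', MINIFIED_SAMPLE], ['packed', PACKED_SAMPLE], ['icon', ICON_SAMPLE]]) {
  const r = scanSource(src);
  console.log(name, r.packedCode ? 'PACKED CODE' : 'ok', r.usesDecodeSink ? '(decode sink present)' : '');
}
```

A reviewer would treat a hit as a prompt to ask for the readable sources the policy requires, not as proof of malice, since the heuristic only recognises Base64 text that decodes to JavaScript.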

Mozilla recommends that developers who use obfuscation or minification techniques release a new version before June 10 that complies with the updated AMO rules and includes the complete source code of all components.

After June 10, add-ons that violate the rules will be blocked in the catalog, and instances already installed will be disabled on users' systems through the distributed blocklist.

In addition, Mozilla will continue its practice of blocking add-ons already installed on users' systems that contain critical vulnerabilities, violate privacy, or take actions without user consent or control.

Mozilla will take action against those who do not follow the rules

In general, developers are free to maintain their add-ons in the form they choose.

However, to maintain adequate data security and to be able to review the code effectively, Mozilla imposes certain technical requirements that all add-ons must meet.

  • Add-ons should request only the permissions necessary for their function.
  • Add-ons must be self-contained and must not load remote code for execution.
  • Add-ons must use encrypted channels to send sensitive user data.
  • Add-ons should avoid including duplicate or unnecessary files.
  • Add-on code should be written in a way that is reviewable and understandable. Reviewers may ask you to refactor parts of the code if it is not reviewable.
  • Add-ons should not adversely affect the performance or stability of Firefox.
  • Only release versions of third-party libraries and/or frameworks may be bundled with an add-on. Modifications to these libraries/frameworks are not allowed.

Depending on the nature of the policy violation, Mozilla will use different types of blocks.

With a hard block, the add-on is disabled in Firefox and users cannot bypass the block. This action is reserved for add-ons with the following characteristics:

  • They appear to be intentionally violating the policies.
  • They contain critical security vulnerabilities.
  • They compromise the privacy of users.
  • They severely circumvent user consent or control.

A soft block disables an add-on by default, but allows the user to override it and continue using it. This block is used for add-ons with the following characteristics:

  • They cause serious stability and performance problems in Firefox.
  • They contain non-critical policy violations.

Add-ons that appear to be clones, repeats, or close copies of already blocked add-ons will also be removed.

If a problem affects only a subset of versions, the block can be applied specifically to the affected versions. Add-ons that contain hidden or unreadable code will also be blocked.

“When we decide to block an add-on, we can contact the developer if we think the problem can be solved.

As user safety may be at stake, we ask developers to respond within three days. If a response is not received within this timeframe or if the developer cannot resolve the issue, we can proceed with the block.

More generally, we will not contact developers before blocking if the add-on turns out to be intentionally violating our policies or if the violation is serious enough.”

Mozilla said that the strategy was designed to help it better handle malicious extensions:

“When we decide to block an add-on in Firefox, we ask whether the risk is such that it outweighs the user's choice to install the software, the utility it provides, and the developer's freedom to distribute and control their software. If we find ourselves in a situation where we cannot make a clear decision, we will lean towards security to protect the user.”

Source: https://developer.mozilla.org



  1. Rafa said

    The initiative of the Firefox team seems great to me, since extensions with obfuscated code can contain malicious code and be spyware, and at the browser level on Linux this is pretty screwed up, since we are NOT used to dealing with antivirus or other niceties of that kind, and using Linux does not mean we are no longer victims of malicious applications or extensions that can even take over critical data such as passwords or credit card numbers. It is also sad that a good job by the Firefox team can be marred by extensions of dubious code. In the past, I already had some problems when I observed automatic activity sending data from my browsing history without my consent, and also redirects to pages that I had not requested, or sponsored links in Google searches that had nothing to do with what I was looking for.

  2. Juan said

    I am not on Linux, but my first impression is that the "adjustments" make it difficult for the user to use options that give the user security or knowledge while browsing. It is difficult even to set Startpage as an alternative search engine. Isn't FF falling into the hands of Google?

  3. David said

    Well, from my ignorance of programming I am with Juan; ad blockers, in addition to invasive ads, also block hidden links, infinite pop-up spam advertising, ... Any improvement in terms of security is beneficial, but why not a warning about the specific extension and let you decide whether to block it or not? My antivirus extension has been blocked (which I wouldn't have paid for if I didn't trust it), and now I'm forced to browse without it, even on Windows. It strikes me as a bit of a paternalistic attitude for a browser that claims to be independent and so on. Or maybe there are other interests as hidden as the code they claim to be avoiding.