Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Mozilla The Internet IT Technology

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code (betanews.com) 148

DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies."We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.
This discussion has been archived. No new comments can be posted.

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code

Comments Filter:
  • by Anonymous Coward

    is totally ok right?

    • by jellomizer ( 103300 ) on Thursday May 02, 2019 @12:26PM (#58528014)

      Add-ons can bypass the built in security and protection systems built into Firefox. Javascript is running against Firefoxes security systems.
      So Javascript normally cannot get all the files in your documents folder and upload them in the background to the website owner. While with an Add-on you can.

      Minimized Javascript is mostly done to reduce the download size of the file.

      • by AmiMoJo ( 196126 )

        Not sure that's true for add-ons any more. Firefox adopted the Chrome model for add-ons, which doesn't allow them to randomly access files on your computer. They can store data on your machine but only in their own, controlled directories. Saving can only be done via the standard Chrome file download dialogue. Uploads only via the standard browse button or drag and drop.

        It's true that add-ons can have more power than Javascript loaded from websites, which is why they have a permission system, but I don't th

      • by higuita ( 129722 )

        old add-on could change everything in firefox, but new add-on API is limited, you can only access what you announce and those APIs are limited, so unless there is a bug, you can't really get outside the add-on jail.

        What they can do is request full webpage access to add some pretty icon in all pages, but hidden in the obfuscated code they are also parsing and stealing your authentication data. They want to block code that is hard to read so reviewers can quickly confirm if the add-on only do what it say and

  • by FudRucker ( 866063 ) on Thursday May 02, 2019 @12:07PM (#58527908)
    all GNU/GPL/FOSS software projects should be banning closed and obfuscated code all along since the GPL was first written by our lord and savior Richard Stallman
    • So is your stance on the GPL political or Religious?

      • Is your stance that it should be limited to only one?
      • by higuita ( 129722 )

        It's "real world" stance!
        you can call it whatever you want, but the true is that he is right.... he is crazy and difficult (and this just to be nice!) , but we got what we have today thanks to him (and of course, many others, better yet, all of us, everyone contributes a little)

        BSD/MIT is perfect in a perfect world, but the world is not perfect
        Closed source is full of broken things, unsupported software, backdoors, stolen code and hidden "features"
        GPL is the necessary push to BSD/MIT to be applied in the re

  • by jellomizer ( 103300 ) on Thursday May 02, 2019 @12:12PM (#58527938)

    Source Code can be Obfuscated. Heck you can open a Hex editor and read the binary machine code of a program, and track it out to see what it is doing. Granted that you are gave the specifications.
    I remember a while back I was trying to debug an output file from a program. I have the source code but the output wasn't readable (without a bunch of recoding) because the system handled integers in Big Endian while my PC used Little Endian so I needed to do bit level transposition. Also a lot of programmers will assume the language defaults will be consistent. Will int x; be 0 or some random number based on the states the RAM had during allocation. All these issues happen even without trying to obfuscate code. However an open specifications would save hours or more of research and retries.

    • Source Code can be Obfuscated.

      Both GPLv2 and GPLv3 define a work's source code as "the preferred form of a work for making modifications to it". I don't understand how something can simultaneously be "the preferred form of a work for making modifications to it" and obfuscated.

      Heck you can open a Hex editor and read the binary machine code of a program, and track it out to see what it is doing.

      With very few exceptions, such as developing on and for an 8-bit computer using a "mini-assembler" or bootstrapping a system from a hex monitor [gnu.org], object code is not "the preferred form of a work for making modifications to it".

      • by edwdig ( 47888 )

        Both GPLv2 and GPLv3 define a work's source code as "the preferred form of a work for making modifications to it". I don't understand how something can simultaneously be "the preferred form of a work for making modifications to it" and obfuscated.

        Unless you're dealing with a legal issue regarding the GPL, it doesn't matter how the GPL defines source code.

        In this context, source code means "whatever Firefox's JavaScript engine recognizes as valid code". The Firefox team decided that standard wasn't good enou

  • Why don't the have a test container to simulate user actions and track bad actions? I guessing this would be much better way to find bad actors.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      You're years behind the state of the art.

      They may actually do that, but it's not good enough in today's world. Malware tries to detect that it's under test, and acts innocent. There's an arms race over making it hard to detect that you're under test, but the natural advantage there falls to the malware; it's almost impossible to totally simulate the real environment.

      I'm not saying manual review works well either, but I think it's healthy to assume that any code that actively tries to avoid being reviewed is

  • Obfuscate in a way such that resulting code appears to not be obfuscated.
    • I guess maybe that would be called "code stenography"? You'd need lots of mundane-looking code interspersed with a few lines here and there that subtly did the "real" work. Tough to pull off, but certainly not impossible.

    • by functor0 ( 89014 )

      Obfuscate in a way such that resulting code appears to not be obfuscated.

      Hardly new: http://www.underhanded-c.org/ [underhanded-c.org]

    • I can't believe no one has mentioned this yet.

      "The Underhanded C Contest [underhanded-c.org] is an annual contest to write innocent-looking C code implementing malicious behavior. ... The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil. Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious be

    • by balbeir ( 557475 )
      Not easy.

      But I know a couple of people that can do the reverse: writing non-obfuscated code that appears obfuscated to everyone else.

  • by xack ( 5304745 ) on Thursday May 02, 2019 @12:46PM (#58528134)
    Mo$illa is a puppet of Alphabet Inc. Google doesn't want a browser to exist that is infinitely customizable due to their ad networks and data analytics. They let Firefox exist as token competition to trick anti trust regulators but do not allow real competition that challenges the chromopoly. There was a discussion on hacker news recently about how they have the ability to damage internet explorer [ycombinator.com] by saying "it's obsolete" and that you should upgrade to "modern chrome". This new "extension regulation" is just more of the same. They have paid off Waterfox and Pale Moon too. We need a truly independent browser foundation that lets you extend anything without restriction.
  • Are there enough people in Mozilla to review every extension, including every new version? Also is there any strict definition of obfuscated code?
    • they've had a required review and signing process for years already, they're just tightening down the screws on the bad guys. If someone submits a piece of malware or spyware they can be banned, so it's not like each version has to be checked after that.

      • they've had a required review and signing process for years already

        But are they prepared for the influx of extension clones with small harmful additions?

        ...now it will be easy for any random script kiddie to "secretly fork" - search-and-replace out the origins of popular addons, cut-and-paste some harm in, call it the krad ad blocker man.

        The obfuscations arent only harmful. In some ways they have been helpful too.

    • Common types of javascript obfuscation are easy to detect programmatically. And the fact that a determined bad actor may be able to devise a unique obfuscation to slip through (such as code that appears readable at first glance but doesn't do what it appears to do) doesn't mean there's no point in limiting obfuscation.

    • by higuita ( 129722 )

      without code obfuscation, its easier for tools to parse and check automatically code. With it, they may bypass the filters and still have bad code, requiring manual and slow code review. So this not only allow easier review by humans, but also make it easier for tools to detect bad "features" hidden in the code

  • by Anonymous Coward

    The newspeak is strong with this one.

  • Itâ(TM)s not obfuscated, thatâ(TM)s just the way I write code!

    • I write in perl, you insensitive clod!

    • It doesn't really matter whether an add-on was intentionally or unintentionally obfuscated: the fact that it's not easy to review is a good enough reason to reject it.

      • the fact that it's not easy to review is a good enough reason to reject it.

        Whose definition of "easy"? While you may think that Mozilla will set some reasonable standard, it is the reviewers that measure their efforts and they of course want jobs that require little effort.

        • The path of least resistance for a lazy reviewer is approving the add-on; rejecting it will likely require discussion with the submitter.

  • What about code that only *looks* obfuscated because it's actually just really poorly written, can you ban that too? :-)

  • by aglider ( 2435074 ) on Friday May 03, 2019 @04:02AM (#58532260) Homepage

    Obfuscation is not a true or false thing.
    It's more like fifty shades of brown.

  • My views on Mozilla are dark apparently. When I read the headline, the meaning I got from it that Mozilla was going to obfuscate their code to make it more difficult for add-ons to work.

    The only addon I use is noscript, and Mozilla worked REALLY hard to prevent it from being effective and they are working VERY hard to make sure nobody uses it. The only way to find noscript is to type its name in. You can not browse and easily find noscript without manually searching for it. When searching for script blocker

  • " and will also act on extensions compromising user privacy or circumventing user consent or control"

    And one day later fuck up the entire add-on system with a broken certificate, compromising every users privacy and circumventing user consent or control

"Help Mr. Wizard!" -- Tennessee Tuxedo

Working...