Permissions management for extensions

[Andrew Herbert]

We already have permissions management for websites, why not have it for extensions too?

[New Tobin Paradigm]

Because no, that's why. Also, you posted in the wrong category. This should be under UXP development cause such non-sense would affect us all.

[Moonchild]

Topic moved.

[moonbat]

If you're going by WebExtensions having a permissions model, note that it has done zilch to stop the spread of counterfeit extensions that steal your data. If user permissions worked as intended, Android should be free of malware. Now Webextensions have resulted in the same problem on AMO as with Google's Play Store - tons of shitty extensions that are copied from popular ones, or that demand different permissions and spy on your usage.
The same goes for forced extension signing - it caused a huge problem last year when the signing certificate expired, and has done nothing to fix security. Nothing beats human review of submitted extensions for problems, and earlier Mozilla used to do that when they supported XUL.

[Andrew Herbert]

If you're going by WebExtensions having a permissions model, note that it has done zilch to stop the spread of counterfeit extensions that steal your data. If user permissions worked as intended, Android should be free of malware. Now Webextensions have resulted in the same problem on AMO as with Google's Play Store - tons of shitty extensions that are copied from popular ones, or that demand different permissions and spy on your usage.
The same goes for forced extension signing - it caused a huge problem last year when the signing certificate expired, and has done nothing to fix security. Nothing beats human review of submitted extensions for problems, and earlier Mozilla used to do that when they supported XUL.

But it doesn't mean that permissions model is useless, and it can also help with privacy concerns.

Moreover, extension signing isn't comparable, since it takes away choice from the users due to its centralized nature.

[Lootyhoof]

You can't have both full XUL extensions AND a fleshed out permissions model. The extensions can hook anywhere into the platform, that's the entire point of them.

[Moonchild]

One other thing:
The WebExtensions permissions model is just offloading the task of vetting to the end user. And (legally speaking) nobody but the end user can be blamed if it's malware.

XUL extensions are as powerful as they are EXACTLY BECAUSE they are as native in their code permissions as the browser code itself is.

[moonbat]

And for all the bullshit about XUL being insecure compared to WebExtension, the opposite has been shown to be true, there never was a rash of XUL extension malware as there is now - thanks to their making extensions compatible with Chrome so now there's cross browser malware easily ported from there. The permissions and forced extension signing did nothing to stop the spread of malware and copycat or counterfeit extensions on AMO - there is no substitute to having humans examine and vet submitted extensions.

[Moonchild]

The permissions and forced extension signing did nothing to stop the spread of malware and copycat or counterfeit extensions

Of course it didn't. Why would anyone think it did?

Extension signing by an automated process and enforcing it in the browser does one thing and one thing only: vendor lock-in to the distribution platform. It's exactly the same reason why we have never agreed to use F-Droid for the Pale Moon for Android version when that was a thing. It's marketed as a "security" feature based on the approach that people now can't be tricked into downloading and installing extensions from potentially malicious sources. But the problem is that the extensions are easily distributed through the locked-in platform too, AND it allows the distribution platform to restrict (read: censor) which extensions are "allowed" based on arbitrary reasons, as well as being incompatible with licensing that protects the rights of developers/authors.

The permissions system did nothing because if people are installing extensions that need specific permissions, they are of course going to grant them. Even in the case of an extension with initially harmless permissions: Provide a malware update requesting additional permissions and what will the average user do? Grant them of course, because they want the extension to work and continue working.
And that's just talking within the bounds of the permission system, not even touching on bypassing it completely.

[moonbat]

Of course it didn't. Why would anyone think it did?

I've seen this touted as a feature that makes it superior to Pale Moon
No reply when reminded of the number of malware WebExtensions that somehow never were a problem under 'dangerous' and 'insecure' XUL/XPCOM.

[Moonchild]

I've seen this touted as a feature that makes it superior to Pale Moon

See my previous replies.
I guess it falls in the same category of "not knowing what you're talking about" as the whole "Pale Moon is insecure because they removed the (sic: unused) sandbox code"

[moonbat]

I guess it falls in the same category of "not knowing what you're talking about" as the whole "Pale Moon is insecure because they removed the (sic: unused) sandbox code"

If I had a penny for every time that 'insecure' bit has been pushed around. No one for some reason can point to a security bug that was fixed in Firefox but remains a problem here.

[Moonchild]

No one for some reason can point to a security bug that was fixed in Firefox but remains a problem here.

Maybe that reason is that Pale Moon keeps up with all sec issues that are applicable? Just a suggestion.

[moonbat]

The usual response from them is again *crickets*. Won't stop the FUD from being spread though.

[Moonchild]

Off-topic:

The usual response from them is again *crickets*. Won't stop the FUD from being spread though.

Yeah unfortunately there are no consequences for these people spreading FUD. It's completely unfair. People can spread FUD, causing bad PR (severity of which depending on the popularity of the channel used, not the reputation or authenticity of the FUDer) for those they target, which has consequences, but at the same time they go completely free without repercussions. What's worse is that if you actually try to correct this situation with statements of truth (which takes considerable effort and distracts from things of importance) you are often painted in a negative light for doing so as well... Still trying to figure that one out.

I can truly, honestly say I'm sick and tired of that situation.

[Moonchild]

To give an example of WebExtension permissions causing security issues, see CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
So anyone trusting the WebExtension permissions system being a safe way to restrict what WEs can do is regularly letting a wolf in along with the sheep.

[moonbat]

I think the open web is lost

Google has destroyed the concept of software versioning, with everyone copying them, including Microsoft with Windows 10, and now the HTML standard itself - I don't see any way for it to get out of their clutches.

Edit - Was getting maudlin - just thinking of how with all this lipstick on pig that Mozilla's done, they're still seen as champions of privacy.