New Mozilla Security Blog

David Scott Lewis wrote on June 5, 2007 at 6:33 am:

My greatest concern about Firefox security is the potential for evil add-ons that seem to function properly, but are really malware in disguise.

I’d like to see Mozilla have some sort of policy about this, whereby add-ons have to be tested and certified. Perhaps there could be a volunteer group to do this, splitting new add-ons among various groups of volunteers. For example, those interested in photo editing add-ons could be in one group, those interested in RSS readers could be in another group, you get my point.

This is hardly a perfect solution, but one of my greatest concerns is that an add-on will cripple Firefox and (worse) someone’s PC. This seems like something that Mozilla must be able to handle. Saying that someone shouldn’t add third-party add-ons from unknown sites is ridiculous. If this advice were followed, only a handful of add-ons would see any significant adoption and the advantage of FF over IE would be severely curtailed.

Bottom line: Focus on the security of add-ons. Provide certification, ratings, whatever you can. And force the certifiers to sign what they say, to put they name by their rating. For legal purposes, of course, you need to have all the necessary disclaimers. But what I wouldn’t want to see is a new add-on review committee being controlled by the add-on author and his half-dozen closest friends.