Mike Henley wrote:
Hi. I'm using mozilla and mozilla firefox. I often install extensions
though only through the usual websites (mozilla.org, mozdev,
texturizer).

Today though I tried to install an extension from
http://jgillick.nettripper.com/ and as such found myself wondering if
extensions compromise the security of mozilla or firefox.

I use firefox to access sites such as paypal and my bank.
In this case, you may want to try also our TrustBar extension (http://TrustBar.mozdev.org) to provide you with a secure logo for these sites for easy and secure identification of spoofed sites...

As such I
would like to ask the following questions...

1 - can someone make an extension that would allow it (while
performing its advertised function) to send my username/password
either from those stored in mozilla/firefox or as I enter them?
Yes.
2 - can such an application make it to the trusted sites? (mozilla,
mozdev, texturizer)?
Yes, it can. Our TrustBar is in mozdev, and while it is of course not doing anything like that (on the contrary, it improves your security), there is nothing preventing us from uploading a malicious version.
or is there a review process before such
extension is allowed to be distributed?
Well, there was a short process to get us on mozdev; I'm not sure if they checked our personal credentials (don't think they did) and they definitely didn't go over the code.

thanks
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
