Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.

fud?

[TinBromide]

They mention the google plugin. Doesn't google offer almost all of its firefox offerings as IE search bars, desktop agents, and stuff like that. So why is the update structure for firefox different than, say, google search bar on IE?

Re:fud?

You're right, but while FF is made to be extended with plugins, IE users rarely install addons (the most with at least on addon on IE I have seen was Google toolbar). That's why FF is a dangerous target than IE.

The problem aabou the use of HTTP for updates is that mozilla.org takes weeks to update the release on their addon website (simpy plugin, for example, was affected by this: the 0.3 release took more than 2 weeks to appear on addons.mozilla.org). Otis, the simpy admin, told me about this while I wrote to him telling that 0.3 was released on the author's website and I suggested to update the simpy page about FF extension.

On the other side, few developers can afford a ssl certificate, so that's why most updates happens over http (and not on mozilla servers)

pieggi

Re:fud?

[mhall119]

Any developer can create their own SSL Certificates for free. It's getting a certificate that's been signed by a vendor already in Firefox's whitelist that they are paying for. I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

But using HTTPS wouldn't solve this problem either, because Verisign will sell a certificate to anyone with money. What should be happening is that developers sign their packages like they do for DEB and RPM package distros. That way you always know that you're getting your updates from the same person, no matter what your internet connection.

Re:fud?

[JesseMcDonald]

Alternately, the Mozilla team could create their own signing certificate and add it to Firefox's whitelist; add-on developers could then get Mozilla-signed certificates for themselves. That would at least narrow the list a bit -- as you say, anyone can get a Verisign certificate, in part because there are just so many possible uses for one, but there should be few enough official Mozilla-signed add-on certificates to allow for some proper screening.

The certificates could also be used for authentication of the updates themselves, as you suggested.

Re:fud?

[Myen]

Unfortunately, doing that would sort of imply Mozilla would need to vouch for the extension developers (hey, they're letting them use a cert; that's what it's for, right?). As it is they barely have enough people to just try installing extensions before approving for the main site...

If it's just extension updates anyway, and extensions already act as a part of Firefox (i.e. they're not sandboxed... which they can't be in the current architecture)... They might as well just require SSL for updates, and people who don't use the Mozilla update service can just ship their own (self-signed) cert with the extension. Of course, some authors will still work around that by doing their own thing anyway. (There were, at one point, very, very insecure extensions that... load the whole toolbar at runtime using eval() by pulling data from unsecured sites.)

Re:fud?

No Sir! Firefox is terribly bad! And it has spyware and malware, and the first one to say it's safe, throw a chair!

I.E.

Re:fud?

[DaveWick79]

The different is, everyone knows IE is insecure because of this. But everyone expects Firefox to be this totally secure, unhackable browser when it really isn't. The point is that the same things can be done on both browsers.

Another point is how this affects the Google Gears project that was in a previous post. Now you have cross platform hackability for an application that could potentially host your critical apps.

Re:fud?

[JesseMcDonald]

Unfortunately, doing that would sort of imply Mozilla would need to vouch for the extension developers (hey, they're letting them use a cert; that's what it's for, right?). As it is they barely have enough people to just try installing extensions before approving for the main site...

I don't really see how this would be any more time- or reputation-intensive than granting accounts on the official Mozilla add-on site; it would simply be another step in the account-creation process. It might even help with the updates, since they could automatically pre-screen updates to reject any add-on that isn't signed by the owner of the account to which it's being uploaded. (They'd still need to perform their live tests, of course -- aside from any security issues, the extension could interfere with built-in functionality or other common extensions.)

Re:fud?

[jedidiah]

It's pretty easy to completely disable extensions. It won't "spoil your browser experience" either.

That would be the big difference here between firefox and explorer.

The real problem is when website authors make network dependencies with this kind of crap and scorn open standards. While many firefox extensions are nifty they are entirely optional. This is in stark contrast to the current trend in requiring flash or other plugins for every stupid little thing.

Quicktime buttons are another fun one.

Re:fud?

[itlurksbeneath]

I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

You need to read up on what the ssl certs are for. They are not for trust, they are for verification. Any dork can create an ssl cert and say he's John "Maddog" Hall, but to get a VERIFIED certificate from a issuing agency saying you're indeed John "Maddog" Hall requires a LOT of verification of identity.

If you choose to trust an un-verified cert, then you are right back in the same boat as TFA is talking about.

Re:fud?

[plover]

I like this idea a lot, but who will "pay" for the service? Running a CA does cost money -- you've got to pay someone to answer the certificate requests, for example. And unless that CA is doing some kind of research on the submitters of the add-ons, the quality assurance is no different than what we get from Verisign's level 3.

A certificate won't guarantee quality, it's just supposed to guarantee that we can hunt down the person to whom it was issued. Verisign doesn't offer that unless you get to their level 2 (or level 4, or whatever their certification levels mean.) The only thing Verisign's credit-card verification offers is the assurance that whoever created object FOO has the same signature as whoever created object BAR (and that once upon a time they had a working credit card number with $14.95 to spare.) For extension updates (and to defeat this problem) that just might be good enough.

Re:fud?

[mhall119]

Then you need to read up on what VeriSign actually does. Someone with a VeriSign ssl cert hasn't verified who they are, they've only verified that they have (or more likely 'had') a credit card number and a small amount of money. I haven't tried it, but you can probably get one with a pre-paid Visa gift card.

I would rather trust a cert verified by me, than one verified by VeriSign.

Don't trust public nets.

[Rob+T+Firefly]

[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.

This is why you shouldn't be performing anything as heavy as software updates over networks you don't totally trust, least of all the lash-ups in your average coffeehouse.

Re:Don't trust public nets.

This is why one of the problem is automatical updates, multiple untrusted sources of updates and update systems that allow those by default.

Re:Don't trust public nets.

[morgan_greywolf]

This is why one of the problem is automatical updates, multiple untrusted sources of updates and update systems that allow those by default.

You mean like the Google Toolbar for IE and about a bazillion other ActiveX applets?

This problem is not Firefox-specific.

However, it's important to note that Firefox does not allow updates from untrusted sources by default. It comes configured with updates allowed only from addons.mozilla.org and updates.mozilla.org.

Furthermore, for those of you with notebooks/WiFi -- for God's sake, turn off Automatically check for Updates to: Firefox, Installed Add-Ons and Search Engines from the 'Updates' tab in the 'Advanced' options, especially if you're going to be spending time in a coffee bar. And before you say: "Well, that's in the Advanced section and we shouldn't expect normal people to have to edit those options" I say horsepuckey. If you're bright enough to be using Firefox instead of IE, you should be bright enough to know how to configure it in a secure manner.

Re:Don't trust public nets.

If you're bright enough to be using Firefox instead of IE, you should be bright enough to know how to configure it in a secure manner.

Granted. That said, checking for updates automatically is an industry-wide problem. In the Windows verse, it may take some moderate skills to disable these checks (msconfig, registry hacks, etc.). Often, the update must be disabled at multiple locations. I think this is more of a software problem than a user problem. When a program asks, "Hey there is a newer version available - do you want it installed?", I know that my privacy has been violated as that software was never explicitly authorized to make that check. It is also conditioning users to accept spooky behavior from strange pop-ups.

Re:Don't trust public nets.

No, you are wrong. This is why you perform software updates over a secure connection or check digital signatures or hashes. You know, the way all decent software update mechanisms are designed these days. The same type of attack can be done if you do your updates from home, it just becomes a bit more difficult.

Re:Don't trust public nets.

[wytcld]

addons.mozilla.org and updates.mozilla.org

Right, so I've just taken over your connection to the coffeehouse access point, and your DNS lookup now shows that addons.mozilla.org is at 192.168.1.254. Alternately, I route its real IP (63.245.209.31) to the laptop I've done the takeover with, where I've got a copy of addons.mozilla.org's content - except with evil updates.

Re:Don't trust public nets.

[morgan_greywolf]

Try reading my posts before you reply to them. I also said that it was necessary to turn off automatic updates before going to the coffee bar. Perhaps I should have also mentioned that you should install all your addons and updates at home (or in the office), on your own (or your office's) network, but I thought this was obvious.

Re:Don't trust public nets.

[brunes69]

I think you need to RTFA, or event he summary, again. The Google toolbar updates automatically. So do a lot of other extensions.

Re:Don't trust public nets.

Only if you let them! Auto-update is disablable. If you're using public wifi, for chrissake disable it!

Re:Don't trust public nets.

[General+Wesc]

I say horsepuckey. If you're bright enough to be using Firefox instead of IE, you should be bright enough to know how to configure it in a secure manner.

If you think you have to be 'bright' or computer literate to use Firefox, you're nuts. There are people who think that blue 'e' is the Internet and there are people who can hack the kernel. But there's a whole continuum of people in between who know how to install a program, but know nothing about security (and yes, that's a huge problem) and never touch the configuration screen of their newly-installed program.

Re:Don't trust public nets.

[IwantToKeepAnon]

> If you're bright enough to be using Firefox
> instead of IE, you should be bright enough to
> know how to configure it in a secure manner.

I humbly disagree. I convert as many fellow employees as I can. Most probably couldn't configure the proxy to get the the net much less address "advanced" issues.

Re:Don't trust public nets.

[Rakishi]

Except thats beyond annoying to do every single time. FF downloads updates automatically by default with no prompting except to "please restart for the update to finish installing."

Re:Don't trust public nets.

[linzeal]

I don't know about you but I have a firewall rule set that blocks all private IPs except the ones on my home network on my laptop and I cannot tell you how many times I have seen crap come in over the Wi-Fi connection that looks suspicious that is blocked.

Re:Don't trust public nets.

[jesser]

Furthermore, for those of you with notebooks/WiFi -- for God's sake, turn off Automatically check for Updates to: Firefox, Installed Add-Ons and Search Engines from the 'Updates' tab in the 'Advanced' options, especially if you're going to be spending time in a coffee bar.

Updates to Firefox itself are safe even over WiFi. Updates to extensions you got from addons.mozilla.org are also safe. Turning off automatic updates will make you less secure, not more.

Re:Don't trust public nets.

Both addons.mozilla.org and updates.mozilla.org are only available under HTTPS.

Good luck forging the SSL certificate, otherwise the update will either fail or warn the user. Remember, SSL was designed specifically to protect against man-in-the-middle attacks like the one you're proposing.

Re:Don't trust public nets.

[denbesten]

This is why you shouldn't be performing anything as heavy as software updates over networks you don't totally trust...

You mean, like the Internet?

Re:Don't trust public nets.

[Fatalis]

However, it's important to note that Firefox does not allow updates from untrusted sources by default. It comes configured with updates allowed only from addons.mozilla.org and updates.mozilla.org.

No, this is not true. If you've installed an add-on from a non-default site, it can still update in exactly the same way as an AMO approved add-on. I know this because I make Fx extensions.

Re:Don't trust public nets.

[IAmGarethAdams]

Yes, however the point is that from public Wifi you have no guarantee that addons.mozilla.org actually is addons.mozilla.org

Re:Don't trust public nets.

[jesser]

Actually, you do have that guarantee, thanks to https.

Is this a firefox issue?

[xTMFWahoo]

I would think this is an issue with the specific ad-on, not really Firefox. I guess you could say Firefox should only allow https traffic...

No shit!

This is why extensions should all be signed or have the update servers SSL cert hard-coded.

We can prevent attacks like this easily.

Surely they're signed?

Surely firefox, after initial user-accepted installation, makes sure all updates are signed using the same key?

If not, that's what's called a WTF.

Re:Surely they're signed?

[pipatron]

This is not about updates to Firefox - it's about updates for user-supplied add-ons.

Re:Surely they're signed?

Yes, I know. Try another parse. I'm sure there's an Update API which add-ons use to update, hence it's firefox that "makes sure all updates are signed using the same key?"

Re:Surely they're signed?

[pipatron]

How would this work? Either they would have to check all code themselves, before signing, or they would let the developers sign their own code, in which case the signing key would be freely available to anyone that wants to sign their malware replacement update.

Re:Surely they're signed?

[pipatron]

Ahh.. I'll try to parse your initial message again. When you say "same", you don't mean they are all using the same key, but each developer is using his/her own personal key, that does not vary between add-on updates.

Re:Surely they're signed?

[Frosty+Piss]

This is not about updates to Firefox - it's about updates for user-supplied add-ons.

Remember, Firefox is supposed to fill the same role as IE - It's not just for geeks, the "masses" are invited to use it as well. These are the same masses that Slashdotters claim don't know the difference between Windows and the Interwaeb. Thus, this issue needs to be addressed in the design and code of FF in a was that the so-called masses can handle.

Re:Surely they're signed?

[LinuxIsRetarded]

The point here is that these plugins are specifically designed to run within Firefox. If Firefox provides no mechanism to prevent these addons from downloading and installing arbitrary content, there most definitely is a serious security flaw in Firefox. What's even scarier is that you don't need elevated permissions for this flaw to be exploited. At least with Internet Explorer, the user must be running as an administrator (which any educated user simply doesn't do) in order to allow any updates to registered COM components. So, even though I run as a limited user, my DOM Inspector plugin for Firefox could potentially insecurely attempt to update itself and end up hosing my profile. Nice.

don't automatically update

[miowpurr]

How about setting your updates (yes, even for add-ons) to NOT download automatically? That way you can at least control when they download...

Re:don't automatically update

How about people stop downloading virus's. How about people stop visiting porn sites and letting them run JavaScript and ActiveX. How about people don't leave their computer on 24/7 connected to broadband. How about people don't use email until they know exactly what phishing and scam e-mails look like. Etc....

If you let Firefox off with the excuse that "users should just do this". Then you certainly have to let a lot of others off also using the same excuse.

When a user starts Firefox and gets an update message - most will happily click through the messages and install the updates without reading a thing. Same for windows updates, virus software updates, etc.. I wish all computers users knew enough not to do silly things. But that's not the case. It is getting better and probably will continue to.

Forced automatic update is evil

[syousef]

...and what happened to Google's "Do no evil" slogan?

Then again these days Firefox itself pretty much forces you to update if you want to easily install extensions. What is with forcing people to download the plugins at install time? Last time I checked there was a plugin that allowed you to download to install later. That makes no sense. Why do I need a plugin to do this???

I use to have a stable browser with 1.0. With 1.5 and 2.0 I often have to restart the thing if I open lots of tabs and some of the pages don't respond, otherwise anything new I try to open doesn't respond. Firefox is still the best browser around at the moment, but it started off with so much more promise. It's become a bit of a pain to use as I've gotten use to the features (and other browsers have caught up), yet Firefox has gotten buggier.

Re:Forced automatic update is evil

This has nothing to do with Firefox's built-in forced updates. The problem here is extensions you download from sites other than addons.mozilla.org, since they might include their own non-standard update methods which don't verify security certificates. Posting AC because I have to go to work and don't want to wait 10 minutes to reply.

google toolbar

unfortunately that threat is very much real, it happened to my father using Firefox and suspicious web-sites, he just kept clicking 'yes' as the site asked him to.. after I spend countless hours of installing/configuring WinXP to be secure.. bah!
http://www.channelregister.co.uk/2006/07/20/google _toolbar_trojan/

Addons from addons.mozilla.org not vulnerable

[CTho9305]

The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org/ - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

Since it's not mentioned in the summary, it's important to reiterate that this takes advantage of non-secure update mechanisms used by some addons. The addons.mozilla.org site will only host extensions that update from addons.mozilla.org through the built-in mechanism, which is not vulnerable to this attack. This is an extension-specific issue, and would most likely apply to any sort of addon for any software that doesn't verify security certificates.

Re:Addons from addons.mozilla.org not vulnerable

Hardly any of those addons are signed though.

Re:Addons from addons.mozilla.org not vulnerable

So? You don't need the addon to be signed to be safe here - you just need to make sure you're downloading the package from the right server (i.e. one with a trusted SSL cert).

Plug-in's are people too

[ProppaT]

Maybe if you spent more time with your plug-in's they wouldn't feel that way. Have some compassion!

Re:Plug-in's are people too

[disasm]

-3 Weird???

Re:Now they're hijacking Firefox?!

[MichaelSmith]

Someone get Larry Niven and Jerry Pournelle on the case!

What about Craig Thomas?

Is it viable?

[Xtense]

So ok, it is possible to do such an attack, but... is it viable enough as an attack vector? I mean, the attacker would have to sit 24/7 near an unsecure hotspot and/or an unsecure network to wait for a potential victim, and, as we know, firefox users aren't the majority, so this further narrows down the possibility of a successful attack. That's enough to call it improbable i think. Of course, since such an attack is possible, that can mean something, but, please, would anyone sit around coffee shops all day just to infect one person with spyware, when he could just, I dunno, send viruses or trojans through mail to computer illiterate people?

Re:Is it viable?

[CaffeineAddict2001]

The person doesn't have to actually be there. You could disguise a server as a book on a bookshelf in a coffee shop and infect and collect all day.

Re:Is it viable?

[14erCleaner]

And after "all day" was done, you still probably wouldn't have more than one victim. It would be more profitable and less work to pick pockets, if you're planning to do evil at a coffee shop.

This topic is kind of like the Linux virus stories that appear every few months: it's just anti-free-software FUD.

Firefox extensions are insecure

[140Mandak262Jamuna]

Right from day one I realized that the extensions provided by Firefox could become an security issue. I use very few of them. Scriptblock, Adblock and almost nothing else. And I disable auto updates. But on the other hand, Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

Yes, one should be careful about the extensions, and use them carefully. And one should be careful about using WiFi in coffee shops and hotels. I am far more worried about our salesmen plugging in their lap top in some hotel network in Bangkok, pick up an infection and coming to corporate HQ and plug that laptop in our intranet, behind the firewall, in the trusted network. I have asked my sysadmin to set up a separate network for laptops that might be used outside our intranet that is not part of the trusted intra net.

Re:Firefox extensions are insecure

[gardyloo]

I am far more worried about our salesmen plugging in their lap top in some hotel network in Bangkok, pick up an infection and coming to corporate HQ and plug that laptop in our intranet, behind the firewall, in the trusted network. Wow. You kids these days and your descriptions of the clap!

Re:Firefox extensions are insecure

[dpozsai]

I have asked my sysadmin to set up a separate network for laptops that might be used outside our intranet that is not part of the trusted intra net.

Ask him to take a look on 802.1x http://standards.ieee.org/getieee802/download/802. 1X-2004.pdf. You can give access to different VLAN based on software policies (i.e. having AV updated and so on)

Re:Firefox extensions are insecure

[WalterGR]

Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

Uh... not true at all. Firefox extensions can contain (and run) executable code.

As the Greasemokey security vulnerability demonstrated, web pages can "script" Firefox extensions.

ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

(addons.mozilla.org is having problems right now, otherwise I'd point out some extensions that have .EXEs in them. I looked into it before and one extension that had them added support for 3rd party download managers - don't recall the name...)

Re:Firefox extensions are insecure

[WalterGR]

Ah, good. addons.mozilla.org seems to be responding again.

So check out FoxyTunes, which is listed on the Recommended Add-ons page.

Download the XPI file, rename it to ZIP. Open it in WinZip or whatever. You'll notice several files:

• FoxyTunes.dll
• FoxyTunes.dll.linux
• FoxyTunes.dll.mac
• FoxyTunesBonobo.so.file

DLL files are executable code on Windows. I'm assuming the *.linux and *.mac are similar. SO files are executable code under Linux, not sure why it has .file after it.

I'm sure there are more extensions with executable code, that was just the first I looked at. Look for any extension that integrates with external software - almost always there will be a DLL or EXE.

Sign your addons, please..

[QuantumG]

How to sign a Firefox Extension by Frederic Mercille.

It's not hard (for anyone who can make an add-on).

Stupid

[noundi]

This is like handing out your car keys and then end up blaming Audi for it.

Welcome to the wonderful world of Bloatware

[BlackCobra43]

You laughed at IE for being full of stuff nobody uses.

You derided Opera's minuscule userbase.

You vied for the top dog spot.


Well, now you're on your way to getting there. You're gaining markt share. With growing market share come the demands of progressively dumber users - it's just the nature of the technology market. FF's code needs a good clean-up.

Re:Welcome to the wonderful world of Bloatware

[Dan+Ost]

With growing market share come the demands of progressively dumber users

I've never heard it expressed so succinctly (and without cussing).

Beautiful.

Subject to the laws of physics

[l0ne]

Q: When am I at risk?

A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

That means that this attack only works if the local area network is hijacked! Which reduces its danger substantially for the population at large as the huge majority of home connections is on its own link.

It is only a problem in the situation above (that are atypical nowadays) and in work or other large-network settings where it is possible to connect an untrusted computer to the network.

IT ALSO MEANS IT IS NOT FIREFOX SPECIFIC, as hijacking a connection can lead to many unpleasant things that may be as dangerous as that without requiring Firefox (ie grabbing passwords!).

Gaa...read the article if you have no clue at all

[phooka.de]

Right from day one I realized that the extensions provided by Firefox could become an security issue.[...]

OK, so it's about the "extensions provided by Firefox"? No, it's explicitly about extensions not provided by firefox but strapped on by some mechanism devised by the extension's developer, be it Google, Yahoo, whomever.

Extensions provided by Firefox are downloaded via a secure connection - it's your Google-toolbar that comes unprotected.

So, if you don't have a clue, read the article. If you still have any doubt that you fully understand it, don't comment on it.

As the user goes, so goes the browser

[macraig]

If the user is "insecure", then so too will the browser be. Anyone who would update software from a public wi-fi connection is in dire need of an education and asking for trouble. As far as extensions go, LESS IS MORE, as in beer: the browser will load faster, be less prone to memory leaks and XUL conflicts, and as the article suggests more secure to boot. Considerable skepticism should be given to any extension not found at the Mozilla site; if it were me I wouldn't install it, for the reasons above and unless it is indispensable and I was completely certain of the integrity of the author and site.

Re:As the user goes, so goes the browser

[maxwell+demon]

Note that one thing mentioned in the article was that the Google toolbar doesn't even ask. That is, you might update it without even knowing. If anything asks "do you want to update", you can always answer "no" (and are also noticed that there's an auto-update functionality running which you might be able to disable). However, if it just happens silently, then unless you already know that it happens, you'll probably not notice (at least until a new version with an user-visible change gets auto-installed).

This is crypto 101

[mrkitty]

Nothing new here please move along.

Verisign? Self signed certs? Not again!

[Ilgaz]

Let me get this straight: After years of open source software guys struggling with Verisign , self signed certificate paranoia creating alerts of Java and the horrible situation in Symbian which is just slowly getting fixed (except closed source)- Firefox developers opted in for the exact Windows scheme of doing things?

I can't blame plugin developers, a self signed certificate alert really looks more evil than unsigned code.

That Verisign/Symbian signed crap is _the_ reason why Commwarrior type of Symbian trojans which are slowly being converted to WinCE exists. People are trained/learned to ignore certificate alerts since even open source software guys couldn't sign their application with a valid signature rather than self signed , Thawte Freemail classic. If they offered free Symbian certificates to at least opensource developers, nobody would educate himself to ignore certificate alerts by OS. Now Symbian finally woke up a bit and offer it free to open source and yet they ask million dollar software houses to send their source (yes,source) to get signed.

That may happen to Sun one day too. They are still keeping their precious Java trusted certificates and even open source Java software comes with self signed certificates.

What would happen if they used the standard RC4 scheme or even text based gpgp which is in use for years?

What I am trying to say is, the current situation, if people doesn't get educated to ignore security warnings is lot better/safer than millions collectively ignoring security warnings. They should change the entire scheme of doing things, developers shouldn't teach users "If a security alert pops up, press ignore".

You are wrong

[I)_MaLaClYpSe_(I]

Ask him to take a look on 802.1x http://standards.ieee.org/getieee802/download/802. 1X-2004.pdf. You can give access to different VLAN based on software policies (i.e. having AV updated and so on)
You obviously confused some things:

EEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.

You might want to read the documents you refer to. I guess, what you meant was NAC - Network Admission Control

Re:Goatse!

[maxwell+demon]

Well, maybe someone exploited the security hole mentioned in this article to add a "goatse extension" to some Firefox installations, which automatically sends a goatse comment to each visited Slashdot story. :-)

HTTPS isn't necessarily secure..

[madsheep]

HTTPS just makes it hard to eavesdrop. It doesn't mean the site you are getting your plugin from isn't a spoofed one with a self-signed cert or that your legitimate location for downloading the plugin hasn't been hacked. I guess all of www.download.com downloads are vulnerable since they're sent over http or ftp - which is suceptible to attacks! Also, if your DNS (or host file etc) is owned/poisoned then I'd think your firefox plugin is the least of your concerns. Give me a break.

HTTP versus HTTPS is _not_ the problem

[Henry+V+.009]

This is not an issue of http versus https. The only way for Firefox add-on updates to be secure, or any software updates to be secure for that matter, is for the software to make sure that the update code has been signed by the developer before installing the update. This is software updating 101. Impossible to spoof without the developer's private key.

Back in my day ...

[GISGEOLOGYGEEK]

Funny, I remember a time when people ran away from Internet explorer because of the potential for some very powerful and useful plugin technology (ActiveX) to be used against their computers.

Everyone's websurfing saviour firefox is just as vulnerable it seems ... but everyone loves firefox and hates IE.

I think this big warped shift in people's perception happened about the time when all those pesky Javascript haters (all slashdot readers just a couple years ago) fell in love with Ajax ... as if it wasn't simply a cool way to use javascript with a new extention or two.

Ah yes. The good old days.

Relation

[MBHkewl]

How is this related to FireFox only?

Doesn't the same apply for Windows Updates? A hijacked DNS can return a false address of a windows pdate server and have the user download vulns. instead of patches.