Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.

Forced automatic update is evil

[syousef]

...and what happened to Google's "Do no evil" slogan?

Then again these days Firefox itself pretty much forces you to update if you want to easily install extensions. What is with forcing people to download the plugins at install time? Last time I checked there was a plugin that allowed you to download to install later. That makes no sense. Why do I need a plugin to do this???

I use to have a stable browser with 1.0. With 1.5 and 2.0 I often have to restart the thing if I open lots of tabs and some of the pages don't respond, otherwise anything new I try to open doesn't respond. Firefox is still the best browser around at the moment, but it started off with so much more promise. It's become a bit of a pain to use as I've gotten use to the features (and other browsers have caught up), yet Firefox has gotten buggier.

This is crypto 101

[mrkitty]

Nothing new here please move along.