Whitelists and Blacklists in Firefox Plugins

Trev has a good writeup about some obvious holes in Firefox plugins. I’ve long said that the biggest holes you will find in Firefox will be in the plugins themselves, not in the browser. I consider browser rulesets to be sorta the equivalent of killing an ant with a club. You can be pretty sure you’ve taken care of the issue if you turn off scripting in the browser, but that is not the case with tools like NoScript. As Trev points out, once you start making exceptions, that’s where things start going awry quickly. To quote myself:

“Think about other places where muddying the water has become an issue - Firefox plugins and PHP plugins. Need I say more? Since they are different developers with different skillsets they will no doubt miss the security aspects. Since it’s two developers instead of one (as JavaScript and the server side code are most likely different languages) you’re twice as likely to have security holes.”

Trev himself told me that he’s been thinking about this a long time as well, outside of the context of my arguments. The sheer complexity of a standalone web browser is startling (in a big way this entire website is at least in part devoted to it), but it makes matters exponentially worse when you start adding new and untested technologies on top of the systems. Not that I think either Adblock Plus or NoScript are bad plugins, but both suffer from that exclusion list issue, which really can make things far more complex from a security perspective. Diversity in browser functionality is a good thing for security, but from an actual vulnerability standpoint it’s a scary thought given how many holes we’ve found in these sorts of applications.

As a side note, I’ve been wanting to turn Adblock Plus into an application firewall for a long time (over the less functional alternatives). I hope something as mature as Adblock Plus can be converted into something like this, because it’s got a great chance of at least partially mitigating a lot of problems that have been all but unsolvable to date.

