Concern about how add-on auto-review can hurt user's trust to Firefox


(Irvin) #1

Hi,

Most people don’t know that we’re now using an automatically-approval process on AMO for Firefox Add-on review (since mid. September), which means, our program will check for known problems and threats in new add-ons, and if not found, it will get published without any manual process.

https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/

The benefit is time. Some addon author already found that the reviewing process is incredibly quick, that it will get published in just a few minutes after uploaded new version.

However, the automatically approved system (which Chrome used for many years) had been considering harmful for general user, because it can be the routes for malware to get into user’s browser, and we can only stop and fix it after someone discovered and reported back, and cannot prevent in advance with current manual reviewing process.

And this bad part had ALREADY happened just in that week after the automatically review process up. Two weeks ago, we discover several add-ons had bound with mining codes on AMO. After some research, we found 7 add-ons with the same codes in the end.


http://boards.4chan.org/g/thread/62674567/bitcoin-miner-in-firefox-addons

Although the editor had banned them, the MALICIOUS ADD-ONs had already got into user’s computer. We didn’t know how many users were affected nor how many mal-addons left there in public.

Many people (including me) feel that AMO is not trustworthy anymore because of the potential threat. Without fully manual review, we need to assume that every add-on appears on AMO can be dangerous.

The manual review process had always been considering one of the better things Firefox’s eco-system over Chrome, that the reviewer will not only check for the malicious codes, but also help addon author to follow some best practice (eg., using the known version of libraries such as jQuery from official site).

And because of the manual reviewing process, we told general user that they need to be aware for Add-on installed from other sites, and they can trust the one listed on AMO.

With non-manual checking Add-ons (and the fact that dangerous code can be live there), we cannot trust any AMO add-ons now. Even for those been manual reviewed, because we just cannot tell which one had been check and which is not apart.

Even worst, some normal add-ons may be updated with malicious codes, been auto-approval and push into user’s browser with our auto-update mechanism anytime.

Many people are asking for purchasing the ownership of my add-ons from time to time in past, that they want to earn the profit by adding Ads to it. Guess what they want to do for now if they discover the change of reviewing process?

According to the discussion on AMO blog article, on IRC addon channel, Reddit, 4chan, Telegram and within above and below links, many contributors including volunteering reviewers, Add-on authors and users already raise the concern about safety and trust problem, before and after the change.


They didn’t get the answers before the auto-approved enabling. And they saw the incidents happened. Besides removing those add-ons which been reported, there is still lack of any steps and strategies to prevent future incidents happening again.

My question is - How can we still convince users that Firefox eco-system is still TRUSTWORTHY? If even myself found it’s not trustful anymore.


(jscher2000) #2

I think extensions that have not yet been human-reviewed should be labeled specially, for example, similarly to the old Preliminary button, for the time being until it has been proven out.


(Makyen) #3

While we might convince people that it’s trustworthy, we shouldn’t try to do so, because we already know that it’s not. Our attempting to convince them just destroys the trust which people have in us. The only appropriate way to handle this is to be up-front with people. Tell them what the risks are.

Removing the required manual, human review of Firefox add-ons eliminates the only reason I had to continue to use Firefox post FF57. Mozilla has already chosen to change Firefox into a completely different browser. At least from the point of view of my user-experience, it is completely different not to have legacy extensions and full themes. Personally, I’ve been calling FF57+ Smolderfox, as the fire is out.

I’ve stated in multiple places that my only reason to continue to use Firefox was the trust that was gained by having manual, human review of all listed add-ons. This change completely destroys that trust. Using extensions in Smolderfox will now be just as dangerous as using them in Chrome (where there are numerous extensions that violate your privacy and security, including existing extensions which are changed to do so).


(D Jan) #4

If I read the ghacks article right, we still have human review, but only after publishing. So it is not the same as Chrome’s review process which seems to have no human review at all.

I would be interested in the relative (in-)security of the process (since all implementations pose some risk, even full human review). So based on threats recognized after publishing until now, how likely is it that an extension a user has downloaded is malicious for

  • manual review (as we had before)
  • semi automated review (as based on the rather short period until know)
  • fully automated review (as for chrome)

Is there any way we can get this data? (maybe @jorgev knows?)


(Jorge) #5

Few things I’d like to clarify here:

  1. Malicious add-ons have always been and will always be a risk, on AMO and other places. We have the blocklisting system for those add-ons.
  2. Coin miners are not considered malicious. Otherwise they would have been blocked. The reason they were on the site for a few days after being submitted and reported is that we were figuring out what our policy should be about them. They don’t quite fit previous situations and we want to make sure our policies are clear. They were taken down while we clarified the policy, and it looks like ultimately they won’t be allowed.
  3. Similarly, advertising or other forms of monetization aren’t considered malicious, though there are restrictions about disclosure and opt-in.
  4. The WebExtensions API limits the impact malicious add-ons can have on users, though they can still do some bad stuff.
  5. Chrome’s system isn’t fully automated. It’s actually fairly complex and sophisticated, and there’s a human element to it. We’re setting a higher bar, but we can’t guarantee total security (and never have).

(Irvin) #6

I would like to know that

  1. do we actually have human review all auto-approval add-ons after publishing, and how long is the window period between those two actions?

  2. How can a user know whether an addon had been human-reviewed, and

  3. is there any way to block auto-approval addon (before human check) get into our Firefox to reduce the risk?


(D Jan) #7

Thanks for the clarifications on the “malicious” criteria and the Chrome review system!
As mentioned above I think it could be very helpful to have some data on human vs. automated review, particularly since human may sound much better but might not necessarily be so. Did Mozilla collect such data or are there comparable analyses from other organizations?


(Andrei Petcu) #8

Can you please update the review policy to include this also?


(Irvin) #9

There are scam and malicious addons appear again and again on AMO. If we cannot prevent it, someday it would become huge PR problem over “Firefox is more secure” idea.


[IMPORTANT] Council Elections - Spring 2018 - Nominee Q&A