[security] regular hash check on preinstalled addons

A simple addon could do this automatically very quickly and easily, by downloading the latest addons at semi-random intervals and comparing hashes, if the hashes are not already available on Firefox's own addons page. Offering a checksum would be incredibly helpful for security purposes. It would be best if Firefox provided the latest hash checksum on the addons page, to avoid the necessity of re-downloading each addon individually.

Today I noticed the user interface in the Disconnect addon had totally changed in my Firefox browser (for Windows, 61.0b8 64). It had a clean vertical column listing only Google, Facebook, Twitter, and a few other websites; each was like a rectangular button. Nothing else was visible. If I did not know what it should have looked like, I would have assumed it was legit. It was completely different than the original. I should have taken a screenshot and backed up the extension but failed to do so. I uninstalled the addon and re-installed it from Firefox’s website; the UI immediately went back to normal. I confirm signature checks were in fact enabled. I’m curious what kind of security Firefox implements. I know it’s supposed to only allow signed addons, but does it go one step further and offer an option for regular hash checks to ensure it has not been modified or replaced with malware? I believe this will be a necessary step in order to mitigate against many zero day threats or vulnerabilities within browser signature verification systems.

There is a similar discussion taking place here for Chrome extensions:

It would be best if Firefox provided the latest hash checksum on the addons page, to avoid the necessity of re-downloading each addon individually.

Add-on files are signed, and Firefox checks the signature at install time and then at regular intervals. It shouldn’t be possible for an altered add-on file to run on Firefox (unless Firefox itself is altered).
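
The periodic hash check proposed in this thread can be sketched locally. This is an added example, not part of the thread and not Firefox's own code. It records a SHA-256 baseline of the `.xpi` files in an extensions directory and later separates files whose bytes changed under the same manifest version from ordinary version updates. The function names and the sample add-on files are hypothetical and constructed for the demonstration.

```python
import hashlib, json, tempfile, zipfile
from pathlib import Path

def describe_xpi(path):
    """Return (sha256 hex of the file, version string from manifest.json)."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    with zipfile.ZipFile(path) as xpi:  # an XPI is a ZIP archive
        version = json.loads(xpi.read("manifest.json")).get("version")
    return digest, version

def snapshot(ext_dir):
    """Map each add-on file name in ext_dir to its (hash, version)."""
    return {p.name: describe_xpi(p) for p in sorted(Path(ext_dir).glob("*.xpi"))}

def compare(baseline, current):
    """Classify differences between two snapshots."""
    report = {"modified": [], "updated": [], "added": [], "removed": []}
    for name, (old_hash, old_ver) in baseline.items():
        if name not in current:
            report["removed"].append(name)
            continue
        new_hash, new_ver = current[name]
        if new_hash == old_hash:
            continue
        # Same version but different bytes: not explained by an update.
        report["modified" if new_ver == old_ver else "updated"].append(name)
    report["added"] = [n for n in current if n not in baseline]
    return report

def write_xpi(path, version, script):
    """Build a constructed sample add-on (not a real extension)."""
    with zipfile.ZipFile(path, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps({"name": path.stem, "version": version}))
        xpi.writestr("popup.js", script)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        write_xpi(ext / "blocker@example.xpi", "1.0", "render()")
        write_xpi(ext / "notes@example.xpi", "2.3", "open()")
        baseline = snapshot(ext)
        write_xpi(ext / "blocker@example.xpi", "1.0", "renderOther()")  # same version, new bytes
        write_xpi(ext / "notes@example.xpi", "2.4", "open()")           # ordinary update
        return compare(baseline, snapshot(ext))

if __name__ == "__main__":
    print(demo())
```

The version string lives inside the file being checked, so an "updated" entry still has to be confirmed against the version the add-ons site lists. Keep the baseline outside the browser profile so that whatever altered an add-on cannot also rewrite the recorded hashes.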