June 30, 2007
Firefox extensions (MITM)
- The DNS or the connection is not trustworthy
- a public wireless network is used
- the router was recently infected/hacked
- a 'hub' is used instead of a 'switch'
- the extension is updated by a bogus site
- the extension is updated without encryption
- change the password on your router (check its documentation)
- get extensions from addons.mozilla.org if possible
- turn off automatic checking tools -> options -> advanced -> updates -> turn off any options
- turn off extension installation or at least turn on the warning. This is not necessary when automatic checking is already turned off. tools -> options -> advanced -> updates -> "warn me when web sites try to install extensions ..."
- check to make sure SSL is used
- verify the validity of the extension by getting a copy of its MD5.
Most extension developers don't offer them, but if enough people bug them it just might happen
- disable all extensions that don't use SSL
tools -> extensions -> click "uninstall" on any extension that does not use encryption
- if you use Google's extensions then disable their autoupdates.
In about:config search for "extensions.google";
if an extension has an entry ending in ".autoupdate", set it to false.
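The two checks above ("make sure SSL is used" and "look for vendor .autoupdate prefs") can be done mechanically. The script below is an added example, not code from the original notes: it reads install.rdf manifests and reports whether each extension's em:updateURL is https, plain http, or absent (in which case Firefox asks addons.mozilla.org, the host the notes treat as safe), and it scans prefs.js for extensions.google*.autoupdate entries that are still true. The manifests, extension ids and pref names embedded below are constructed samples, not real extensions or real Google pref names.

```python
"""Audit Firefox extension update channels that a network attacker could tamper
with: install.rdf manifests whose em:updateURL is plain http://, and prefs.js
entries that keep a vendor's own autoupdate switched on.

Added example; not code from the original notes. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Namespace Firefox uses for install-manifest properties (em:id, em:updateURL, ...).
EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed install.rdf manifests keyed by extension id (not real extensions).
SAMPLE_MANIFESTS = {
    "safe-ext@example.test": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>safe-ext@example.test</em:id>
    <em:updateURL>https://updates.example.test/safe/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    # Attribute form of the same property, pointing at a plain-http update feed.
    "plain-ext@example.test": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="plain-ext@example.test"
               em:updateURL="http://updates.example.test/plain/update.rdf"/>
</RDF>""",
    # No updateURL at all: Firefox falls back to addons.mozilla.org.
    "amo-ext@example.test": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-ext@example.test</em:id>
  </Description>
</RDF>""",
}

# Constructed prefs.js excerpt; the extensions.google.* names are made up for the demo.
SAMPLE_PREFS = """\
# Mozilla User Preferences (constructed sample, not a real profile)
user_pref("extensions.update.enabled", false);
user_pref("extensions.google.toolbar.autoupdate", true);
user_pref("extensions.google.sync.autoupdate", false);
user_pref("extensions.google.toolbar.version", "3.0");
"""


def update_url(manifest_xml):
    """Return the em:updateURL declared in an install.rdf, or None if absent.
    Both the child-element form and the attribute form are accepted."""
    root = ET.fromstring(manifest_xml)
    for node in root.iter():
        attr = node.get(EM + "updateURL")
        if attr:
            return attr.strip()
        child = node.find(EM + "updateURL")
        if child is not None and child.text:
            return child.text.strip()
    return None


def classify(manifest_xml):
    """'ssl' (https update feed), 'plaintext' (http: an on-path attacker can
    substitute the update), or 'amo-default' (no updateURL, Mozilla's host)."""
    url = update_url(manifest_xml)
    if url is None:
        return "amo-default"
    if url.lower().startswith("https://"):
        return "ssl"
    return "plaintext"


def audit_manifests(manifests):
    """Map each extension id to its update-channel verdict."""
    return {ext_id: classify(xml) for ext_id, xml in manifests.items()}


_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')


def vendor_autoupdate_prefs(prefs_text, prefix="extensions.google"):
    """Boolean prefs under `prefix` whose name ends in '.autoupdate', with their value."""
    found = {}
    for name, value in _PREF_RE.findall(prefs_text):
        if name.startswith(prefix) and name.endswith(".autoupdate"):
            found[name] = (value == "true")
    return found


def still_enabled(prefs_text, prefix="extensions.google"):
    """Names of vendor autoupdate prefs that are still set to true."""
    return sorted(n for n, on in vendor_autoupdate_prefs(prefs_text, prefix).items() if on)


if __name__ == "__main__":
    for ext_id, verdict in audit_manifests(SAMPLE_MANIFESTS).items():
        print(f"{ext_id:26s} {verdict}")
    print("vendor autoupdate still on:", still_enabled(SAMPLE_PREFS))
```

On a real profile, point `audit_manifests` at the install.rdf inside each directory under the profile's extensions folder and `still_enabled` at the profile's prefs.js; anything reported as "plaintext" is a candidate for the "uninstall" step above, and anything still enabled is a pref to flip to false.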
The following do not use SSL:
- Google Toolbar
- Google Browser Sync
- Yahoo Toolbar
- Del.icio.us Extension
- Facebook Toolbar
- AOL Toolbar
- Ask.com Toolbar
- LinkedIn Browser Toolbar
- Netcraft Anti-Phishing Toolbar
- PhishTank SiteChecker
- all versions of Ffx are vulnerable
- extensions are not checked for validity
- some extensions (Google) ignore Ffx's settings and use their own autoupdate option.
- google toolbar is added with WinZip, Real Player, Shockwave. (Google pays publishers $1 for each copy they install)
- The Mozilla team provides a free/safe hosting service for open source extensions, (https://addons.mozilla.org)
- SSL encryption defeats DNS poisoning because the impostor server's certificate will not match the expected host name
- Ffx 'code signing' does not abate the situation
- Mozilla fixed ebay extension because they co-branded it
- Ffx checks for updates every 24 hours.
- Ffx downloads and installs the extension the next time it restarts.
- Mozilla was notified on April 16th. Their response: it is not a Firefox bug or vulnerability; avoid vendors that do not update through their site; a fix is slated for Ffx 3.0
- Google was notified on April 16th, 20th, and May 24th
They said (May 25th) that they were working on a fix and expected to have it before May 30th
- Yahoo was notified on April 20th
- Facebook on April 21st
There has been no response.
- Christopher Soghoian's write-up
- 3rd party directions on developing extensions
- eweek's write-up, by Lisa Vaas
- softpedia's write-up on Ffx 3.0
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader