this post was submitted on 04 Oct 2023
79 points (98.8% liked)

Firefox

17937 readers
38 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

Many add-ons have somewhat spookiy authorisation requirements, such as "access all of your activity". In many cases this is justified by it's function, and of course there isn't any problem with it as long as we're sure all this data stays on your computer and isn't shared with any remote server. How are we sure of that tho? Is there an easy way to check for each add-on ?

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 23 points 1 year ago (1 children)

Packet sniffer? Like wireshark maybe?

[–] [email protected] 8 points 1 year ago (2 children)

But wouldn't that just tell you, "Firefox was connecting to the internet"?

[–] [email protected] 17 points 1 year ago (1 children)

Nope, it'd give details. Combing through and decrypting those details is another matter, though.

[–] [email protected] 8 points 1 year ago (1 children)

You can MITM yourself and setup your own CA, no?

[–] [email protected] 3 points 1 year ago

If you so chose to, yep.

[–] [email protected] 8 points 1 year ago

No, it would say which packet is being sent to which destination.

[–] [email protected] 15 points 1 year ago (1 children)

It just isn’t easy. You can read permissions and try to read the source, but it requires some expertise.

[–] [email protected] 4 points 1 year ago

For smaller extensions, you can start by looking at the manifest.json as this file is the entry point. You can see which part of the code needs access to 'everything' and go from there.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json

For example, with Instance Assistant for Lemmy, you need to give access to all sites because it needs to run on any Lemmy site and that's not something you can hardcode in.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (1 children)

I think it's "access your data" permissions that are the ones to be wary of, due to the explanation here. Defending against this, I'm not really sure. Someone who knows more should chime in, but maybe a software firewall like Little Snitch/OpenSnitch that will let you approve/deny every connection. (This will probably get fatiguing fast.)

[–] [email protected] 9 points 1 year ago (1 children)

As a longtime Little Snitch user, it's freakin exhausting.

[–] [email protected] 3 points 1 year ago (1 children)

I thought little snitch worked per app and not for each connection one app makes

[–] [email protected] 4 points 1 year ago (1 children)

You can make rules network-wide, per-app, or per-incident. The latter is useful for getting a handle on app behavior. Like if you see it contacting 'updates.somedev.com' weekly, you can choose to allow or disallow permanently based on how benign you think the app is. But more likely, anything trying to phone home has a dozen CDNs it's trying to hit rather than an easily identifiable URL. Block one, it tries to hit the other. Maybe today, maybe next week. It gets overwhelming (which IMO is a feature for the dev, not a bug).

[–] [email protected] 1 points 1 year ago
[–] ink 7 points 1 year ago

Easiest way is to use packet sniffing. but they could be set-up to only send data at random intervals, which could be hours, days or weeks. so you're best bet is go through the source code by extracting the extension file and look for any links, domains or mangled code which may be encoded with something malicious.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

A. PiHole has the added benefit of blocking some known blacklisted domains and even if it doesn't block it, you'll see the DNS resolution requests by device in your network. It might be hard to know which requests are coming from the add-on if the hostname or timing is not obvious though.

B. Using a local sniffer like Wireshark you can list everything that goes through a network interface in real time. Since it's a really long list, I'd isolate the app first by running it in a container and only sniff that container's interface instead. And since you're using containers, you can also run Wireshark itself in one. This is an example of Firefox in Docker - though I've never used it.

C. If open source and you have the knowledge, check the source code for mentions of request protocols "http", "tcp", or keywords like "timeout", "payload", "track", and "telemetry". It's common for projects to use libraries that collect and submit logs, often for legitimate purposes, like sentry, new relic, and datadog.

[–] [email protected] 1 points 1 year ago

Thanks! I haven't yet tried to use wireshark with a container, tho'll keep that in mind, but I did check the code on Github (my coding knowledge is small, but not nonexistent, and it was easier once I had an idea of what to look for). The addon I was interested but wary of at the moment was Redirector, but from what I've seen so far it seems legit (I didn't find any occurence of most of these keywords, or anything that seemed suspicious with the occurences of http).