undefined | Better HN

0 pointstredre32y ago0 comments

Mozilla claims that they review all the code, but in practice they don't. They have an automated tool that looks for certain things. If nothing is found, this is the end of the code review. If things are flagged, then a human will look at the code a little.

If you have an established extension and push an update, odds are there will be no human review of the code changes. That is how most malicious extensions happen.

Sure, Mozilla historically had less malicious extensions than Chrome. But that's for the same reason that Linux has less viruses than Windows: hackers will target the 90% of users and not waste time on the rest.

I say all this as a staunch Firefox user and maintainer of a handful of extensions.

0 comments

3 comments · 1 top-level

no_wizard2y ago· 2 in thread

They do seem to audit their recommended extensions[0] differently though. At least according to their FAQ, the extension can't get the recommended badge until it undergoes an actual security review.

Open question about that for me though, is after the initial review is done, do they audit the updates? Something tells me that may not be the case.

[0]: https://support.mozilla.org/en-US/kb/recommended-extensions-...

elashri2y ago

They do, I first came to know that from seeing ublock origin updates gets to other browsers first. The author then says that this is because it is Firefox recommended extension and have to go through the extensive review.

no_wizard2y ago

That makes me happy to read. Good to know Firefox is keeping that promise for the recommended extensions, at least

j / k navigate · click thread line to collapse