Improving our Response to Add-on Problems

Problems

Add-on Security

1. Add-on ids can be easily replicated to bypass blocklisting. Our only way to identify add-ons is using their ids. We use them to get metadata, collect stats and add them to the blocklist. Today, the worst potential problem we face is a viral malicious add-on that uses the same id of a very popular add-on. This hasn't happened yet, as far as we know.
2. Malicious add-ons are being distributed through Facebook and video sites repeatedly. About 35 malicious add-ons have been blocklisted so far this year. They all follow the same pattern: they are disguised as a Flash or DivX update, or something else people want (free Cheesecake Factory dinner) and when installed they insert malicious code into Facebook or other sites. A couple of keyloggers have been submitted to AMO also. They are all copies of malicious code posted in a blog post some time ago. Creating and distributing these add-ons is cheap and easy, and they don't show any sign of stopping.

Blocklisting

1. The blocklist system isn't designed as an effective warning system. Blocklisting is now limited to critical cases because its user interface is too severe-looking and doesn't give users enough information or alternatives.
2. The blocklist system doesn't give users ways to act and resolve the problem. It doesn't look for fixed updates or direct users to the right place to seek help (the block page is sometimes not the right place to send people).
3. The blocklist can be easily subverted by malicious add-ons.

Add-on Quality

1. Many add-ons that are not hosted on AMO have very poor quality. Crashes, memory leaks, poor performance are reported frequently for many of them.
2. We have almost no tools to diagnose add-on impact in Firefox performance. It's difficult for us to diagnose problems, and much more difficult for the affected users.
3. We don't have an effective way to communicate quality problems in add-ons.
4. Old versions of the SDK are constantly being deprecated and quality problems are found in them. A quality problem in the SDK affects dozens or hundreds or add-ons, and most developers don't expect a need to update the SDK frequently.

Add-on Installation

1. The foreign-installed add-on¹ confirmation screen might not be sufficient to inform users. We have no data about the effectiveness of the Firefox 8 mass add-on opt-in. Do we have data about the confirmation screen?
2. At least one installer (Ask.com) is modifying the foreign-installed confirmation screen to encourage users to accept.
3. Many users install foreign-installed add-ons unknowingly and have problems uninstalling them. Many cases may be users clicking through installation wizards without paying attention, or users who share computers with others.
4. Users forget which add-ons they have installed and just accumulate them.

¹Foreign-installed add-ons: add-ons that are installed by external applications.

Communication

1. We don't provide enough documentation about doing things The Right Way™.
2. Public communications about major add-ons can damage our relationship with business partners.

Possible Solutions

Add-on Security

• Add-on File Registration.
• Add-on Review Signatures.

There are two approaches that can be taken here. We can either implement Add-on File Registration and non-compulsory Add-on Signatures, or just compulsory Add-on Signatures. I recommend the first approach because it's more likely to be accepted by the developer community, and it is less technically and logistically challenging.

Blocklisting

• The blocklist should be hardened by moving it to a separate process. I think this can be done relatively easily on Windows because of the changes done for Silent Update. It should be still be possible to configure it, but not with Firefox preferences that can be easily changed by extensions.
  • How it ultimately interacts with the Add-ons Manager is still a vulnerable area, though.
• Change the refresh rate to twice a day to improve its effectiveness.
• When faced with a blocked add-on, the Add-ons Manager should look for suitable upgrades or even downgrades in order to avoid the block.
  • This requires a better plugin update mechanism on our side. The plugin check page isn't good enough.
• We need a warning system that may or may not be part of the blocklist system.
  • Different warning levels (low, medium, high). The different levels would determine if they should only show up in the Add-ons Manager, show up in a notification bar, or display a more urgent popup.
  • Different reasons. Since we want the messages to be localized, we need some predetermined warning reasons, like Performance, Security, Stability, Privacy.
  • It should be possible to link to a more detailed article about the problem.
  • This will significantly improve our ability to deal with quality problems in add-ons. We want to avoid user fatigue (too many warnings), but it should significantly lower the bar for dealing with bad situations.

Add-on Quality

• The solutions proposed in the Add-on Security address some of this, by offering (or mandating) code reviews for non-AMO developers.
• We need to have a performance tracking page in Firefox (about:performance, maybe?), showing graphs of known metrics (startup time, memory consumption) through time, with markers showing when add-ons were installed/uninstalled/enabled/disabled, and other useful info (tab/window count? visited sites?). If and when poor performance is detected, users should be prompted to review this page.
• We need to come up with a regular, continuous test plan for top add-ons. It should be something like regular testdays, where one or more members of the Review Team help QA and volunteer testers review the most commonly used add-ons (and maybe other randomly chosen ones).
• Better documentation. Many poor practices out there exist because there are no published alternatives, or they were copied from poor published alternatives. We need to better understand why developers chose to do things a certain way instead of the one that seems logical to us.
• bug 751466 is tracking updating add-ons that use older versions of the SDK. Many developers have been contacted directly already. However, the long term solution to this problem (integrating the SDK into Firefox) should happen ASAP.

Add-on Installation

• Add-on installation needs to be simplified and renewed so that users don't get so used to ignoring installation prompts. bug 643020 started this work in the right direction.
• Revisit the foreign-installed add-on screen. It might not be giving users enough information to act. It should also acknowledge that some installers are overlaying information over it.
• We need to decide (again) what's the approved way to install add-ons externally. Our current recommendation is to add them using the registry. This only works on Windows, can install add-ons before Firefox is installed, and installs them in a way that can't be removed from the Add-ons Manager. The easier and more widely published this is, the less likely are developers from using different methods.
• It should always be possible to remove an add-on from a profile. The only possible exception are enterprise-like deployments. In this case, it should be possible for them to set a system-wide preference instead of profile-specific. Any profile-specific solution is vulnerable to other add-ons.
• Users should be reminded about the add-ons they have installed. Maybe in about:home, or just displaying an Add-on count in the menu could help. Prompting might be too much, but should be considered.
• In order to give users more data, users should be able to rate any add-on anonymously from the Add-ons Manager, which should be presented on install and in the Add-ons Manager. We might need to have a public page to display some basic data, user reviews, a Report Abuse link like on AMO, but no download links.

Communication

• See Add-on Quality and Add-on Installation for specific areas where documentation is lacking. We should have an add-ons landing page aimed for non-AMO developers that groups all the information that is specially useful for them.
• Communicate inside Mozilla what are the appropriate ways to deal with add-on problems (file a bug, ping us, etc.). We might want to open up the marketplace-abuse mailing list for anyone in the staff to report problems.
• We need closer communication between the Add-ons Team and SUMO. Should we have a regular meeting? A dashboard for the Add-ons team? We need to be aware or top and trending problems related to add-ons.

Sources and Related Discussions and Bugs

• McAfee is killing us.
• bug 727938 - Block McAfee Site Advisor 3.4.1 -- it leaks every content compartment forever.
• The McAfee Site Advisor add-on has an appalling memory leak.
• Testing the top 100 add-ons for memory leaks.
• bug 720856 - Need way to flag known problems in installed extensions to users.
• Expose Add-on Performance feature page.
• bug 733516 - Request for telemetry add-on data.
• bug 730737 - Test the 100 most popular add-ons for memory leaks.
• bug 695481 - Indicate on add-on download page whether add-on is known to leak.
• MemShrink progress, week 32.
• bug 720236 - An analysis of the memory consumption of 16 add-ons.
• The carrot, the stick, and the wrench: Add-on leaks are everyone's problem.
• bug 695348 - create a tool to analyze why compartments are alive.
• bug 728227 - Require that third-party add-ons installed by third-party installers (not user action in Firefox) be signed by the AMO team.
• bug 721258 - Stop third party add-ons from altering our opt-in screen.
• bug 643020 - Implement the new install UI in the content area.
• bug 293548 - Provide windows registry install location for extensions.
• Ask Toolbar is changing the Firefox add-on process.
• Pros and cons of different add-on install methods
  • Install methods Etherpad.
• bug 662819 - Track "Application Reputation" for protection against socially engineered malware attacks and malicious executable downloads
• Antivirus Hall Of Shame
• bug 735931 - avast! WebRep add-on is obnoxious, possibly insecure?
• bug 733892 - crash aswJsFlt.dll (Avast) and Ant extension.
• bug 721264 - Please consider blocking the Babylon Toolbar.
• A summary of ideas to improve add-ons.
  • Ideas Etherpad
• bug 751466 - Get add-ons to upgrade from old versions of the SDK.