65

Recently, the company I work for has forbidden usage of any extensions in Chrome. They also do not allow account sync. This affected virtually all Web developers since they use Chrome to test their front-end code and use an extension or two to improve productivity (JSON view, Redux dev tools).

Unfortunately, this has changed overnight without proper communication and there is no clear reason for this change.

However, I have noticed that I am able to use a portable version of Firefox and install all needed extensions.

Currently I am using Chrome 62.0 and Firefox 56.0.2 (portable). I use the portable version because the company officially allows FrontMotion and I do not want to mess with its installation.

This rather old post does not show any serious security problems for Google Chrome (except for privacy).

Question: Are there any objective reasons to forbid Google Chrome's extensions, but allow Firefox extensions?

Alexei
  • Are Firefox extensions explicitly allowed? My guess is that nobody thought about blocking them yet, or that it is hard to block people from doing a portable install if they have admin rights. – Anders Nov 27 '17 at 10:19
  • @Anders - there was nothing communicated about Firefox usage at all (with or without extensions) and I noticed that its extensions are allowed only after they did not allow Chrome extensions (I had no reason to test them before). Also, the portable version does not have to be installed (just unpacked). Anyway, I will try to obtain a very short list of clearly defined extensions to be white-listed in Chrome and not use extensions in Firefox at all. – Alexei Nov 27 '17 at 10:40
  • A possible reason, or side-effect: Firefox is much slower than Chrome. So if you write code which performs well enough on FF, it will surely be rocket-wonderful on Chrome. – peterh Nov 27 '17 at 12:52
  • Are they blocking Chrome and allowing Firefox? Or have they simply not figured out how to block portable Firefox and extensions for it? (Or, more probably, do they not know PortableApps exist?) Those are very different scenarios... – WernerCD Nov 27 '17 at 13:28
  • @WernerCD - Chrome extensions have been explicitly blocked along with account data sync. In most cases, security changes just happened without any prior notifications, so I cannot tell anything about Firefox. As a developer I must ensure that web apps also support it and now that Chrome extensions are gone, I just tried it along with extensions and they just worked. I know that it sounds weird, but in large organizations there can be a great hierarchical distance between the developers and persons deciding these things. – Alexei Nov 27 '17 at 13:34
  • Note: the word of $$$ is always stronger than the word of some sysadmins lobbying for weird things justified by "security". Explain to your bosses how it holds you back in your work. If you are convincing enough, the bosses - having to pay you - will do something. – peterh Nov 27 '17 at 14:52
  • Tangentially, it is important to note that useful browser extensions with high reputation can be (and [have been](https://security.stackexchange.com/q/166606/56961)) hijacked to malicious ends. – Michael Nov 27 '17 at 16:05
  • I might suggest asking a variation of this question on workplace.stackexchange.com. The workplace question you might ask boils down to "How do I respond to security policy changes that hamper my productivity?". May be a duplicate. The answer is fairly obvious though: locking down extensions hurts your productivity, which has a real cost to the business. Finding a middle ground will probably be most productive: get some extensions white-listed, or have someone reproduce the most useful extensions (JSON view is super easy, for instance). – Conor Mancone Nov 27 '17 at 17:46
  • @ConorMancone - yes, that's a good idea. Some answers from there are very good and somewhat creative. – Alexei Nov 27 '17 at 18:40
  • @Alexei You mention you did not find serious security problems with Chrome except privacy - why do you discard the privacy issues? For a company, privacy in the sense that it keeps vital company information safe can be a very serious issue. That being said, I guess someone read something bad about Chrome or Chrome extensions and Firefox is simply not on that person's radar, yet. – Frank Hopkins Nov 27 '17 at 19:59
  • @Alexei - yes, privacy is (or was, as the article is one year old) an important issue. I know that extensions usually abuse their requirements (many read all accessed information), but isn't this also happening in Firefox? I believe that you are right: Firefox was simply ignored because most users that have administrative rights (or know about the portable version) use Google Chrome. – Alexei Nov 27 '17 at 20:42
  • @peterh are you sure about that? The latest Firefox outperforms the latest Chrome on most sites. – OrangeDog Nov 28 '17 at 14:49
  • @OrangeDog I also like FF much more, but the project I am currently working on has a *very* big disadvantage for it (FF performs at less than 10% of Chrome's speed). The situation is starting to escalate in the "why are you still using FF" direction and I won't be able to hold the front for much longer. :-( Yes, it is Angular. I use FF nightly, but the stable versions are similarly slow. I also have major problems with e10s, so I turn it off wherever I can. (If I allow it, it doesn't help at all.) – peterh Nov 28 '17 at 15:35
  • The difference in permitting FF extensions, but not Chrome, may be based on outdated information. In the past, every version of every FF extension listed on AMO had gone through a manual review of the code (in addition to automated checks). Mozilla [recently changed their review policies/process](//blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/). All FF extensions are now automatically checked and listed without manual review. Mozilla claims that many extensions will still be manually reviewed *after* being listed. Mozilla refuses to expose the manual review status to users. – Makyen Nov 28 '17 at 19:02
  • @Makyen sure, but as so many FF extensions are now obsoleted by the new API, and the new API is supposedly much more secure (and correspondingly much less capable), I suppose they think automated checking is now a valid approach. – gbjbaanb Nov 28 '17 at 20:02
  • @gbjbaanb, FF's WebExtensions API is effectively the same API which Chrome uses for their extensions (with some additional restrictions/differences/missing APIs/additions). Extensions written for Chrome are largely code-compatible with WebExtensions. There's no valid reason to believe that the vast majority of the security issues which have plagued Chrome are not also possible in Firefox WebExtensions (often without needing to change any code). WebExtensions are only "more secure" when compared to "legacy" Firefox extensions, and that merely because they are *far* less capable. – Makyen Nov 28 '17 at 20:09
  • Lucky you. My company doesn't even allow Chrome or Firefox; only IE11 is allowed. – Tim Nov 29 '17 at 11:45
  • @peterh That sounds like a good reason to *keep* using Firefox. Chrome isn't the only browser in existence, and if your project works in other browsers, it will be used in them. You can't just look at the best performance results and call it good. – Yay295 Nov 30 '17 at 06:27
  • @Yay295 Right. The problem is that this project can't easily be made to work on Firefox, but it works pretty well on any other browser. It is a source of great sadness to me. I think somehow it is so... nasty. Angular is developed by Google, Chrome is developed by Google, and Angular performs well on Chrome, but not on FF... – peterh Nov 30 '17 at 10:22

6 Answers

50

I cannot answer the asked question, but I hope this could shed some light on your problem.

  • Should corporate security rules forbid usage of some browser extension?

    IMHO the answer is YES here. Browser extensions can virtually do almost anything on behalf of the regular browser. That means that a local firewall will not detect them.

  • Are there objective reasons to trust XXX (put whatever browser or browser extension here) more than YYY (another browser or browser extension)?

    Well in IT security trust is based on 2 major pieces: audit of code and reputation. The former is objective, while the latter is not, but I must admit that I mainly use the latter because I have neither enough time nor enough knowledge to review everything, so I just rely on external advice from sources that I trust. When I rely on HTTPS to secure a channel, I must trust the certificate owner to not do bad things with the data once it has received it, and I trust the certificate signer. Long story short, it may be possible to say whether an extension has better reputation than another one, but it can only be by extension and not globally by browser.

  • Is usage of a portable Firefox in your use case an acceptable solution?

    Still my opinion, but unless you are in a hierarchical place that allows you to ignore a rule from the security team, I want to say a big NO here. My advice is that you should first make a list of the extensions you commonly use, and possible replacements. Then you should try to gather as many elements as possible on their objective security and on their reputation (still from a security point of view). Then you should tell your manager that the recent forbidding of Chrome extensions leads to a net decrease in productivity, and ask him to propose to the security team a list of extensions you need, with possible replacements (Firefox for Chrome, for example). Then either they agree on an acceptable list, or the question should climb higher in the organization hierarchy, until someone who is accountable for both global security and global productivity takes a decision. Silently ignoring corporate rules is always a bad decision because the guy who has global authority has no way to know that some rules are not followed.

And if your boss chooses that security is more important than productivity or the opposite, he has authority for that choice while you may not have.

Serge Ballesta
  • Thank you for the exhaustive answer. Firefox usage is not regulated (at least not explicitly) and I use it only to double check my developments. Also I have a very small number of extensions that I use and they are all very popular, so I can theoretically indicate them and ask for them to be white-listed. – Alexei Nov 27 '17 at 10:03
  • As a side note, a security policy that forbids all extensions (not just user-installed ones) and doesn't forcibly install UBO on all workstations is hopelessly broken. – R.. GitHub STOP HELPING ICE Nov 28 '17 at 03:00
  • @Alexei Very popular does not mean secure. It's often the other way around: a very popular extension dev gets an offer from malware makers offering to buy the extension from them for a large sum of money. The best you can do is only use open source extensions from devs you know you can trust not to sell out. – Qwertie Nov 28 '17 at 05:16
  • See Ilmari Karonen's answer. There is a big difference in how code is audited for the extensions in each browser. – OrangeDog Nov 28 '17 at 14:52
  • @R: What's UBO? – Eric Duminil Nov 29 '17 at 13:44
  • [uBlock Origin](https://github.com/gorhill/uBlock/). It's a general-purpose ad/content blocker with many powerful features. – SilverWolf Nov 29 '17 at 14:37
  • @seaturtle: Thanks. I use it too actually, but didn't think about it at first. – Eric Duminil Nov 29 '17 at 19:45
41

I suspect that Anders is right, and whoever set up the Chrome extension ban just didn't think about Firefox. If they realized that you were using Firefox to get around the ban, they'd probably forbid that too (or try to, anyway).

FWIW, yes, browser extensions can be problematic from a security viewpoint, and I can see reasons for banning or heavily restricting them in some situations. That said, being able to install your own software, including a different browser, is just as problematic for the same reasons, or more so, so allowing that while banning extensions does seem inconsistent.

In any case, the real problem here seems to be the lack of communication. If the extension ban was based on an existing official policy, all employees should have been made aware of the policy; if not, such a policy should have been created and properly announced.


All that said, as the author of a Chrome / Firefox extension (SOUP), let me note that there is, or at least used to be, a real difference in the security review process between Chrome Web Store and Firefox Add-ons. Basically, the difference is that Firefox Add-ons used to have a mandatory manual security review process that all extensions had to pass before being approved, whereas Chrome Web Store only flags extensions for manual review if they fail an automated heuristic check.

Basically, my personal experience with submitting my extension to Firefox Add-ons and Chrome Web Store was more or less as follows:

  • Firefox Add-ons: I signed up for a developer account and submitted the extension. Two weeks later I received an e-mail saying that my extension (which, admittedly, had already grown quite large at that point) had been fully reviewed and approved. The reviewer had clearly gone over the code with a detailed eye, since they had spotted a nontrivial HTML sanitization bug (among just under 2,000 lines of pretty dense JavaScript) that could have led to an XSS vulnerability if, as they also noted in their review, the input hadn't come from a trusted source. Subsequent updates of the extension have generally been approved within a few days at most.

  • Chrome Web Store: To be able to submit an extension, I had to pay a $5 registration fee. This actually ended up taking me a while, since my bank was apparently flagging the charge as potentially fraudulent and refusing to let it through. Eventually I managed to sort it out by calling my bank and having them manually allow the charge. After completing the registration process, I submitted the extension and it was (IIRC) almost immediately published, apparently having passed the automated checks.

Of course, without knowing exactly what Google's automated checks are checking for, I cannot tell for sure how good they are at catching bugs and malware. But I do know that they failed to spot the almost-XSS bug in my own extension that Mozilla's reviewer caught.

More generally, my impression is that Google is more focused on trying to make extension authors traceable and accountable (via the registration fee, which at least means they know my credit card details; although I'm sure a malicious actor could find ways around that) and on detecting deliberate malware. And they don't always seem to catch it, either. The former Firefox Add-ons review process, on the other hand, not only kept out malware but also actually tried to spot potential security holes even in well-intentioned extensions. And by manually reviewing updates to existing extensions, the Firefox Add-ons system would also thwart developer account hijacking attacks like those that have compromised several legitimate Chrome extensions recently.


Unfortunately, as Makyen pointed out in the comments below, this difference no longer exists: as of a few months ago, Firefox Add-ons has moved to a semi-automated extension review process, just like the one Chrome Web Store is using.

In the linked blog post, the change has been motivated by "the new WebExtensions API [being] less likely to cause security or stability problems for users." Unfortunately, that reasoning does not really convince me: WebExtensions — even pure content script extensions like SOUP — can do plenty of damage in the hands of a malicious actor.

Just the content script API basically gives an extension free access to every web page you visit and every password or credit card number that you type in. Sure, when you install the extension, you'll be told about the sites it may run content scripts on — but so many extensions (including ad blockers, privacy extensions, etc.) already require the ability to inject scripts on every site that few users will pay any attention to that warning, even if they understand what it means.

Just a week after the announcement linked above, two extensions with embedded bitcoin miners were already spotted on Firefox Add-ons. So it seems that, when it comes to extensions, the former security advantage of Firefox over Chrome is now just nostalgia. :(

Ilmari Karonen
  • I agree that there used to be a *significant* difference. Unfortunately, [Mozilla's policies for add-on review have changed](https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/). The review for listing on AMO is now fully automatic/programmatic, not manual (for WebExtensions based add-ons). Mozilla has stated that some *subset* of add-ons will be manually reviewed *after* being listed. They have stated that they are unwilling to expose to users the current state of any add-on having been, or not been, manually reviewed. – Makyen Nov 28 '17 at 19:07
  • Are WebExtension add-ons safer than the legacy ones? – Ooker Nov 29 '17 at 01:01
  • Reading this made me so happy that Mozilla actually put so much effort into reviewing extensions. For the first time in years, the thought of donating to them popped up in the back of my mind... then I got to the end of your post and saw that they did away with such a detailed review... For shame, Mozilla. – forest Dec 26 '17 at 12:34
9

Yes.

There can be a legitimate reason:

  • Chrome extensions are always automatically updated.
  • Firefox extensions are not required to be auto-updated.

This means that if the account of the developer of any Chrome extension with "read your information on all websites" permission gets compromised, the thief can push out malicious code around the world very quickly[1]—and all sorts of accounts, from emails to bank accounts, would be at risk. Allowing the user to update at a slower and less-predictable pace makes it (1) more likely that by the time the update is done, the malicious code will have been spotted and removed, and also (2) that the attack itself would be less likely to be attempted due to the caveat in (1).

Now, I have no idea if this is your company's reason. In my experience, people (and even Google) seem to forget about this threat and/or brush this threat of developer compromise under the rug (and in my opinion, dangerously incorrectly so). However, it is a legitimate concern, and I believe it is only a matter of time before dangerous malware spreads globally via forced auto-update.

[1] Don't be too naive in how you think about this. If you're thinking "but they run automated tests" or "but they stagger the updates" or [whatever], realize that malicious code need not show signs of malicious activity immediately, especially not network activity. It can simply lie dormant while the update is being pushed out, then set to activate sometime later, and after the simultaneous global activation, it can send credentials from a ton of users and websites back to its mother ship before it is caught and disabled.

user541686
  • More importantly, every Firefox extension update is manually reviewed before being published. – OrangeDog Nov 28 '17 at 14:51
  • This is an interesting answer. However, there seem to be ways to [disable update of extensions](https://stackoverflow.com/questions/27657617/how-to-disable-google-chrome-extension-autoupdate). – Alexei Nov 28 '17 at 19:05
  • @Alexei: The point is not just disabling updates entirely, the point is being able to choose when to update each extension. If you go through the trouble of cloning the extension and disabling updating in the manifest of your local clone (mind you, this is too painful to be practical for those not already familiar with Chrome extensions, or for anyone who doesn't feel like doing it over and over again for each of their 20 extensions), then you'll have to reinstall the extension to update it, which is hardly something users will want to go through (*especially* not if it erases their settings). – user541686 Nov 28 '17 at 19:12
  • @OrangeDog [Mozilla changed their add-on review procedure in September](https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/). Firefox add-ons are now listed after only an automatic/programmatic review (for WebExtensions based add-ons; i.e. compatible with FF57+). A manual review will be performed on only a subset of all new add-on versions, but only *after* the add-on has been listed on AMO. – Makyen Nov 28 '17 at 19:16
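The two properties argued over in the last two answers, how much of the web an extension can read (Ilmari Karonen's point about content scripts and host access) and where its automatic updates come from (user541686's point about forced auto-update, and the `update_url` discussion in the comments), can both be read straight off an extension's manifest.json. The Python script below is an added example, not code from the original thread or from any extension mentioned in it: the two manifests it audits are constructed samples, and the high/medium/low risk labels are this example's own rating scheme, not a Chrome or Mozilla classification.

```python
"""Audit a WebExtension manifest (Chrome or Firefox, MV2 or MV3) for two things:
how much of the web it can read, and where its automatic updates come from."""
import json
from typing import Any, Dict, List

# Match patterns that grant access to every site; Chrome and Firefox share this grammar.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(value: str) -> bool:
    """Host patterns look like scheme://host/path; plain API permissions ("tabs") do not."""
    return value == "<all_urls>" or "://" in value


def covers_all_sites(pattern: str) -> bool:
    """True if the pattern has a wildcard host, i.e. the extension can run on any site."""
    if pattern in ALL_SITES:
        return True
    if not is_host_pattern(pattern):
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise an already-parsed manifest.json."""
    requested: List[str] = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    host_perms = [p for p in requested if is_host_pattern(p)]
    api_perms = [p for p in requested if not is_host_pattern(p)]

    script_sites: List[str] = []
    for script in manifest.get("content_scripts", []):
        script_sites.extend(script.get("matches", []))

    # Chrome Web Store packages carry Google's update feed in the top-level update_url;
    # self-hosted Firefox add-ons declare theirs under the gecko settings block.
    gecko = ((manifest.get("browser_specific_settings") or {}).get("gecko")
             or (manifest.get("applications") or {}).get("gecko") or {})
    update_url = manifest.get("update_url") or gecko.get("update_url")

    everywhere = sorted({p for p in host_perms + script_sites if covers_all_sites(p)})
    if everywhere:
        risk = "high"    # can read and modify every page, including login and card forms
    elif host_perms or script_sites:
        risk = "medium"  # page access limited to the named sites
    else:
        risk = "low"     # no page access at all
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "api_permissions": api_perms,
        "host_permissions": host_perms,
        "content_script_sites": script_sites,
        "all_sites_access": everywhere,
        "update_url": update_url,
        "risk": risk,
    }


def audit_manifest_text(text: str) -> Dict[str, Any]:
    return audit_manifest(json.loads(text))


# Constructed sample: a JSON-viewer style extension as packaged for the Chrome Web Store.
SAMPLE_VIEWER = json.dumps({
    "name": "Example JSON Viewer",
    "version": "1.4.0",
    "manifest_version": 2,
    "permissions": ["storage", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["viewer.js"], "run_at": "document_end"}],
    "update_url": "https://clients2.google.com/service/update2/crx",
})

# Constructed sample: a narrowly scoped add-on with no self-hosted update feed.
SAMPLE_NARROW = json.dumps({
    "name": "Example Intranet Helper",
    "version": "0.3",
    "manifest_version": 2,
    "permissions": ["activeTab"],
    "content_scripts": [{"matches": ["https://intranet.example.com/*"], "js": ["helper.js"]}],
    "browser_specific_settings": {"gecko": {"id": "intranet-helper@example.com"}},
})

if __name__ == "__main__":
    for text in (SAMPLE_VIEWER, SAMPLE_NARROW):
        report = audit_manifest_text(text)
        print(f"{report['name']} {report['version']}: risk={report['risk']}, "
              f"everywhere={report['all_sites_access']}, update_url={report['update_url']}")
```

Run against the manifest.json of each installed extension (under the browser profile's extensions directory), this turns the install-time permission prompt that Ilmari says nobody reads into a list a security team can actually review: which extensions reach every page, and which of them will silently pull a new version from a remote feed.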
8

Perhaps in your company there were users who had malware or stolen data troubles because of Google Chrome extensions.

Happened to me so I won't discount it.

I don't know about Firefox extensions, but I have found malware in a Chrome extension which was manipulating my browser output. I investigated it on my own and reported it to Google but nothing happened. On the surface it was a very useful plugin that allowed me to have a separate session in each tab for the same domain.

So in my personal experience, Google is bad at monitoring / moderating apps / extensions. Every single plugin you have in your Chrome is capable of many dangerous things.

a20
  • Just to let you know, Firefox has had a built-in feature (enabled via the Multi-Account Containers add-on, which adds a GUI to it) to do that. – wizzwizz4 Nov 28 '17 at 17:59
  • Firefox was really hogging my memory the last time I used it ~3 years back. Is that still the case? Chrome has managed to find a pretty decent niche in my workflow so I'd be very reluctant to move from it. – a20 Nov 29 '17 at 05:00
  • You've caught it at a great time; they've recently completely reprogrammed the majority of the code (including ~95% of the backend, the whole rendering engine etc.) to be faster and have a lower memory footprint. They've also rolled out features such as e10s to the main branch. Basically, there's now a process for the UI (one for each window?) and one for each tab, and very little code bloat. – wizzwizz4 Nov 29 '17 at 16:37
  • For most non-Google sites (which Chrome beats it at for obvious reasons) Firefox is faster. In fact, there is one Google site (I'm not certain which, but Gmail comes to mind) which Firefox is faster at. Plus, the multi-process thing means you can set the process priority of _individual tabs_, which is nice. – wizzwizz4 Nov 29 '17 at 16:39
1

It is possible it relates to the tooling available to the security team. A team may have access to tools to manage and vet or even just report on extensions for one of the browsers but not the other at this time.

I don't think that's likely to be your situation, but it is a legitimate reason for a policy that seems to discriminate against a particular browser for no other apparent reason. I know Chrome, in particular, does have an administration package available for Windows Domain administrators that allows admins to see and set a number of security options, but that doesn't mean the security team has been able to set up these tools. I suspect Firefox has something similar, but I'm not up on Mozilla's tooling for this at the moment.

Joel Coehoorn
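Joel Coehoorn's point about administration tooling can be made concrete. Both browsers accept a managed policy that blocks every extension except an allowlist and turns off account sync, which is exactly the middle ground the comments on the question suggest (a short list of approved extensions). The script below is an added example, not code from the thread or from either vendor; it assumes the Chrome policy keys `ExtensionSettings` and `SyncDisabled` and the Firefox policies.json keys `ExtensionSettings` and `DisableFirefoxAccounts` (Firefox's policy file mechanism is newer than this thread), and the extension IDs and blocked-install message it uses are constructed placeholders.

```python
"""Build managed policies that block all extensions except an allowlist and disable
account sync, for both Chrome (managed policy JSON) and Firefox (policies.json)."""
import json
import re
from typing import Any, Dict, List

# Chrome Web Store IDs are 32 characters drawn from a-p.
CHROME_ID = re.compile(r"^[a-p]{32}$")
# Firefox add-on IDs are either a GUID in braces or an email-like string.
GECKO_ID = re.compile(r"^(\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}|[^@\s]+@[^@\s]+)$")

# Constructed placeholder text shown to users who try to install anything else.
BLOCK_MESSAGE = "Extensions must be approved by the security team."


def _check_ids(ids: List[str], pattern: "re.Pattern[str]", kind: str) -> None:
    """Refuse to emit a policy containing malformed IDs; a typo here silently allows nothing."""
    bad = [i for i in ids if not pattern.match(i)]
    if bad:
        raise ValueError(f"not valid {kind} extension IDs: {bad}")


def _extension_settings(allowed: List[str]) -> Dict[str, Any]:
    """'*' blocks everything; each listed ID may be installed by the user."""
    settings: Dict[str, Any] = {
        "*": {"installation_mode": "blocked", "blocked_install_message": BLOCK_MESSAGE},
    }
    for ext_id in allowed:
        settings[ext_id] = {"installation_mode": "allowed"}
    return settings


def chrome_policy(allowed: List[str], disable_sync: bool = True) -> Dict[str, Any]:
    _check_ids(allowed, CHROME_ID, "Chrome")
    policy: Dict[str, Any] = {"ExtensionSettings": _extension_settings(allowed)}
    if disable_sync:
        policy["SyncDisabled"] = True  # no Google account data sync
    return policy


def firefox_policy(allowed: List[str], disable_accounts: bool = True) -> Dict[str, Any]:
    _check_ids(allowed, GECKO_ID, "Firefox")
    policies: Dict[str, Any] = {"ExtensionSettings": _extension_settings(allowed)}
    if disable_accounts:
        policies["DisableFirefoxAccounts"] = True  # Firefox Sync requires a Firefox Account
    return {"policies": policies}


def render(policy: Dict[str, Any]) -> str:
    return json.dumps(policy, indent=2, sort_keys=True)


# Constructed placeholder IDs; replace with the IDs of the extensions actually approved.
APPROVED_CHROME = ["abcdefghijklmnopabcdefghijklmnop"]
APPROVED_FIREFOX = ["json-view@example.com"]

if __name__ == "__main__":
    # On Linux, Chrome reads managed policy from /etc/opt/chrome/policies/managed/*.json and
    # Firefox reads distribution/policies.json inside its installation directory.
    print(render(chrome_policy(APPROVED_CHROME)))
    print(render(firefox_policy(APPROVED_FIREFOX)))
```

On Windows the same keys are delivered through Group Policy or the registry rather than a JSON file, but the allowlist shape is identical. Applying the Firefox half is what closes the gap the question describes: a portable Firefox is not subject to a policy file that lives in the managed installation, so the control is only as good as the restriction on running unapproved binaries.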
1

Are there objective reasons to not allow Google Chrome extensions, but to allow Firefox extensions?

Objectively, Mozilla has a sturdier process for deploying an add-on than Chrome.

Objectively, Chrome extensions got breached recently (social engineering is platform independent, though).

Objectively, Chrome has a way higher usage share. Wanna target a popular OS? Target Windows. Wanna target a popular browser? Target Chrome.

You probably shouldn't keep using those add-ons without explicit permission but I do believe Chrome extensions are, in a way, less secure than Mozilla add-ons.

darkmoon
  • Social engineering is platform-independent, but it's less of an issue if Firefox accounts get breached as every single add-on (_every_ add-on without exception now, though there was a time where there was a trusted list for updated versions of certain add-ons) goes through a mandatory fine-toothed-comb review process that catches innocent mistakes, not to mention blatant malware (obfuscated or no). – wizzwizz4 Nov 29 '17 at 16:41