When I install an add-on to Firefox, choosing it from the ones I find by using the Tools / Add-ons menu, sometimes after a few days Avast pops up a warning that the add-on is "unreputable" and strongly recommends and offers to remove it.

Of course malicious add-ons could potentially steal my passwords, intercept anything I type in that browser and do horrible things in general, so when I see such warnings I don't think twice and I just remove the add-on, but it's becoming too frequent and annoying, and it surprises me a lot that apparently Avast knows so much better than Mozilla about unreputable Firefox add-ons.

If Avast discovers malice in an add-on and lets the world know and even offers to remove it, why does Mozilla at the same time happily keep offering the add-on for a long time? I had some that Avast recommended I remove many months ago and that are still offered in FF. Mozilla might even offer add-ons that were never checked at all, see this answer, but how is that possible if add-ons are potentially so dangerous? I'm also curious about how common successful attacks via FF add-ons are.

Also, if it's so common that FF add-ons that keep being offered in FF are unreputable, I would have a good deal of worrying to do about the past, because I kept "unreputable" add-ons installed for a while before Avast found them.

SantiBailors
  • New add-on is not accepted in the store for lack of reputation. Can't get reputation because nobody can install the add-on. Do you see the problem here? –  Jun 18 '19 at 05:05
  • Lack of reputation is not the same as being malicious. It is just that it is not specifically known to be good (and also not known to be bad). Of course the risk is higher with add-ons lacking any reputation compared to add-ons with a good reputation, but it is lower compared to add-ons with an explicitly bad reputation. Nothing in your question actually suggests that Avast considers the specific add-on to be actually malicious, but it seems to be only you who thinks that no reputation is the same as malicious and then you draw further conclusions from this interpretation. – Steffen Ullrich Jun 18 '19 at 05:31
  • @SteffenUllrich To me it's not that "no reputation is the same as malicious", obviously. It's that "unreputable" is the same as malicious. And that's because to me "unreputable" meant "with a bad reputation", not "not known to be good or bad". If it turns out that your interpretation of "unreputable" is correct, that would be the answer to my question. – SantiBailors Jun 18 '19 at 06:23
  • @SantiBailors Mozilla used to manually vet the source code of each and every extension they allowed into their store. They'd even fix any security bugs that they find. They no longer do this however, and instead rely on static analysis with automated tools, which is not particularly effective. – forest Jun 18 '19 at 07:35
  • @SantiBailors: I'm not a native English speaker but from my research it looks like the meaning of *unreputable* is not really clear and the word is also not much used. See also [this discussion](https://en.wikipedia.org/wiki/Wikipedia_talk:WikiProject_Fact_and_Reference_Check/Archive_5#Nonreputable_vs._unreputable), which also talks about similar but slightly different words like *disreputable* and *nonreputable*, where the first is more in the direction of bad reputation while the second is more like no reputation. – Steffen Ullrich Jun 18 '19 at 07:35
  • @SteffenUllrich I see, I'm not a native English speaker either and I understand the potential for confusion. However at this point I would say that it doesn't matter what "unreputable" "means" in English but what Avast means by "unreputable". Maybe that's what I should be asking. Anyway Avast does recommend removing those add-ons; but maybe it's because they know that Mozilla is not committed to checking all the add-ons so maybe Avast's approach is actually "no reputation = risky" because of the lack of checks. – SantiBailors Jun 18 '19 at 08:30
  • @SantiBailors If Avast actually uses the word "unreputable" then for the reasons Steffen mentions, it's a poor choice of words. If you do contact them, it may be worth mentioning it (assuming they _do_ mean "it's too new to have built any reputation", then "_Reputation: none_" or "_Reputation: unknown_" would be better). Their recommendation to remove it is probably more to be "_better safe than sorry_" than specifically because Mozilla no longer check things by hand. – TripeHound Jun 18 '19 at 11:06
  • @TripeHound But if they feel the need to be "_better safe than sorry_" it must be because they have specific reasons for concern, otherwise their recommendation would be equivalent to "don't install any add-on at all". And in my understanding that reason for concern is that Mozilla don't check the add-ons they offer; initially I thought the reason for concern was that they found malicious code in the add-ons they recommend to remove, but it seems this is not the case. Next time I get such warning I will post it here, to see exactly how they use the word "unreputable". – SantiBailors Jun 18 '19 at 11:41
  • @TripeHound The screenshot in the first post (the question) of [this](https://forum.avast.com/index.php?topic=208239.msg1418656#msg1418656) topic in Avast forum shows how Avast uses the word "unreputable" in the dialog I'm talking about. – SantiBailors Jun 18 '19 at 14:14
  • @SantiBailors Not having used Avast, I don't know whether they are trying to say "Disreputable" (=known to have a bad reputation) or "No reputation" (=not enough is known about it to say one way or the other). If they mean the first, then the recommendation to remove it is clearly justified. If they mean the second, then it's a "safe than sorry" ... it's too new, and/or not enough people have used it for them to have received enough good/bad reports to be sure. In the absence of positive reputation, the _safe_ thing is to remove it (but they don't know whether it's _necessary_ to remove it). – TripeHound Jun 18 '19 at 14:48

0 Answers