1

As an 'extension' to earlier questions on this topic (for instance here and here),

  • What makes Firefox extensions (appear) more secure than Chrome extensions?
  • Do they just appear to be more secure, or are they really?

  • How do you define "secure"? "which is more secure?" is like asking "which girl is more beautiful?", unless you define the criteria you use to determine "secure". – MCW Aug 14 '14 at 11:20
  • @MarkC.Wallace There *are* ugly girls. – nutty about natty Aug 14 '14 at 13:49
  • Is it appropriate for me to ask a new question comparing 2018 Chrome and the Firefox Quantum rewrite (limiting users to NPAPI extensions), and the relative securities of each? I am unsure as to whether it would be more appropriate to write a new answer here, or to ask a new question on the topic, as it is effectively the same question. However, the accepted answer was right then, and is still right (when dealing with old fox and 2014 chrome), so in many ways my question is a new one. – wizzwizz2 Dec 30 '18 at 11:18
  • @wizzwizz2 I feel that a deep redesign of the security architecture of a new version of a program (even though the end user may not feel the difference) deserves asking a brand new Q. – curiousguy Aug 22 '19 at 00:21

2 Answers

7

Your assumption is incorrect: Firefox addons are not inherently more secure than Chrome extensions (though in terms of security, I attach more value to Firefox's official addon gallery (AMO) than the Chrome Web Store because all addons on AMO are manually reviewed).

Addons in Firefox are trusted by design; they can do anything that is allowed by the Firefox process. The worst-case scenario for installing a malicious Firefox addon is a re-install of your operating system to clean up the mess.

The Chrome extension APIs are very constrained, because the Chrome browser does not fully trust extensions (unlike Firefox). Chromium extensions typically cannot access any resources outside Chrome's sandbox without the user's approval. The worst-case scenario in Chrome is less severe than Firefox's (and also applicable to Firefox): All of your web browsing activities can be considered compromised.

Since most of us increasingly spend more time in the web browser than in native applications (e.g. internet banking, e-mail), it is a stupid act to install extensions that you cannot trust. Considering this view, Chrome extensions could be more secure because you have to consent to every newly requested permission upon installation/update. Firefox has not implemented any addon permission warnings, so when you install a Firefox addon, you should always mentally add a "This addon could access all data on your computer and the websites you visit" warning to the installation dialog.

On the other hand, because Firefox addons are more powerful, they can also integrate security features in a much better way than Chrome extensions. For example, to date it is not possible to create a NoScript equivalent in Chrome because of the limited extension API.

If you want to know more about Chrome's extension security design, I suggest reading:

Rob W
  • +1 for mentioning `NoScript` as an example to highlight one of the differences of FF vs. Chrome :-) – nutty about natty Aug 14 '14 at 13:35
  • I wonder if that line about NoScript equivalents is still true. The Chrome web store seems to have several noscript alternatives listed https://chrome.google.com/webstore/search/NoScript – Ajedi32 Mar 13 '15 at 14:23
  • @Ajedi32 The part about NoScript is still true. The Chrome APIs are simply not powerful enough to offer all features from Firefox's NoScript. – Rob W Mar 13 '15 at 14:27
  • At a glance it seems there are a number of APIs which could potentially be useful for implementing a NoScript plugin: https://developer.chrome.com/extensions/contentSettings https://developer.chrome.com/extensions/webRequest And the extensions shown in the link I posted in my previous comment seem to be able to prevent JavaScript execution. I haven't used NoScript before, so maybe I'm just confused: what features are those extensions lacking that NoScript has? – Ajedi32 Mar 13 '15 at 14:30
  • @Ajedi32 `contentSettings.javascript` applies to whole tabs only, it cannot be used to selectively disable JavaScript on domains in a (sub)frames. – Rob W Mar 13 '15 at 16:05
  • @RobW Right, I imagine that would be used for blocking JavaScript on a site entirely, whereas https://developer.chrome.com/extensions/webRequest would be used for more selective blocking of third-party JavaScript and such. – Ajedi32 Mar 13 '15 at 18:13
  • @Ajedi32 The webRequest API can only block requests. It cannot be used to selectively disable inline scripts. I have [proposed a patch for Chromium](https://groups.google.com/a/chromium.org/d/msg/blink-dev/bChX6leKqtg/Idut6cE4ORcJ) which allows extension developers to get more control over whether to execute a specific script, but it was not well-received. – Rob W Mar 13 '15 at 18:31
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/21920/discussion-between-ajedi32-and-rob-w). – Ajedi32 Mar 13 '15 at 18:50
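
The consent-on-update behaviour described in the answer above comes down to comparing the permission list of the installed version with that of the update. As an added example (not code from the answer or from Chrome), this Node.js script diffs two Manifest V2 `permissions` arrays and groups the newly requested entries; the tier names, the sample manifests and the `notes.example` host are assumptions of the example and do not reproduce Chrome's actual warning rules.

```javascript
// Rough risk tiers chosen for this example (assumption, not Chrome's warning logic).
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const BROWSING_DATA = new Set(['tabs', 'history', 'cookies', 'webRequest',
                               'webRequestBlocking', 'contentSettings']);

function classify(permission) {
  if (permission === 'nativeMessaging') return 'outside-browser'; // talks to a native host app
  if (BROAD_HOSTS.has(permission)) return 'all-sites';            // every page the user visits
  if (permission.includes('://')) return 'specific-sites';        // a host match pattern
  if (BROWSING_DATA.has(permission)) return 'browsing-data';
  return 'other';
}

// Manifest V2 keeps API permissions and host patterns in one "permissions" array.
function permissionsOf(manifest) {
  const list = Array.isArray(manifest.permissions) ? manifest.permissions : [];
  return new Set(list.filter((p) => typeof p === 'string'));
}

// Permissions present in the update but absent from the installed version.
function newlyRequested(installed, update) {
  const before = permissionsOf(installed);
  return [...permissionsOf(update)]
    .filter((p) => !before.has(p))
    .map((p) => ({ permission: p, tier: classify(p) }));
}

// Constructed sample manifests for a hypothetical extension.
const installedManifest = {
  name: 'Example Notes', version: '1.0', manifest_version: 2,
  permissions: ['storage', 'https://notes.example/*'],
};
const updateManifest = {
  name: 'Example Notes', version: '1.1', manifest_version: 2,
  permissions: ['storage', 'https://notes.example/*',
                'tabs', '<all_urls>', 'nativeMessaging'],
};

for (const { permission, tier } of newlyRequested(installedManifest, updateManifest)) {
  console.log(`update adds ${permission} (${tier})`);
}
```
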
1

Do they just appear to be more secure, or are they really?

While this is always changing with Firefox's continual drive to improve their security, many of their add-ons appear more secure than they are, mainly due to problems that haven't been discovered yet. Note the popular NoScript issues outlined in the following security article here. And other problems with Firefox add-ons discussed here. This isn't an attack on Firefox. Next week Chrome could be getting the same negative media attention.

Both teams develop their API (and API limitations) with end user security in mind. With new vulnerabilities being discovered frequently in cyber security research, at any given time one developer team may be ahead of the other.

I use both Chrome and Firefox and have a hard time sticking with just one because as soon as I do, I find a vulnerability in one that is fixed in the other.

jtlindsey