Defending against Firefox extensions that may spy on you

Arguably the best thing about Firefox, the thousands of available extensions, is a double-edged sword.

Like most Firefox users I have a handful of extensions that I could not live without. It's what keeps me using the browser despite the many advantages of Google's Chrome.

But the downside of extensions came to light recently with the revelation that the Ant Video Downloader and Player secretly tracked every visited website. 

Surprisingly, this got very little traction in the press. I ran across it in a May 20th article by Dan Goodin in The Register.

The secret tracking was discovered by Simon Newton who first wrote about it on May 10th. He found that every time he went to a web page, either on the public Internet or on a private Intranet, his Firefox browser was contacting a computer named rpc.ant.com and sending it the name of the currently displayed web page. He writes 

 ... this addon is in fact, contrary to their published privacy policy, clandestinely collecting data about every site that the addon users visit (not just ant.com or video sites) and specifically tying this back to you via a cookie and what appears to be a unique identifier, aka Ant-UID. This happens in regular browsing, browsing on your corporate VPN, ‘Private browsing’ mode and browsing via proxies or anonymising services such as Tor, completely bypassing many layers of anonymity and security afforded by services such as proxies, Tor and corporate VPNs. This is beyond normal cookie or LSO tracking – this is where the plugin itself is ‘phoning home’ to ant.com every time I visit any website.
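What Newton describes is a detectable pattern: a host that is contacted after every navigation, regardless of which site was visited, with the current page URL in the request and a stable identifier in a cookie. The script below is an added example, not part of the original article or Ant's code. It runs over a constructed browser request log (modelled on his description, using the rpc.ant.com host name and the Ant-UID cookie he named; the intranet and ad-network hosts are made up) and reports third-party hosts that see every page visit, including intranet pages. Ordinary ad trackers, which only appear on the public sites that embed them, are not flagged, which is the distinction Newton drew.

```python
"""Detect a browser add-on that phones home on every page visit.

Added example (not from the article). The log below is constructed to
mirror the behaviour Simon Newton described: after every navigation a
request goes to rpc.ant.com carrying the visited page's URL and an
Ant-UID cookie. Real-world input would be a proxy or HTTP-debugger log
converted to the same simple line format.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed log, one request per line:
#   <seq> <NAV|GET> <url> referer=<url|-> cookie=<name=value|->
# NAV marks a top-level page load; the GETs that follow belong to it.
LOG = """\
1 NAV https://www.computerworld.com/ referer=- cookie=-
2 GET https://www.computerworld.com/style.css referer=https://www.computerworld.com/ cookie=-
3 GET https://rpc.ant.com/track?url=https%3A%2F%2Fwww.computerworld.com%2F referer=- cookie=Ant-UID=abc123
4 GET https://ads.example-adnetwork.test/pixel.gif referer=https://www.computerworld.com/ cookie=-
5 NAV http://intranet.corp.local/wiki/Secret referer=- cookie=-
6 GET https://rpc.ant.com/track?url=http%3A%2F%2Fintranet.corp.local%2Fwiki%2FSecret referer=- cookie=Ant-UID=abc123
7 NAV https://www.theregister.co.uk/ referer=- cookie=-
8 GET https://www.theregister.co.uk/logo.png referer=https://www.theregister.co.uk/ cookie=-
9 GET https://rpc.ant.com/track?url=https%3A%2F%2Fwww.theregister.co.uk%2F referer=- cookie=Ant-UID=abc123
10 GET https://ads.example-adnetwork.test/pixel.gif referer=https://www.theregister.co.uk/ cookie=-
"""


def parse_log(text):
    """Yield (method, url, referer, cookie) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _seq, method, url, ref, cookie = line.split()
        yield method, url, ref.split("=", 1)[1], cookie.split("=", 1)[1]


def group_visits(records):
    """Group requests under the top-level navigation that preceded them."""
    visits = []
    for method, url, _referer, cookie in records:
        if method == "NAV":
            visits.append({"page": url, "requests": []})
        elif visits:
            visits[-1]["requests"].append((url, cookie))
    return visits


def carries_page_url(request_url, page_url):
    """True if the visited page's URL appears (percent-decoded) in the query string."""
    query = parse_qs(urlparse(request_url).query)
    return any(page_url in value for values in query.values() for value in values)


def find_phone_home(log_text):
    """Return third-party hosts contacted on *every* visit that also receive
    the page URL or a cookie identifier: {host: summary}."""
    visits = group_visits(parse_log(log_text))
    stats = defaultdict(lambda: {"visits": set(), "leaked": [], "cookies": set()})
    for idx, visit in enumerate(visits):
        page_host = urlparse(visit["page"]).hostname
        for url, cookie in visit["requests"]:
            host = urlparse(url).hostname
            if host == page_host:
                continue  # first-party traffic is expected
            entry = stats[host]
            entry["visits"].add(idx)
            if carries_page_url(url, visit["page"]):
                entry["leaked"].append(visit["page"])
            if cookie != "-":
                entry["cookies"].add(cookie.split("=", 1)[0])
    flagged = {}
    for host, entry in stats.items():
        # Seen on every navigation (need at least two to mean anything) ...
        everywhere = len(visits) >= 2 and len(entry["visits"]) == len(visits)
        # ... and told where we went, or tagged us with an identifier.
        if everywhere and (entry["leaked"] or entry["cookies"]):
            flagged[host] = {
                "visits": len(entry["visits"]),
                "total_visits": len(visits),
                "leaked_urls": entry["leaked"],
                "cookies": sorted(entry["cookies"]),
            }
    return flagged


if __name__ == "__main__":
    for host, summary in find_phone_home(LOG).items():
        print(f"{host}: contacted on {summary['visits']}/{summary['total_visits']} visits, "
              f"cookies={summary['cookies']}, leaked={summary['leaked_urls']}")
```

On the constructed log only rpc.ant.com is reported: it appears in all three visits, receives each page's URL (including the intranet page) and sends the Ant-UID cookie, while the ad network is absent from the intranet visit and carries no page URL in its query. The threshold of "every visit" is deliberately strict; a looser one (say, most visits plus a leaked URL) would catch an add-on that throttles its beacons, at the cost of more false positives from common widgets.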

At the ANT website they say "The source code is systematically reviewed by an independent Mozilla contributor before it is given to the public. It is the same process for every add-on. So you know our add-on is 100% safe."

Part of Defensive Computing is knowing who to trust. My first question was, who or what is Ant? On their website, they go out of their way not to say who they are.

Every computer user should be wary of accepting software from strangers.  

When The Register's article was written the Ant Video Downloader was available with no warning. Shortly thereafter, Mozilla removed the extension. Now, it is available again, but it's rated as experimental.

After this got publicized, Ant issued a rebuttal.

BIGGER PICTURE

Taking a step back, let's consider the bigger picture.  Goodin says

The larger lesson here is that just because a Firefox add-on has been subjected to Mozilla's official vetting process there is no guarantee it doesn't do things that many users consider to be invasions of their privacy. With at least 5,000 add-ons hosted on its site, it wouldn't be shocking to find out that Ant Video isn't the only extension that comes with a few nasty surprises.

Mozilla's vetting is supposed to ensure that Firefox extensions are "clearly and accurately described" and that all privacy and security concerns are clearly spelled out. Clearly, the vetting isn't perfect, but what is?

Also, there is no need to limit this to Firefox.

Although I haven't developed a Chrome extension, I suspect that the situation is analogous with Google's browser, that is, that a Chrome extension can also spy on you.

Ditto ActiveX controls inside Internet Explorer. Heck, a Browser Helper Object installed into IE runs inside Windows Explorer, even with Internet Explorer shut down.

DEFENDING YOURSELF

Obviously the best defense against rogue browser extensions is to run a browser with no extensions.

But who wants to do this all the time? You may want a secure browser sometimes, but most people would not want to use it all the time. Many of us are, after all, addicted to our favorite extensions.

The good news, at least for Windows users, is that they can have their cake and eat it too.

Thanks to the portable edition of Firefox, you can maintain two or more totally independent copies of the browser. This is what I do to occasionally kick the tires on Firefox 4 while still using version 3.6 most of the time. The same strategy can be used to have one copy of Firefox chock full of extensions, while another one is unsullied.

While a single copy of Windows can host only one normally installed instance of Firefox, it can also host one or more portable editions. The only restriction is that you can run only one of them at a time.

I've been using the portable edition of Firefox for so long, I see no need for a normally installed copy. Not only do I like the flexibility of having both versions 3.6 and 4 available, I love the fact that I can back up the browser and copy it to other PCs.

The exact same strategy can also be employed using the portable edition of Chrome, but there is a gotcha.

While the portable edition of Firefox self-updates in exactly the same way a normally installed copy does, this is not true with portable Chrome. Frankly, keeping a portable copy of Chrome up to date with patches is a pain. There are two approaches, and neither is consistent with the way a normally installed copy of Chrome updates itself.

For an entirely different approach, check out Nir Sofer's CurrPorts program to see every network connection between your computer and the outside world.

CurrPorts is free, portable and a bit techie. It runs under pretty much every version of Windows (XP, Server 2003, Server 2008, Vista, 7 and even NT, 2000, 98 and ME) and comes in 32 and 64 bit editions. 

[Screenshot: CurrPorts watching Chrome]

The problem is that so many web pages include ads and tracking from other domains that making sense of all the connections can be difficult. In the screen shot above, you can see the connections used by the Computerworld home page. 

Of course, even a portable browser with no extensions can track you via legacy cookies, Flash cookies, HTML5 storage and more. Perhaps the best defense here is to run your browser in a Sandboxie sandbox. Highly recommended (I wrote about Sandboxie recently).
