Tech

Mozilla announces ban on Firefox extensions containing obfuscated code

Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a focus on security issues.

Written by Catalin Cimpanu, Contributor May 2, 2019 at 9:48 a.m. PT

Mozilla announced plans today to ban Firefox extensions from its Add-ons portal if the extension contains obfuscated code.

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

The ban will enter into effect on June 10, at which point Mozilla plans to remove all Firefox extensions that don't meet this criteria and shoot down any future extension submissions that fail to provide full access to their source code.

Google also banned obfuscated extensions

The move comes after Google announced a similar policy for Chrome extensions in October last year, which entered into effect on January 1, 2019.

When it took its decision, Google engineers said that around 70 percent of all the malicious Chrome extensions the company was actively blocking had used code obfuscation techniques.

For non-technical users, obfuscation is the deliberate act of writing source code that is difficult for humans to understand. Common obfuscation techniques include naming variables in a meaningless or deceptive way, making code look like comments and vice-versa, repeating code blocks, and others.

Obfuscation should also not be confused with minified (compressed) code. Minification or compression, refers to the practice of removing whitespace, newlines, or shortening variables for the sake of performance.

Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time, and using it in the first place has no performance benefits --with its main benefit being of hiding malicious code from source code reviewers.

"We will no longer accept extensions that contain obfuscated code," said Caitlin Neiman, Add-ons Community Manager at Mozilla.

"We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included. If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked."

Mozilla getting tougher on shady extensions

Besides blocking obfuscated code, Neiman also announced that starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies.

"We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.

"We will be casting a wider net, and will err on the side of user security when determining whether or not to block," she added.