Firefox Extensions Security

[spacesurfer]

I was a fan of IE7 until Firefox 3 came out. It's a great browser and the extensions available make it worthwhile.

However, after using it for some time, I just happened to question the legitimacy of some extensions that can notify you if you have new email.

For example, I was using the extension called GMail Manager to check my gmail emails periodically. It's a great extension. But then I started to wonder: How do I know that the password I supply is not being stolen by the author of the extension? I mean, who is to say they aren't doing that? How do we ensure the extension that require our passwords are safe to use?

There are many others out there other than GMail Manager.

Hummm.... any have similar doubts? I've disable this extension for now... I'd rather just sign in to Gmail and check my mail.

[CoffeeFiend]

Long story short: you don't really... It comes down to trust.

Same for any application you install on your computer. You have to trust them to not do anything malicious. For all you know, IE7 could be sending your browsing history to the FBI

The thing is, extensions aren't compiled, so you can look at the source code. Anything suspicious in any popular extension would quickly be found. And you can look at the web traffic it generates too (using a debugging proxy, or a network capture tool). So if some app/extension was stealing data, someone would quickly find out.

[DigeratiPrime]

If the extension just manipulates the data inbound to your pc but does not redirect it first through a proxy then it probably has not been intercepted by another party. Like crahak said the extensions are open source, javascript only I think, so you could scan through them to see how they work. Also like crahak said you could check that the packets are coming directly from Google in this case and not from some "man in the middle".

Web Messengers like Meebo though, do "borrow" your password in order for the service to work, but they disclaim this in their Privacy Policy.