Monday, March 06, 2006

Whining about Firefox not being Perfect in Every Way

A thread popped up a few days ago on BugTraq entitled "Evil side of Firefox extensions". The short story is that you can implement a Firefox extension to act as a keylogger. Not a big deal for really anyone except people who use public terminals running FF (which is awfully common at security conferences).

This got me thinking about my one huge complaint about Firefox extension developers: Nobody signs their extensions, ever. And a little Googling shows this complaint is neither novel nor new -- an apparently infamous Microsoft hit piece goes into this in some detail. But that was written a year and a half ago. Are things any better now?

Doesn't seem so -- I like Firefox extensions, but it just rubs me the wrong way when normal and popular extensions like FlashBlock, AdBlock, and GreaseMonkey are unsigned.

Reading the MozillaZine followup thread, though, makes it obvious that extension developers do not care about signing their extensions. In fact, some claim that it's impossible, for some reason.

So, the moral of the story is, feel free to implement your own awesome-cool onboard XSS exploit and perform some DNS trickery to ensure that a sizable fraction of AdBlock users get 0wned for a few hours (assuming people notice that quick).

By the way, the only signed extension I've ever seen is NetCraft's anti-phishing toolbar (which is basically a fancy advertisement for other NetCraft services).

Oh, and how do you actually go about signing XPIs? Well, give this a shot. It looks like it'll kinda sorta work.

Once I have my own XPIs together, I will get to the bottom of this signing fiasco!
