Firefox Extensions -- are they safe?

[Total Noob]

Open query:

I use Ubuntu 9.10.

I saw some interesting FireFox extensions (there are a handful of them) and installed them using the tabs within the browser for doing so.

I was surprised that they installed without me being asked for an installation password first, as customarily the case when installing Linux apps via the package manager or with programs obtained elsewhere.

I thought the supposed imperviousness of Linux to viruses was password/root protection before software could be installed, as opposed to Windows where bad stuff may install from email attachments or poisoned websites without the user having any idea it was doing that.

But with FireFox, apparently the Linux norm is bypassed somehow, and maybe it is allowing malware in under the same process. So is this a flaw in security?

I like the idea of package management because I assume that Canononical is checking the programs out before putting them in its repositories. I hope my assumption is correct.

I also know to use discretion when installing third party programs -- that it could be infected or just bad.

But now I don't know what to think about Firefox and its motives or its safety record, especially with its placement in the market somewhere between a large company's and some unemployed college kid working in his basement.

Is Firefox certifying the extensions before they allow them to go into its repositories? Is it taking responsibility if an app is poison? Why did it override the password protection?

Comments invited.

[kage]

Firefox extensions are installed locally into the user home directory and as such, do not require elevated privileged to be installed. Firefox does have a degree of security and extensions cannot automatically be installed without some interaction from the user.

Since the extensions are installed locally, they cannot compromise your operating system in the same way that Windows malware does, since they only have access to /home/$USER and not your entire system.

[Total Noob]

Quote:

Originally Posted by kage

Firefox extensions are installed locally into the user home directory and as such, do not require elevated privileged to be installed. Firefox does have a degree of security and extensions cannot automatically be installed without some interaction from the user.

When you say Firefox as a degree of security, does this mean that the manufacturer is verifying and our vouching for the extensions, as, say, Apple does with the iPhone apps?

Quote:

Originally Posted by kage

Since the extensions are installed locally, they cannot compromise your operating system in the same way that Windows malware does, since they only have access to /home/$USER and not your entire system.

OK, I don't know what you mean by "locally," but I accept the premise. Yet, does that mean that the Firefox extensions simply can't keylog, email out files by themselves, or do other noxious things like deleting data folders?

[kage]

Quote:

Originally Posted by Total Noob

When you say Firefox as a degree of security, does this mean that the manufacturer is verifying and our vouching for the extensions, as, say, Apple does with the iPhone apps?

What I said was Firefox has some built-in security to prevent extensions from being installed without the users permission (malicious installations).

For information on the process of creating an extension, take a look at this link. It is not easy to "slip something by" and push it via a Firefox extension.

Quote:

Originally Posted by Total Noob

OK, I don't know what you mean by "locally," but I accept the premise. Yet, does that mean that the Firefox extensions simply can't keylog, email out files by themselves, or do other noxious things like deleting data folders?

Technically Firefox extensions can have malicious properities, but Firefox has a rather large user base so if a Firefox extension were acting in a malicious way, people would be very vocal about it. Also, there is testing done on extensions before they are allowed to be downloaded.