Firefox Extension Guru’s Blog

Warning: This extension should only be used if you are using/testing nightly builds and/or betas.

Note: This extension is not hosted on Mozilla’s Firefox Add-Ons, but I have deemed this extension and its source as trustworthy.

At some point I downloaded a milestone version of Gran Paradiso (Firefox 3.0a1) which caused me to no longer get the Minefield nightly builds. I really didn’t want to go digging through the Mozilla FTP, download and install the nightly, so I thought I could go into about:config and change the app.update.channel setting to nightly. Of course this seemed too easy, change the setting and I would get start getting the nightly builds again. Turns out that was too easy, doesn’t quite work that way. What I needed to do was get the Update Channel Changer extension. The extension allows you to change your update channel to one of the following:

• release: The release channel will provide stable release versions, including security updates (e.g. Firefox 2.0, 2.0.0.1, etc. and their release candidates).
• beta (milestone): The beta channel lets you receive every beta, release candidate, and release version of the product (e.g. Firefox 2.0.0.2 beta 1, Firefox 2.0.0.2 RC 1, Firefox 2.0.0.2, etc.).
• nightly: The nightly channel allows you to update to every nightly test build that is produced. There are nightly channels for the trunk, and the Mozilla1.9a2 branch.
• default: This channel is used when there is no channel information, for example if you build Firefox or Thunderbird yourself. There are no updates on this channel.

Once installed you will need to restart Firefox and then select via the Help Menu, Check For Updates. Firefox will check for updates on the current update channel and if there are none will display “There are no new updates available”. At that point a new option, Change Update Channel will appear in the box.

After I installed the extension and restarted my Gran Paradiso 3.0a1 build I was able to download the current nightly for Minefield 3.0a2!

Information Source: mozillaZine

Jesse Ruderman, a contributor for Firefox security topics, released an article providing security tips for a Firefox users. His recommendations include:

• Set Firefox to automatically install updates.
• Keep plugins such as Flash, QuickTime, Adobe Reader and Shockwave up to date.
• Only download and install software (including extensions) from trustworthy sources.
• Double check the location bar to ensure you are where you are supposed to be. Specially when you are at sites where sensitive data is exchanged like financial sites.
• Use anti-virus software

The full article provides more details on these recommendations as well as some very useful tips for avoiding phising and ID theft.

While I agree with almost all of the above tips, I am a bit uneasy allowing Firefox to automatically install updates. I suppose for basic users this is a good idea, but I prefer to have control when Firefox is updated. Now keep in mind I usually install updates shortly after they are offered, I just don’t want to be in the middle of something (such as a blog entry) and Firefox updates itself.

Furthermore, as Ryan has pointed out and asked on the CyberNet Forum:

“Does this mean that Mozilla tests all extensions that they post on their addons page? That would be a lot of work to make sure none of the extensions do anything unknowingly.”

I provided a much more detailed answer on the forum, but in summary I do think the extensions on Firefox Add-ons are tested. However, I pointed out some the extensions I have recommended (ChromEdit Plus, Nightly Tester Tools, etc.) are not listed/hosted on the Firefox Add-ons page. Now, this begs the question, “How do we know that these extensions are coming from a trustworthy source?”

I suppose the answer to this is that it is up to expert users such as myself to make that judgment call. Before I post any recommendations or links for extension not listed/hosted on Firefox Add-ons, I have downloaded and tested to make sure the extensions (as well as the sources) are safe. I suppose Jesse’s recommendation are more intended for the basic/casual Firefox user who may not be aware of the dangers.

I’ve been using Firefox for almost 2 years now (I downloaded Firefox 1.0 back on Christmas 2004) and I thought I knew everything there was to being safe while browsing with Firefox. However, the article points out a very serious security vulnerability, known as Browser chrome spoofing. This is when a site opens a link/page in a new window, they can hide the address bar (this is a purposed Firefox 3 fix) and instead display a spoofed address bar. The spoofed address bar displays the address of a legitimate site, but in reality the real address bar with the fake address is hidden. There are several ways you can protect yourself:

• Force Firefox to open links/page in new tab. This will prevent the address bar from being hidden.

Firefox 1.5.0.X: From Tools menu, select Options… then go to Tabs. Check the option ‘Force links that open new windows to open in” and be sure a new tab is selected as well.

Firefox 2.0.0.X: From Tools menu, select Options… then go to Tabs. For the option “New pages should be opened in:” select a new tab.

• If a new window is opened, check your bookmark toolbar (below the address bar) first. If it is missing or does not look the same as your main window, chances are you have been redirected to a fake/spoofed site.
• Via about:config, change dom.disable_window_open_feature.location to true
• If you know you are suppose to be on a secure site (https), check the status bar at the bottom of the screen, it will display the hostname next to the padlock icon. If this is missing or incorrect you are not on a secure or correct site
  

News Sources: Mozilla Links & Security tips for Firefox users