I arrived in Portland yesterday afternoon and I'm blogging today from the conference.
Once again, Tim gave a nice nod to Firefox in his O'Reilly Radar keynote. This time the focus was Firefox as a platform and the proliferation of Firefox extensions. Tim's been a big supporter of Firefox for quite a while now and we couldn't have a better ally.
Update: I missed Mike's Firefox platform talk yesterday.
I'll try to check in a few times over the next couple of days and let you all know about the goings on here.
Posted by: Anil | July 26, 2006 10:15 AM
"the focus was Firefox as a platform and the proliferation of Firefox extensions."
Um... yes... Asa, could you do a post on this:
http://www.techweb.com/wire/security/191101268
"An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee."
The page further claims that the fake extension somehow skips the confirmation window and just installs itself.
Mind you, they didn't put what versions of FF are affected and I suspect it's only for Windows.
But some official announcement would make me feel better :)
Posted by: Limulus | July 26, 2006 5:16 PM
From Mike's Firefox platform talk summary: "Firefox has created a rich platform for extensions -- not all of which are open source"
Would it be possible to list the license in the extension descriptions on addons.mozilla.org? (e.g. "GPL" or "restricted", with that word linked to the corresponding license text)
It might not be something the average user cares to know, but I could see that if Firefox was installed in a business setting that it would be important as far as the company would be concerned.
Also, it would be nice for that same info to be displayed in the "About" section for each extension in Firefox itself and/or when it's installed.
Posted by: Limulus | July 26, 2006 11:28 PM
> Um... yes... Asa, could you do a post on this:
The text says that the system has already been infected for this to happen.
Posted by: Anonymous | July 26, 2006 11:41 PM
From http://www.heise-security.co.uk/news/76019
"spam emails that purport to come from Wal-Mart. If the recipient opens the mail attachment while running a Windows operating system, the Trojan then installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. McAfee has dubbed the Trojan "FormSpy," although the company is still currently categorizing its distribution as low.
The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds."
OK, so it's Windows-only and it sounds like it's writing directly to the HD, rather than invoking Firefox (I was concerned that it was the latter).
As per http://developer.mozilla.org/en/docs/Enhanced_Extension_Installation (discussing Firefox 1.0), "Extensions can be installed into only two locations: [...] The Firefox user's profile directory [or] The Firefox application directory"
so one of those two dirs is what they're calling "the Firefox configuration data". Is there a way to protect those dirs from other apps?
Posted by: Limulus | July 27, 2006 6:46 PM
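Added example, not part of the original comments: the report quoted above says the Trojan records itself directly into the Firefox configuration data instead of going through the XPI confirmation prompt, so one way to notice that kind of change is to baseline an extension directory and diff it later. The directory path is supplied by the caller; the extension IDs, the `install.rdf` contents and all function names here are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(ext_dir):
    """Map each file path (relative to ext_dir) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Return files added, modified or removed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def new_top_level(baseline, current):
    """Top-level entries (one per extension) absent from the baseline."""
    before = {p.split("/", 1)[0] for p in baseline}
    return sorted({p.split("/", 1)[0] for p in current} - before)


def _write(ext_dir, ext_id, text):
    os.makedirs(os.path.join(ext_dir, ext_id), exist_ok=True)
    with open(os.path.join(ext_dir, ext_id, "install.rdf"), "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample: a known extension, then changes made on disk."""
    with tempfile.TemporaryDirectory() as ext_dir:
        _write(ext_dir, "known@example.invalid", "<RDF/>")
        baseline = snapshot(ext_dir)
        # Simulate another program writing into the directory directly.
        _write(ext_dir, "unexpected@example.invalid", "<RDF/>")
        _write(ext_dir, "known@example.invalid", "<RDF>changed</RDF>")
        return diff(baseline, snapshot(ext_dir)), new_top_level(baseline, snapshot(ext_dir))


if __name__ == "__main__":
    print(demo())
```

A baseline like this only detects the change after the fact, and it has to be stored somewhere the writing program cannot also modify.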
> Is there a way to protect those dirs from other apps?
winpooch
Posted by: Anonymous | July 28, 2006 12:20 AM
Hey, thanks! That's good to know. Their URL:
http://winpooch.free.fr/home/index.php
"Winpooch is a Windows watchdog, free and open source. Anti spyware and anti trojan, it gives a full protection against local or external attacks by scanning the activity of programs in real time. Associated with ClamWin antivirus, Winpooch keeps safe your computer against virus."
Posted by: Limulus | July 28, 2006 3:14 PM
Oh and actually being on-topic regarding "Firefox as a platform", I think we can easily see that in extensions like FireFTP, ChatZilla and AIMfire where small extensions do the work of much larger programs; even extensions like Calculator and the game ones like Cards, Blockfall, etc. show this to be the case.
I think that Opera to a certain extent likes how extensions can behave as applications and is working in that direction with their "widgets" but prefers to maintain tight control over the browser itself and that's why they're limited to only mini-apps rather than the full power of extensions to modify the browser in an unlimited amount of ways... I wonder how much of this is because Opera is closed source while Firefox is open source.
Posted by: Limulus | August 1, 2006 11:56 AM
Glad you're here! Hope we can catch up while we're both in town...