Bug 1203163 (Closed): opened 9 years ago, closed 9 years ago

Blocklist Barre de Confiance CM-CIC 3.4.0.0

Categories: Toolkit :: Blocklist Policy Requests
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED INVALID

People: Reporter: magopian, Unassigned


Details

The following (French) article explains that the extension https://addons.mozilla.org/en-us/firefox/addon/barre-de-confiance-cm-cic/ isn't secure at all, and also performs really badly:

https://dustri.org/b/analyse-rapide-de-lextension-anti-phishing-pour-firefox-du-credit-mutuel.html

A few details (I can help with the translation to English if needed) provided by the blog post:

1/ there are whitelists that could be abused to allow phishing
2/ the blacklist contains some URLs that shouldn't be blacklisted
3/ the blacklisted URLs are matched with their protocol, so they can be bypassed by using PRURLs (e.g. ://malevolent.com)
4/ it matches the URL in any position, so http://malevolent.com/@www.creditmutuel.fr would be detected as green, while https://www.creditmutuel.fr/groupe/fr/index.html?@http://malevolent.com would be detected as fraudulent
5/ the popup display is utterly failing in many ways (it can be disabled, the display in the toolbar can be prevented by loading a resource forever, and the "get out of here" button destination can be changed very easily)
6/ the extension adds a Google Analytics tracker on the whitelisted and blacklisted pages, and a cookie (this isn't explained in the EULA: https://addons.mozilla.org/en-us/firefox/addon/barre-de-confiance-cm-cic/eula/)
7/ the performance is really bad because it checks each URL against a list of 4000 URLs, which is unencrypted, each and every time
Summary: Blocklist → Blocklist - Barre de Confiance CM-CIC 3.4.0.0
Summary: Blocklist - Barre de Confiance CM-CIC 3.4.0.0 → Blocklist Barre de Confiance CM-CIC 3.4.0.0
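The matching problem in points 3 and 4 above, as an added example written for this page and not taken from the add-on (whose code was not inspected here): naiveVerdict models the substring-anywhere, scheme-included matching the report attributes to the extension, and hostVerdict is a hostname-based check that does not share those flaws. The list contents, the placeholder hosts attacker.example and phish.example, the blacklist-before-whitelist order, and the https requirement for a trusted verdict are assumptions made for the illustration; nothing about the real add-on's internals beyond what the report states is claimed.

```javascript
// Added example (not the add-on's code): a model of the URL matching the
// report describes, beside a hostname-based check that avoids its flaws.
// Lists and URLs below are constructed placeholders for illustration.

// Assumption: whitelist entries are hostnames, blacklist entries are full URLs
// carrying their scheme, as point 3 of the report says. Hosts are placeholders.
const WHITELIST = ["www.creditmutuel.fr", "www.cic.fr"];
const BLACKLIST = ["http://phish.example"];

// Flawed check as reported: an entry matches wherever it appears in the URL
// string, and blacklist entries only match when the scheme is spelled out.
// Assumption: blacklist is consulted before whitelist.
function naiveVerdict(url) {
  if (BLACKLIST.some((entry) => url.includes(entry))) return "fraudulent";
  if (WHITELIST.some((entry) => url.includes(entry))) return "trusted";
  return "unknown";
}

// Hardened check: resolve the URL against the current page (so a
// protocol-relative link gets a scheme), then compare the parsed hostname
// exactly. Userinfo, path and query can no longer smuggle a listed host
// into the decision, and a listed host cannot hide behind a missing scheme.
function hostVerdict(url, base = "https://www.creditmutuel.fr/") {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return "unknown"; // unparseable input is never "trusted"
  }
  const host = parsed.hostname.toLowerCase();
  // Blacklist entries are URLs: reduce them to hostnames, scheme-agnostic.
  const badHosts = BLACKLIST.map((e) => new URL(e).hostname.toLowerCase());
  if (badHosts.includes(host)) return "fraudulent";
  // Assumption: a green verdict also requires TLS, so http://bank is not "trusted".
  if (parsed.protocol === "https:" && WHITELIST.includes(host)) return "trusted";
  return "unknown";
}

// Constructed cases mirroring points 3 and 4 of the report.
const CASES = [
  // userinfo-style "@" smuggles the bank's hostname into an attacker page
  "http://attacker.example/@www.creditmutuel.fr",
  // a blacklisted URL in the query string poisons a genuine bank page
  "https://www.creditmutuel.fr/groupe/fr/index.html?@http://phish.example",
  // protocol-relative link to the blacklisted host
  "//phish.example/login",
];

// Side-by-side verdicts for every case, returned for inspection or testing.
function compare() {
  return CASES.map((url) => ({
    url,
    naive: naiveVerdict(url),
    host: hostVerdict(url),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Run with node: the table shows the naive check calling the attacker page trusted, the genuine bank page fraudulent, and missing the protocol-relative link entirely, while the hostname check gets all three right. Parsing fixes only the matching; it does nothing for point 1 of the report (lapsed whitelisted domains), which is a list-content problem and not a matching one.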

From that list, only the first point might warrant a block. Can you elaborate on how the whitelist can be used to perform phishing on users of this add-on?

On point 7, how bad is performance? Is there a noticeable delay when loading a page?
Flags: needinfo?(mathieu)

I'm the author of the blog post.
Since some domains present in the whitelist aren't registered anymore, anyone could buy them and get a free "green notification".

Also, I think that the fact that the extension allows anyone to make their website "green" by adding simple parameters to the URL (or to blacklist any linked website at will) might also warrant a block.

Thanks, Julien, for the details.
Flags: needinfo?(mathieu)

As I understand it, this add-on rates websites as Safe or Not Safe, similar to what WOT does. The add-on may do a crappy job at it, but that doesn't make the user any less safe than without the extension. At most, it gives them a false sense of security, but that's something we need to work with the developers on so they fix it, rather than blocklisting. I added a note to other reviewers pointing to this bug so they can look into these issues if there are new versions submitted or the developer applies for full review.

So, unless I'm missing something else, this add-on isn't worth blocklisting.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Product: addons.mozilla.org → Toolkit