Mozilla Signs Firefox Add-Ons

Mozilla developer Jorge Villalobos has announced that Mozilla is ready to implement its new program of digitally signing add-on extensions for the Firefox browser. The plan was originally announced back in February. Firefox developers have long taken pride in the extensive and powerful collection of add-on applications that users can easily add to their browser configuration. However, the Firefox team has become alarmed at the number of add-ons that are insecure – or sometimes even malware. According to the original announcement, "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into web pages or even inject malicious scripts into social media sites."

To combat this misuse of the add-on ecosystem, Mozilla developed a new set of guidelines for add-on developers and implemented the signing process as a means for assuring users that the add-on has been properly vetted.

Mozilla will take a week to create signed versions of existing add-ons. For a transition period of two release cycles (approximately 12 weeks), non-signed add-ons will only trigger a warning in Firefox. After the transition period, release and beta versions of Firefox will not install unsigned extensions.

Weird Worm Burrows into Linux-Based Routers

Security researchers at ESET have released a lengthy report on the Moose malware, a worm that affects Linux-based home routers and embedded gadgets. Attackers appear to have assembled a large botnet of compromised devices through weak passwords.

According to the report, Moose does not install backdoors or rootkits. The goal of the attack appears to be social media fraud. Moose intercepts web cookies and uses them to hijack social media accounts. The schemers apparently deploy the botnet as a social media tool, auto-generating likes, views, and other popularity indicators for a price.

The Register quotes a report from the security firm Rapid7 stating that 50,000 routers are infected with the Moose worm. Most of the attack traffic targets Twitter and Instagram.

US Government Requires HTTPS

The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication. A summary document online, titled "The HTTPS-Only Standard," is a web-friendly version of the White House Office of Management and Budget memo M-15-13, "Policy to Require Secure Connections across Federal Websites and Web Services."

The document states the requirement that "all publicly accessible Federal websites and web services only provide service through a secure connection." According to the document, Hypertext Transfer Protocol Secure (HTTPS) is the "strongest privacy and integrity protection currently available for public web connections," and it is therefore the protocol of choice for encrypted sessions.

Although many modern websites have adopted HTTPS as the standard web protocol, a vast number of sites still operate on unencrypted, plain old HTTP. The US federal government has such a huge collection of sites that establishing HTTPS as a minimum standard for privacy could have a ripple effect through the rest of the web. The memo states the principle that "All browsing activity should be considered private and sensitive," which privacy advocates in the US and abroad will welcome.

Although this plan has reportedly been in the works for several months, the announcement might have been timed to appear proactive in the wake of reports about security breaches on government sites, such as the recent massive attack on the US Office of Personnel Management. The NSA scandals have also created a need for the White House to make a statement affirming a general right to privacy, although recent proceedings in Congress and the courtroom indicate the administration isn't giving up on its interest in Internet surveillance.
