Murphy's Law: It's a Mad, Mad, Add-On World


After hearing the recent announcement that Google has opened up the doors to its extensions gallery for developers, I thought but one thing: Hurry. It's been more than a year since the launch of the browser itself--a tough, troubling year for those of us used to hacking the crap out of our browsers with all the third-party extensions and themes we can stuff into the window.

It warms the heart to see that Google will be using an automated approval process for extensions submitted to its online gallery, reserving the white-glove, actual-human treatment for those using the NPAPI components. For the uninitiated, NPAPI is a cross-platform architecture that should allow developers to quickly port Firefox plugins over to Google Chrome. That's plugins, not extensions--Google still has a lot of catching up to do in order to deliver the wealth of customizations currently enjoyed by the Firefox community at large.

To this point, however, I wonder if the time has come where the security of a browsing experience has started to outweigh its customizability. Or, in layperson's terms, would you rather have a packed-to-the-gills Web browser or a safe, speedy Web browser? I've always found myself leaning toward the former because tweaking a piece of software to one's own specifications is an art in itself. And I do like transforming Firefox into a Swiss Army knife of add-ons. However, there does come a point when all the extensions in the world can't improve issues like a 600,000K memory leak or, worse, third-party security exploits.

Firefox might have a wealth of third-party customizations on its side, but is the allure of a fresh start in an admittedly better browser enough to compel users to make a switch to Google's Chrome? It might just yet...

Let's ignore all the marketing talk, product integration, and existing browser share between the two products--people are loath to switch away from that-which-works, after all. Just look at the raw nuts and bolts of the two browsers. Firefox has been through a number of successful design changes and iterations throughout the course of its long life. And, yet, the browser hasn't corrected the ever-present memory leak issue that's plagued this application since its inception. More than that, Firefox just isn't that secure. It's not that difficult for a piece of third-party malware disguised as a useful add-on to wreak all sorts of havoc on your machine. And without any kind of stringent review process for add-on performance, beyond that of Firefox's standard security checks for newly submitted apps, it's hard to prevent the content you download from adversely affecting your browsing in some capacity.

Google Chrome, in contrast, doesn't appear to suffer from the same memory issues as its Firefox friend. To be fair, most users typically run Firefox with some kind of add-ons installed, which can push the memory problems into the stratosphere depending on what's going on behind the scenes. It remains to be seen just how Google Chrome will be affected by, say, a Skype plugin--one of the bigger sources of frustration throughout my own Firefox use.

As for security, Google Chrome's sandboxing does make it the superior platform for shielding your everyday PC use against malware and exploits coming in through your browser. Without getting into it in too much detail, the read and write operations of your system are separated from the HTML rendering and JavaScript execution in Chrome browser tabs. While nefarious folk might be able to affect your system via the browser, they would need to find some way to insert a bug or workaround for Chrome's sandbox in order to gain access to the core of your operating system. However, plugins based on NPAPI bypass this shielding, which could give a line of entry should you allow any plugin under the sun to make its home in your Chrome browser.

This, of course, brings us full circle. A thorough vetting process that's locked into a single point of entry a la Apple's App Store would do much to weed out problematic plug-ins and extensions from affecting one's browser for the worse. Whether it's a person or a script, I would love to have the assurance that some kind of performance testing has been run on every add-on, or iteration of an add-on, in Mozilla's or Google's gallery. No third-party add-on should otherwise reduce the core performance of a browser beyond a particular agreed-upon standard. And if this is a question of quantity over quality, then additional measures should be built into the browser to warn users when their customization habits are reducing the browser's functionality past a set degree.

In addition, I find it strange that Mozilla and Google don't lock users into a one-shop environment for add-ons. I realize this is a rather odd thing to say in a column that usually bashes applications for refusing to adhere to the principles of openness. However, I think security takes precedence in this case. Instead of granting anyone the ability to install an add-on or extension from any source they want, both Firefox and Chrome should build in some kind of permissions call-back to the main company servers. Any extension that hasn't been vetted by the above review process would be automatically disabled. Period.

Draconian? Perhaps. I have yet to have an exploit hit my iPhone through any app I've downloaded. Granted, Apple has its own problems to deal with surrounding its review process for third-party software. But to its credit, the iPhone isn't going to be shot to pieces because someone injected malicious code into the fart app you bought last week. And that's just my mobile device--instead of focusing on endless add-ons and tweaks, why can't we make the simple act of surfing the net as secure as possible from third-party tampering?

David Murphy (@Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!
