SpoofStick: the Good, the Bad, and the Ugly

I heard about a tool called SpoofStick, which is a browser extension for Internet Explorer and Firefox. The good thing about this tool is that it shows you the real URL of the site you're visiting. The tool is designed to help prevent people from falling victim (the bad part) to URL spoof attacks.

The ugly part is that during installation of SpoofStick all instances of Firefox 1.0PR are immediately shut down without so much as any warning, not to mention a prompt to ask if it's all right to do so. I think this is due to a bug because the first time I tried to installed SpoofStick it didn't install itself. I had to try to reinstall it again to get it work with Firefox and when I performed the second installation it didn't close the browser, but instead showed a message in the Extensions dialog that the installation would be completed after Firefox was restarted.

This bug is an ugly problem because, for example, if you had a couple of instances of Firefox open with a dozen or more tabs open in those instances and you hadn't bookmarked the pages yet then too bad. You'll suddenly find yourselves relegated to searching through mounds of browsing history references to find the URLs again, assuming you have history enabled and the references haven't aged out of it yet.

I wrote to the makers of SpoofStick who told me:

"I think that SpoofStick installation behavior is controlled more by how FireFox deals with extensions than with any code specific to SpoofStick. I expect these issues to be fixed by the FireFox team as they release the final version of the browser.

We'll take a look through the code to see if there's anything that we can do on the SpoofStick side to make this process easier and to make sure it's not actually a bug."

The question remains whether this behavior is due to a bug in SpoofStick or a bug in Firefox 1.0PR. I haven't had problems with any other Firefox extensions, so it'll be interesting to learn where the problem actually resides.

End of Article