Executive Summary:

Firefox add-ons can make this web browser very tempting for your users—but these plug-ins can carry a security risk you might not want. Loading and experimenting with these plug-ins yourself, before your users do, is a proactive way to deal with users wanting Firefox plug-ins.


Mozilla Firefox's success as a web browser has been propelled by its adoption of a user-created add-on/extension model, which provides a dizzying array of options to enhance and customize the user's web experience. Although other browsers offer add-on features as well, what sets Firefox apart is its direct accessibility for finding and installing new add-ons. Simply browse to the add-on website (https://addons.mozilla.org), search by keyword or category, find the plug-in you like, and click Add to Firefox. This accessibility makes experimenting very easy but carries with it the risk that your end users can modify their browser to perform all sorts of functions which you might not want.

For this reason, I recommend researching the variety of Firefox plug-ins available and verifying that these don’t exceed your organization’s risk tolerance. For example, if your company has standardized on Internet Explorer (IE) and uses Group Policy Objects (GPOs) to strictly control Internet Security zones or the installation of ActiveX (or other) controls, then consider restricting your users from installing Firefox. Even in a company with few restrictions, user-awareness training is a key component for guiding your users through safe Internet surfing and keeping them out of trouble.

If you’ve never used Firefox before, download and install the current release for your platform (http://www.mozilla.com/en-US/firefox). Next, click Tools, Add-ons to see which add-ons are currently installed with Firefox. Firefox separates its add-ons into three categories: Plug-ins, Extensions, and Themes. Plug-ins are traditional third-party software usually designed to help render and display particular content and are usually available for different web browser applications. Popular plug-ins include Apple QuickTime, Java, and Adobe Acrobat. Themes are partial or complete changes to the Firefox UI; this is also called “skinning” because you change the appearance or "skin" of the program. Extensions are add-ons specifically designed to change how Firefox operates. Extensions are the add-ons of most concern.

Click the Get Add-ons button, and Firefox will open a new window where you can search through extensions having to do with appearance, bookmarks, dictionaries, privacy, security, and search tools. You can also search for the most popular or most recently updated extensions. You'll also see a screenshot of the add-on, a star ranking assigned by reviewers, reviewer comments, and a count of the number of weekly downloads. It’s easy to install an extension, verify for yourself how it works, then uninstall it. To uninstall an extension, just access the Add-ons dialog box, click the extensions tab, find the add-on you want to uninstall, and click the uninstall button.

As of Firefox 3.0, Firefox plug-ins aren't digitally signed, so you and your users need to be cautious of the source of the plug-in. Firefox includes some security features designed to prevent the rogue installation of a plug-in. For example, the program delays three seconds after you agree to install an extension until the extension is actually installed, in an effort to combat the potential installation of bad software. In one such scenario, a website could initiate the installation of malware and entice you to press the Y key simultaneously, tricking you into answering “yes” to installing the software.

The Firefox add-on model is popular and likely used by members of your organization. You might even find that you want to use some of the add-ons yourself, such as those that let you preview thumbnails of web sites from your search results, block scripts from running, and let you manage cookies. Knowing what is out there will help you avoid any surprises, whether good or bad, and steer your users in the right direction as well.