How are the Grammarly[1] or Honey[2] addons terrible for security?
I can guess why you say they're terrible for privacy, but they both mention what data they share on the add-on page. So it seems not so much that they are violating users' privacy, but that you think people should be more concerned with the amount of privacy they give up.
For the record, I am pro-privacy, and would never want to use add-ons like these that send my browsing and other data to a third party. And I know the vast majority of people don't read privacy statements and might not fully realize the amount of privacy they're giving up. But that's a much bigger problem than Mozilla giving these add-ons that openly collect this data a Verified tag. Also, the tag will ostensibly indicate some level of verification that the add-on isn't doing anything sneaky (on the client side), so it's not "just" promotion, according to the announcement. If you don't believe Mozilla is going to do that verification well/honestly, that's a different discussion.
Regarding open-source projects, I share your concern, but would be interested to see some evidence that they will be hurt by this.
Open source extensions already wait weeks or, more often, months to be reviewed and have that scary warning removed. As this program is planned, any commercial or other well-funded extensions will be jumping the queue ahead of them. That seems strictly worse, unless they also pay to play.
Well, the Mozilla add-on website maybe isn't the only way to distribute WebExtensions. Mozilla already hosts and lists the add-ons for free. It seems only normal that it warns users that no verification has been made, since they might assume otherwise because it's on an official website. Extensions may be hosted elsewhere and reviewed by online communities too. For example, the Krabby extension that adds Kakoune keybindings to web navigation is hosted on GitHub.
Thanks for the clarification. I did not know that was the case. Indeed, you have to use Firefox Nightly to use Krabby... But if no verification is made on add-ons, does it mean it is easy to have them signed? It seems rather contradictory that an add-on has to be signed only to end up with a banner that warns it might be harmful, but still can't be distributed elsewhere. It's like you want a store like everyone else, but you don't have the perks of a store. What's the point then?
If that is true, then I would hope that they fail the verification review, despite having paid a fee.
"Developers will have all new versions of their add-on reviewed for security and policy compliance. If the add-on passes, it will receive a Verified badge"
FWIW, I have never used either of those extensions (or products), but at least Grammarly (based on this alone) is truly awful. I think they're still violating user privacy; here's the excerpt from the bottom of the extension page from Grammarly:
> Additionally, we collect payment information if you choose to use our Premium services, and we automatically collect technical information, including log data and usage information, for legitimate business interests, such as improving our product and providing customer support.
You can bet that means they're building a credit profile of people and likely selling the information.
> We may share any of the information that we collect through the add-on with our third-party service providers in order to provide you with services, as required by law, to protect our rights or the rights of others, with your consent, or as otherwise legally permitted.
I'd really like to call out the "or as otherwise legally permitted" at the end, which essentially says that the previous list of things is a bullshit hand-picked subset of the set "legally permitted to perform." When I change it to:
> We may share any of the information that we collect through the add-on with our third-party service providers as legally permitted.
It all feels a bit different; which is to say, unless the law says it's explicitly illegal for us to share information we collect, we can and will share it. For something that literally monitors everything you write/think, your payment information (probably invoices/site/etc.), and then shares it with anyone they fucking please... I'm gonna say that's a big "terrible for security" from me, dawg.
Where I live it's illegal to walk around with a beer/booze in public. But whenever I want to drink a beer in public, I just walk around with it like any other drink. My behavior looks so normal, people just assume it's not a beer. Helping me out even more is the fact that "it's illegal", so people's good intentions/will further push the idea out of mind: "I don't want to think they're breaking the law, they don't look like they would."
I would say after reading what's literally on the page and thinking about it: the Grammarly extension authors are pretty proudly walking around with a beer right now...
Mozilla is like the friend who invites someone to your home to help tighten up some loose wobblywomps on the porch; but that person then drinks your beer, drinks their beer, goes through your fridge and eats what they want, starts making their own batch of beer at your house, and then finally partially adjusts your wobblywomps. Departing, the drunken fat stranger looks to you and says "it was great doing business with you and I'll be back every day this week to tighten your wobblywomps."
> Additionally, we collect payment information if you choose to use our Premium services, and we automatically collect technical information, including log data and usage information, for legitimate business interests, such as improving our product and providing customer support.
> You can bet that means they're building a credit profile of people and likely selling the information.
I only saw security issues from years ago at that link. Is there anything active right now? I couldn't find anything. Or are you suggesting that an issue from years ago means they are forever tainted?
The open-source projects with no income are the ones getting hurt.