Search code examples
firefoxbrowserproxyfirefox-addonhttp-proxy

How Do Firefox Extensions Use IP Address With Anonymous Proxy? Original IP May Be Exposed?


Research On Firefox Extensions Connections

I have read the FAQ's on Firefox Extensions (https://addons.mozilla.org/en-us/faq) and have looked at their community forums for information but wasn't able to find anything on how extensions actually connect and collect your data.

The closest I found was the Mozilla Wiki page on data collection (https://wiki.mozilla.org/Firefox/Data_Collection) but it only gives you the basic opt in/out data collection levels.

What I'm trying to understand:

If I'm using a manually configured anonymous proxy in Firefox, could the extension potentially send my actual IP address (not my proxy IP address) back to a third party?

Example: Translate Extension

For example, if I were to use the Google Translate for Firefox, would Google be able to see my original IP?

What I was thinking

Since the proxy is the only way for the browser to connect to the internet, the extension would have to use the proxy IP address to connect and thus, would only be able to see the proxy IP address. However, I would love to be sure that there is no back door or way of the extension revealing my original IP.

Any insight is greatly appreciated. We are not doing anything unethical, we just have to maintain separate IP usage for various clients and do not want to risk mixing their information. Thanks again.


Solution

  • Firefox extensions are usually not limited in what they can do, only extensions based on the WebExtensions framework are sandboxed - currently the majority of Firefox extensions is still either classic XUL-based extensions or based on the Add-on SDK, these don't have inherent restrictions. So in theory an extension can do lots of things in order to deanonymize you, for example:

    • Use nsIDNSService in order to retrieve your local IP address (usually, this address isn't valid outside your local network however).
    • Change browser settings, in particular disable your configured proxy server.
    • Use external command line tools in order to read out system information or send a request bypassing the browser.
    • Read files on your hard drive in order to find your name.

    Note that Chrome also offers an API to modify browser's proxy settings extensions, and a similar API is planned for WebExtensions. So even sandboxing doesn't always protect against deanonymization, and you need to trust the extensions you are installing.

    However, the extensions hosted on Addons.Mozilla.Org are usually reviewed by Mozilla (the ones that aren't reviewed yet have a yellow install button and a warning). One aspect that the reviewers look into is: does this add-on do what it claims to do or are there unexpected side-effects? Any unexpected functionality has to be strictly opt-in, with full explanation about the implications. This was introduced in 2009 as the No Surprises policy and works remarkably well. Chrome Web Store doesn't have any comparable policy.