MaJHi_BHai
Making moves
Status: New idea

🧠 The Problem with Today's Extension Trust Model

Firefox currently treats extension permissions as binary — an extension either has a permission or it doesn't. There is no dynamic, real-time trust scoring system that reflects how an extension actually behaves at runtime versus what it declared at install time.

The existing Quarantined Domains feature — introduced in Firefox 115 — is a great foundation, but it has a critical scalability ceiling: Mozilla must manually curate every domain on the list. Currently only 6 domains are protected. The world has millions of high-value targets.


💡 Proposed Solution: Adaptive Extension Trust Scoring (AETS)

A lightweight, fully on-device, privacy-preserving behavioral analysis engine that continuously scores each installed extension based on runtime behavior — not just declared permissions at install time.


⚙️ How It Works

1. Baseline Declaration Score

At install time, each extension receives an initial trust score computed from:

  • Declared permission scope and sensitivity
  • Publisher history and AMO review status
  • Update frequency and changelog transparency
  • User base size and community reports

2. Runtime Behavioral Delta Engine

A sandboxed observer silently monitors extension activity patterns and flags deviations from declared intent:

  • DOM mutation frequency and scope creep
  • Network request patterns — domains, frequency, payload size
  • 🚫 Cross-origin resource access attempts
  • 💾 Background script CPU/memory usage spikes
  • 📂 Storage read/write access patterns

If runtime behavior deviates significantly from declared intent, the trust score adjusts automatically and instantly.

3. User-Facing Trust Dashboard

A simple 0–100 trust score per extension, visible directly inside about:addons:

  • 🟢 75–100 — Trusted, behaving as declared
  • 🟡 40–74 — Review recommended, minor anomalies
  • 🔴 0–39 — Anomaly detected, user action advised

One-click drill-down shows exactly which behaviors triggered the score change — explained in plain language, not raw technical logs.

4. Quarantine Trigger Integration

Extensions that fall below a user-configurable trust threshold are automatically quarantined from high-value domains — banking, healthcare, government — without requiring Mozilla to manually curate thousands of domain entries.

This directly solves the scalability problem of the current extensions.quarantinedDomains implementation.

5. Zero Telemetry — Fully On-Device

All behavioral scoring happens locally on the user's machine. No behavioral data leaves the browser. Users may optionally contribute anonymized anomaly signals to a community threat feed — strictly opt-in.


🎯 Why This Matters

The current permission model was designed for a simpler web. Modern malicious extensions are sophisticated — an attacker can request minimal permissions at install time and activate harmful behavior weeks later after building user trust. Static permission review at AMO cannot catch post-activation behavioral changes.

AETS closes that gap — dynamically, privately, and without user friction.

🗺️ Implementation Roadmap

| Phase | Scope | User Impact |
|---|---|---|
| Phase 1 | Passive observer — silent data collection, score computed locally | None |
| Phase 2 | Trust dashboard UI inside about:addons | Informational only |
| Phase 3 | Quarantine integration + user-configurable thresholds | Active protection |
| Phase 4 | Optional community anomaly feed (opt-in) | Collective defense |

🔬 Prior Art & Differentiation

Chrome's Enhanced Safe Browsing touches on extension risk assessment but is cloud-dependent, opaque to users, and not privacy-preserving by design.

No browser currently implements a fully on-device, privacy-preserving, real-time behavioral trust engine with a transparent user-visible scoring system. This would be a Firefox-first feature and a meaningful market differentiator — especially for privacy-conscious users who choose Firefox precisely because they don't want cloud-based behavioral surveillance.


✅ Alignment with Mozilla's Core Values

  • 🔒 Privacy — fully on-device, zero telemetry by default
  • 👁️ Transparency — users see exactly why a score changed
  • 🎛️ User Control — configurable thresholds, opt-in community feed
  • 🛡️ Security — closes the post-install behavioral attack vector

This idea builds directly on Firefox's existing Quarantined Domains infrastructure and takes it to its logical, scalable conclusion — protecting every user, on every sensitive site, automatically.
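
An added sketch of the scoring flow described in steps 1 to 4 above; it is not part of the original post and is not Firefox code. The penalty weights, payload cut-off, event fields and hostnames are assumptions chosen for illustration; only the three score bands come from the post.

```javascript
// Added illustration only: weights, cut-offs, field names and events are assumptions.
const PENALTY = { undeclaredHost: 15, largePayload: 10, crossOriginDenied: 5 };
const LARGE_PAYLOAD_BYTES = 256 * 1024;

// True when host equals a listed domain or is a subdomain of it.
function matchesHost(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// Start from the install-time baseline and subtract for runtime deviations.
function scoreExtension(ext, events) {
  let score = ext.baseline;
  const reasons = []; // plain-language entries for the dashboard drill-down
  const penalisedHosts = new Set(); // charge each undeclared host once
  for (const ev of events) {
    if (ev.type === "request") {
      if (!matchesHost(ev.host, ext.declaredHosts) && !penalisedHosts.has(ev.host)) {
        penalisedHosts.add(ev.host);
        score -= PENALTY.undeclaredHost;
        reasons.push(`Sent data to ${ev.host}, which it did not declare`);
      }
      if (ev.bytes > LARGE_PAYLOAD_BYTES) {
        score -= PENALTY.largePayload;
        reasons.push(`Uploaded ${Math.round(ev.bytes / 1024)} KiB to ${ev.host}`);
      }
    } else if (ev.type === "crossOriginDenied") {
      score -= PENALTY.crossOriginDenied;
      reasons.push(`Tried to read from ${ev.host} without permission`);
    }
  }
  score = Math.max(0, Math.min(100, score));
  // Bands from the dashboard section: 75-100, 40-74, 0-39.
  const band = score >= 75 ? "trusted" : score >= 40 ? "review" : "anomaly";
  return { score, band, reasons };
}

// Quarantine applies only on high-value hosts and only below the user's threshold.
function isQuarantinedOn(pageHost, score, threshold, highValueHosts) {
  return score < threshold && matchesHost(pageHost, highValueHosts);
}

// Constructed sample data.
const ext = { baseline: 82, declaredHosts: ["example.org"] };
const events = [
  { type: "request", host: "api.example.org", bytes: 2048 },
  { type: "request", host: "collector.invalid", bytes: 300 * 1024 },
  { type: "request", host: "collector.invalid", bytes: 1024 },
  { type: "crossOriginDenied", host: "bank.test" },
];
const result = scoreExtension(ext, events);
console.log(result, isQuarantinedOn("login.bank.test", result.score, 60, ["bank.test"]));
```
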

1 Comment
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.