Among the many reasons why Mozilla's Firefox browser has become popular is the fact that it's relatively easy to build and install add on extensions for it. That ease of extensibility however has a potential dark side to it.

Those same extensions that add power to Firefox, generally speaking, could arguably represent a security risk as well. It's a security gap that Mozilla is now plugging with its Alpha 8 development release of its next generation Firefox 3 browser.

In terms of add-on extension security, Firefox 3 Alpha 8 is specifically targeting the updating of add-ons to make that process more secure.

Mozilla spells out the issue in its guide on the new extension security:

"Firefox currently automatically checks for updates to add-ons using a url specified in the add-on's install manifest. Currently there are no requirements placed on these urls. In particular, neither url is required to be https. This allows either the update manifest or the update package to be compromised, potentially resulting in the injection of malicious updates. A demonstration of one form of compromise is already public."