For best security, both the extension download and the online version should use SSL and an https URL. Otherwise, the door is left open for the following attack:An attacker inserts his computer into the connection path between the client computer and the PasswordMaker web site (spoofing attack). The attacker then provides a munged version of either the extension or the online version (depending on what the client was requesting). The munged version will contain code to upload the master password to the attacker's web site.
Note that SSL is insufficient. The attacker could simply use a hacked copy of the PasswordMaker web site with his own SSL. (OK, "simply" is a misstatement: it is usually not easy to inject a site that pretends to be passwordmaker.org - but it is possible, which is why https exists.) The client wouldn't know the server is bogus and would happily chat with it over the SSL connection. The client needs a certificate that it can trace to a root certificate authority that authenticates the server. Can you get that free from CACerts.org? If not, it might cost hundreds of dollars to get one. :(
Now here is an interesting twist. Let's say you decide to secure the PasswordMaker web site with https. The common user still won't be secure. The problem is that the mozilla web site itself is insecure! That is, if the user clicks Install Now from the Mozilla PasswordMaker
page, he gets an insecure download link
. I wonder if automatic updates work the same way.
Futhermore, there may be an additional vulnerability, depending on Firefox's sandboxing model. If extensions are allowed to access data from other extensions (even private data using introspection), any other extension could access the master password stored in PasswordMaker. That would mean users would need to trust all
extensions to the same degree that they do PasswordMaker. Hopefully, Firefox is already designed to isolate extensions, but it would be worth verifying and reporting, if not.
My bottom line recommendation would be to switch to https if practical (i.e. the authentication certificate isn't too expensive) and report the vulnerability of the Mozilla download
. The other way of looking at it is to say, well, there's no point until Mozilla gets its act together. This is largely a value judgment, similar to the political question of whether a country should bother outlawing harmful internet content even if similar content would still be available due to its legality in other countries. My personal values tend me toward doing what I think is best if it is practical for me to implement - even if there is little immediate practical value - as a matter of principle and to set an example for others.