Can a Web site check if an add-on has been modified?

Question

This is the context: Suppose there is a plug-in, P, available at the Mozilla Firefox add-on site.

Consider a malicious user that modifies P, for example, to make it deviate from the normal behavior. My first question is:

1. Could the Firefox browser detect that the plug-in is not the original one (i.e., the one that was downloaded from Firefox site? If this can be detected, could the Firefox browser disable the (modified) plug-in?

Now consider the case of a Web site that interacts with the plug-in P. For example, the site allows access to the web content only if the plug-in is original (it has not been modified).

My second question is:

2. Could the site be able to detect that this malicious user modified the plug-in?

Answer 1

You're asking for DRM, i.e. the ability to verify that a remote piece of software running on general purpose computing hardware is executing the code which it itself claims to be executing.

This is not possible, since the claimant can always lie and run any code snippet used for interactive authentication in some form of emulator.

Depending on what you're actually trying to achieve you should use user-specific authentication, i.e. tie site access to some token or password instead of the addon, or treat all inputs by the addon as unstrusted and verify them against whatever protocol they should follow.

In short: Validate data, not code.

Answer 2

Firefox detecting changes

All extensions which are downloaded from AMO are cryptographically signed by Mozilla (link 2). If the extension is modified in any way, Firefox will automatically detect that there have been changes and will disable the add-on.

However, if the user is running Firefox Developer Edition, Firefox Nightly, Unbranded Beta, or Unbranded Release, they can change a preference such that the modified extension will not be disabled. The modification will still be detected, and the user informed in about:addons (Ctrl-Shif-A, Cmd-Shif-A on OSX). It is also possible for the user to download the source code for Firefox and compile their own version which disables add-on signature checking.

Temporary add-ons
The normal release and beta versions of Firefox do not permit the user the option to permanently install and run extensions which have not been signed, or where the extension has been changed after signing. However, they do, along with all other versions, permit an extension to be loaded as a temporary add-on even if unsigned, or changed. This makes it impossible unsigned add-ons which require a browser restart in those versions of Firefox.

Summary
Mozilla singing add-ons is intended to prevent add-ons, which are malicious, or that just have not been reviewed by Mozilla, from being downloaded and installed by naive users. Thus, to install an unsigned, or changed, add-on, the user has to jump through extra, inconvenient steps (not use a branded release or beta Firefox, or use a temporary add-on install). However, signing does not, and was not intended to, prevent the user from intentionally changing an add-on and not being able to run it.

Website detecting that the extension has changed

No, assuming that the modifications to the extension are intentionally being hidden, there is no guaranteed way for the web page to detect that a change has occurred. The modified extension can spoof any information that is provided to the web page by the original extension code. You can make this hard to do, but it can not be guaranteed.

You have not mentioned why you are wanting your website to be able to detect these changes. Thus, without guessing as to the purpose, it is not possible to provide you with reasonable alternatives.