Is "uMatrix" on Firefox Add-ons Safe to Install?

Raymond Hill · firefox · v1.4.4

uMatrix: A point-and-click matrix-based firewall, with many privacy-enhancing tools.

*For advanced users.*

uMatrix puts you in full control of where your browser is allowed to connect, what type of data it is allowed to download, and what it is allowed to execute. Nobody else decides for you: You choose. You are in full control of your privacy.

Out of the box, uMatrix works in relaxed block-all/allow-exceptionally mode, meaning web sites which require 3rd-party scripts are likely to be "broken". With two clicks, uMatrix can be set to work in allow-all/block-exceptionally mode, which generally will not break web sites. See https://github.com/gorhill/httpswitchboard/wiki/How-to-use-HTTP-Switchboard:-Two-opposing-views for more details on this topic.

* See ALL the remote connections, failed or attempted, depending on whether they were blocked or allowed (you decide).
* A single-click to whitelist/blacklist one or multiple classes of requests according to the destination and type of data (a blocked request will NEVER leave your browser).
* Efficient blacklisting: cookies won't leave your browser, JavaScript won't execute, plugins won't play, tracking pixels won't download, etc.
* You do not have to solely rely on just one particular curated blacklist (arguably with many missing entries) outside which nothing else can be blocked: You are in full control.
* Ease of use: uMatrix lets you easily whitelist/blacklist net requests which originate from within a web page according to a point-and-click matrix:
  - domain names (left column)
    * from very specific
    * to very generic
  - type of requests (top row)
    * cookies
    * CSS-related resources (stylesheets and web fonts)
    * images
    * plugins
    * scripts
    * XHR (requests made by scripts)
    * frames
    * others

You can blacklist/whitelist a single cell, an entire row, a group of rows, an entire column, or the whole matrix with just one click.

uMatrix's filtering engine uses precedence logic to evaluate what is blocked/allowed according to which cells are blacklisted/whitelisted. For example, this allows you to whitelist a whole page with one click, without having to repeatedly whitelist whatever new data appear on the page.

All rules are scoped. For example, you can block `facebook.com` and `facebook.net` everywhere except when visiting a page on `www.facebook.com`. This way Facebook won't be able to build a profile of your browsing habits.

The goal of this extension is to make the allowing or blocking of web sites, wholly or partly, as straightforward as possible, so as to encourage users to care about their privacy.

The extension comes with 3rd-party hosts files totaling over 62,000 distinct hostnames (lists can be selectively disabled/enabled according to your choice).

Ultimately, you can choose however you browse the net:

* Blacklist all by default, and whitelist as needed (default mode).
* Whitelist all by default, and blacklist as needed.

Either way, you still benefit from the preset blacklists so that at least you get basic protection from trackers, malware sites, etc. Or you can disable all of these preset blacklists. Your choice.

Randomly assembled documentation: https://github.com/gorhill/uMatrix/wiki

=====

This extension is also useful to understand what the web page in your browser is doing, often without your knowledge. You have full ability to see and decide with whom a web page communicates, and to restrict these communications to specific classes of objects within the web page.

The number which appears in the extension icon corresponds to the total number of distinct requests attempted (successfully or not depending on whether these were allowed or blocked) by the web page.

Simply click on the appropriate entry in the matrix in order to white-, black- or graylist a component. Graylisting means the blocked or allowed status will be inherited from another cell with higher precedence in the matrix.

Red square = effectively blacklisted, i.e. requests are prevented from reaching their intended destination:

* Dark red square: the domain name and/or type of request is specifically blacklisted.
* Faded red square: the blacklist status is inherited because the entry is graylisted.

Green square = effectively whitelisted, i.e. requests are allowed to reach their intended destination:

* Dark green square: the domain name and/or type of request is specifically whitelisted.
* Faded green square: the whitelist status is inherited because the entry is graylisted.

The top-left cell in the matrix, the "all" cell, represents the default global setting, which allows you to choose whether allowing or blocking everything is the default behavior. Some prefer to allow everything while blocking exceptionally. My personal preference is of course the reverse, blocking everything and allowing exceptionally.

This extension is also useful if you wish to speed up your browsing, by globally blocking all requests for images as an example.

=====

BUGS, ISSUES: https://github.com/gorhill/uMatrix/issues
SOURCE CODE: https://github.com/gorhill/uMatrix (GPLv3)
CHANGE LOG: https://github.com/gorhill/uMatrix/releases

Risk Assessment

Pending · 0 out of 100 · MINIMAL

0 security findings detected across all analyzers

Firefox extension requesting 11 permissions

No Threats Detected

This extension passed all security checks

No Findings

All security checks passed

AI Security Report

AI Security Analysis: uMatrix

Analysis generated: 2025-12-11T17:32:25+13:00
Model: gemini-3-pro-preview


Quick Facts

Property            Value
UUID                2f479866-d78b-54ac-9b36-d454e36c7c57
Type                firefox
Version
Users               17110
Risk Score          100.0/100 (CRITICAL)
Malware Detected    ⚠️ Yes
Secrets Exposed     ✅ No
Critical Vulns      ✅ No

AI Analysis

Executive Summary

The security assessment for uMatrix presents a classic "false positive" scenario common when analyzing security tools. While the calculated risk score is CRITICAL (100/100), this is primarily driven by the extension containing extensive lists of malicious domains for the purpose of blocking them, which the scanner has interpreted as Indicators of Compromise (IOCs). uMatrix is a legitimate, advanced firewall extension developed by Raymond Hill (a highly respected developer in the privacy community). The primary security concern is not malware, but rather that the project is archived and no longer actively maintained, which poses long-term compatibility and security risks.

Threat Assessment

The automated analysis has flagged uMatrix as malicious due to the nature of its functionality. A detailed breakdown of the threats follows:

  • Massive Volume of IOCs (65,643 findings): The scanner identified over 65,000 "Indicators of Compromise." uMatrix functions by using blocklists (hosts files) to prevent the browser from connecting to tracking and malware domains. The scanner has detected these domains inside the extension's code/files and flagged the extension as harboring malware. In reality, these are blocklists, not destination lists.
  • YARA Signature Matches (High Severity):
    • postinstall_network_communication: uMatrix is designed to fetch updated blocklists from remote servers immediately after installation and periodically thereafter. This is legitimate behavior for this specific tool.
    • postinstall_file_manipulation & LocalStorage: The extension requires extensive local storage to save complex user rules, matrix states, and cached blocklists.
    • postinstall_system_command: This is the most concerning tag, but in the context of a complex extension like uMatrix, this often triggers on legitimate browser API calls (like runtime.connect) or generic variable names in the minified JavaScript that resemble system execution commands. Given the developer's reputation, this is likely a heuristic false positive.
  • Developer Reputation: Raymond Hill (gorhill) is the creator of uBlock Origin and uMatrix. He is a trusted figure in the open-source community. The "Verified Publisher: false" status likely reflects the platform's specific verification criteria or the fact that the project is archived.

Risk Justification

Adjusted Risk Level: LOW (Security) / MEDIUM (Maintenance)

The automated score of 100/100 is INFLATED and misleading.

  • Why it scored 100: The sheer volume of "malicious domains" found in the text files within the extension triggered a maximum severity response.
  • Why it is actually Low Risk: The "malicious" domains are present to protect the user, not to exploit them. The behavioral signatures (network, file manipulation) are consistent with the documented features of a firewall extension.
  • The Real Risk: The project is archived. It does not receive security updates or patches for new browser vulnerabilities.

Key Findings

  • False Positive IOC Flood: 65,643 findings are attributed to known malicious domains found within the extension's blocklists (e.g., "Malware Domains List", "EasyList").
  • Legitimate Network Activity Flagged: Multiple postinstall_network_communication findings correspond to the extension's auto-update mechanism for fetching third-party rule assets.
  • Legacy Storage Methods: The LocalStorageShouldNotBeUsed finding indicates the use of older storage APIs, which is expected given the age of the codebase.
  • Heuristic Mismatches: High-severity tags regarding "crypto operations" and "file manipulation" are standard operations for an extension that verifies asset integrity (hashing) and stores large rulesets.

Recommendations

  1. Ignore the Malware Score: Acknowledge that the 100/100 score is a false positive resulting from the scanner analyzing a security tool's blocklists.
  2. Verify Source Integrity: Ensure this specific instance of uMatrix matches the official hash from the Mozilla Add-ons store or the GitHub repository to ensure it is not a "trojanized" clone.
  3. Transition Plan: Acknowledge that uMatrix is end-of-life software. While not malicious, it is no longer maintained.
  4. Manual Review of "System Command": If resources allow, a manual code review of the specific line triggering postinstall_system_command should be conducted to definitively rule out a supply-chain injection, though this is unlikely in the official version.

Mitigation Strategies

If the organization requires the granular control uMatrix provides:

  • Verify the UUID: Ensure the installed UUID matches the official Firefox Add-on store entry to prevent installing a copycat.
  • Disable Auto-Update of Assets (Optional): If strict network control is required, administrators can disable the auto-updating of blocklists within the extension settings, though this reduces the extension's efficacy.
  • Preferred Alternative: Transition users to uBlock Origin (also by Raymond Hill) in "Medium Mode" or "Hard Mode." This provides similar granular blocking capabilities but is actively maintained and updated against modern threats.

Confidence Assessment

Confidence: 95%
I am highly confident that the "malware" findings are false positives caused by the presence of blocklists. The analysis of the developer and the tool's known functionality directly contradicts the automated risk score. The remaining 5% uncertainty accounts for the theoretical possibility of a supply-chain attack on the specific binary analyzed, which can only be ruled out by comparing the file hash against the official source.


Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.
