mouse
Premium Member
join:2007-03-29
australia

Chrome's security alert re extensions

I just started using Chrome and noticed the security alert when using extensions. In this case AdBlock - the alert states "AdBlock can access your data on all websites and access your tabs and browsing activity" - when looking into this further, the definition for the first part is: This item can read every page that you visit -- your bank, your web email, your Facebook page, and so on. Often, this kind of item needs to see all pages so that it can perform a limited task such as looking for RSS feeds that you might want to subscribe to.

Caution: Besides seeing all your pages, this item could use your credentials (cookies) to request or modify your data from websites.

Thinking about it, it seems obvious to me that the site needs to read the pages if it should have a chance to suppress any ads. However, I am wondering how this works in FF, as I don't remember a similar alert. Maybe FF does not provide any warning in this case?
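
The warning quoted in the post above is driven by what an extension declares in its manifest.json. As an added example (not part of the original thread), this Python script flags all-site host access and the `tabs` permission in a manifest; the mapping of those declarations to the two halves of the warning text is an assumption, and both sample manifests are constructed.

```python
import json

# Match patterns that cover every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return sorted findings for one extension's manifest.json text."""
    manifest = json.loads(manifest_text)
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])
    # Content scripts run inside every page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    findings = set()
    for entry in declared:
        if not isinstance(entry, str):
            continue  # skip non-string permission entries
        if entry in ALL_SITES:
            findings.add("all sites: can read and change every page you visit")
        elif entry == "tabs":
            findings.add("tabs: can see the URL and title of open tabs")
    return sorted(findings)

# Constructed sample manifests, not taken from any real extension.
BROAD = json.dumps({
    "name": "Sample blocker", "manifest_version": 2,
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["filter.js"]}],
})
NARROW = json.dumps({
    "name": "Sample feed helper", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://feeds.example.com/*"],
})

if __name__ == "__main__":
    for label, text in (("broad", BROAD), ("narrow", NARROW)):
        print(label, audit_manifest(text) or "no broad access requested")
```
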
OZO
Premium Member
join:2003-01-17

I guess that the latter could be the case...

You're right that, in order to block something, it should be able to read/analyze all web pages you visit. So it seems logical that it asks for permission to do exactly that.

therube
join:2004-11-11
Randallstown, MD

Member

to mouse
In Mozilla, an extension can do anything that the browser can do.
An extension is not limited in any manner, or sandboxed in any way.
Fickey
Terrorists target your backbone
join:2004-05-31

Member

to mouse
I'm obviously not smart enough to know, but wouldn't SSL/HTTPS prevent an extension from accessing content?
OZO
Premium Member
join:2003-01-17

SSL/HTTPS protects content from snooping while it's transmitted between the web server and the browser. Extensions work within the browser and therefore see all content already rendered within it.

mouse
Premium Member
join:2007-03-29
australia

I am still a bit baffled and unsure how to evaluate that threat. It sounds quite bad if some extension can follow me to my bank site and capture my passwords (if this is what they mean) - on the other hand, AdBlock as an example is one of the most popular extensions in FF and Chrome - I would have expected this to be an issue in this case, but apparently it is not.

norwegian
Premium Member
join:2005-02-15
Outback

I think this is like a proxy - it has to do some filtering in this behavior. While I understand what you are saying, you have 2 choices, use or do not use.
If there is an exploit of the add-ons or extensions here, then it theoretically wouldn't be much different to any other exploit.
Except of course the browser is the door to the world, whereas your localized photo-editing tool doesn't carry so much weight with it.

Good question though, who's vetting the extensions? As there has been a lot of controversy over plug-ins for other software of late, so concern here should be warranted. But as the end user, there is that 50-50 option - use or don't use. It does really answer your question though I'm afraid.

StuartMW
Premium Member
join:2000-08-06

to mouse
said by mouse:

I am still a bit baffled and unsure how to evaluate that threat.

Well, as already noted, an extension is just another part of the browser so it can access data.

That said, many popular extensions, for FF anyway, are open-source so the chance of them being malicious is reduced (although not eliminated).

I guess it comes down to trust. I haven't heard of any major extension being malicious but you might not find out until it's too late.

Reminds me of Sieur Clubin in Victor Hugo's Toilers of the Sea. He was considered extremely honest and trustworthy until the day he disappeared with all the loot.