Hey Mike.

On Fri, 2014-11-28 at 00:44 +0900, Mike Hommey wrote:
> a) it's not in any release of Debian, and it's not in any upcoming
> release of Debian either. It's in a package from experimental.

Well, but you know that a lot of people actually run unstable as their normal suite, and many of them pull in iceweasel from experimental, just as you guys suggest here: http://mozilla.debian.net/
Since these versions are usually up to date with what Mozilla ships, there's also not that big a problem with the missing security support in experimental.

> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproducible.

Well, but since the blob is still fetched from Cisco, they could simply replace it for certain users, and once you're hacked there's basically no way to tell whether you had a "good" version or not.

> c) the binary blob is verified against a sha256 checksum downloaded from
> a mozilla server through HTTPS with certificate pinning.

Ah... I was actually looking in the code for something like that, but couldn't find it at the place where the download apparently happens - but I only had a very short glance at it.

Could you perhaps please elaborate a bit more on how that actually works:
- the checksum over the binary download is stored on a Mozilla server?
- downloaded via HTTPS? (at that point, the way of verifying should in principle also protect against downgrade attacks, as SSL/TLS should protect against replaying... BUT this alone doesn't protect against blocking attacks)
- and you say certificate pinning? Since that could mean a lot, what exactly? Is there a hardcoded cert known to be controlled by Mozilla? Is there a hardcoded CA from the Mozilla CA bundle (which would then in principle still allow that CA to issue a forged cert to someone else)? Or is it pinning in the sense of HSTS, i.e. pinning of any cert (from any "trusted" CA - even CNNIC) on the first access (which is quite insecure IMHO)?
- has someone really checked that reproducibility?

> So it's not as bad as you make it sound.

Well... admittedly, when you say that there *is* some hash sum verification (which I just didn't find)... then it's less bad than I had thought.

Nevertheless, it's still at least remotely possible that this could have been used to compromise systems, and even if there aren't masses who run experimental, these people are probably still unhappy about that chance. If the bug had been set to a higher severity, then people with apt-listbugs would have at least noticed it :-(

> And it's not going to stay that way anyways.

It's really good we have the Iceweasel "fork" for things like these. Actually I'd also like to see that in Debian we remove certain trusted CAs, which are basically never used on the web and which are clearly untrustworthy.

Can't you make a quick release where the codec is disabled, or at least the fresh downloading of it?

What will be the policy in Debian when Mozilla adds more and more proprietary/binary stuff to FF? Like e.g. the Adobe DRM stuff. Is that going to be removed from the beginning, or will I have to take care that I don't accidentally get DRM-root-kitted with one of the first iceweasel-experimental releases?

Cheers,
Chris.