I haven’t read this full e-mail as it’s a bit dense, but is there any place I can find out about “this latest announcement from Mozilla”?
Thanks in advance,
Bernard

> Begin forwarded message:
>
> From: [email protected]
> Subject: New extension signing scheme and US government interference/censorship
> Date: 2 June 2015 12:27:28 BST
> To: [email protected]
>
> With this latest announcement from Mozilla it destroys the security and
> authenticity of end-to-end encrypted HTML5 applications. For example HTML5
> apps like CryptoCat, ProtonMail, MEGA, Tutanota and so on are all doomed
> because of this shortsighted decision.
>
> Let's take a look at the options for making a truly secure HTML5 crypto
> application.
>
> 1) HTTPS. Actually no, you can't serve your secure end-to-end crypto
> application via TLS because an attacker can just modify the JavaScript code
> and tweak it to backdoor the encryption. TLS is vulnerable to the NSA/GCHQ as
> has been proven in recent leaks. There are new protocol and crypto flaws
> appearing in TLS all the time. NSA is on the IETF standards committee, making
> sure things stay insecure and improve only at a snail's pace. The common
> libraries for TLS are poorly written with major crypto flaws e.g. OpenSSL.
> The whole design of TLS and Certificate Authorities is awful making
> connections completely vulnerable to active MITM attacks by governments or
> spy agencies that have access to a root certificate already trusted in the
> browser. They can sign for whatever site they feel like, modify the code in
> transit as it crosses their networks and nobody is any wiser. Don't even get
> me started on government controlled protocols like DANE which utterly fail to
> prevent mass surveillance as well. Even if you were special and got your
> app's public key pinned in all the major browsers your security is only as
> strong as this broken protocol. A security product is only as strong as its
> weakest link.
>
> 2) Chrome extension. This is no longer possible due to the closed Chrome web
> store. All developers' unsigned addons are uploaded as-is to the app store
> via the "trustworthy" HTTPS protocol above. Then Google serves it to addon
> users signed by Google in their closed source browser. Who in their right
> mind trusts Google to serve them a trustworthy version of the application?
> Google is a PRISM surveillance partner with the NSA. Also you have to be
> crazy to be running a closed source browser in today's world and trying to
> have any meaningful security.
>
> 3) Firefox extension. Actually no longer secure either now after this
> announcement takes effect. Mozilla signing an extension has little to no
> value at all for an end-to-end encrypted app. Users need to know that the
> application they are downloading is actually the application that was made by
> the developer. The developer themselves need to sign it to prove it came from
> them! Unfortunately we cannot trust Mozilla not to tamper with the code of
> secure crypto addons. Mozilla is a US based organisation/corporation and in
> the US there are National Security Letters, Patriot Act Demand Letters and
> secret FISA court orders. All of which can be used to force Mozilla to hand
> over their private signing keys to the NSA who can then secretly backdoor any
> application as it's being downloaded from the Firefox app store. They can
> then target individuals such as politicians, journalists, activists etc or
> use it to infect millions of users with surveillance malware. Think this is
> too unbelievable? NSA already does it with the Google Play store.
> firstlook.org/theintercept/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/.
> Think you're immune to this? Think again.
>
> I wonder if Mozilla have already received a National Security Letter
> demanding that they implement this harebrained signing scheme so that the NSA
> can infect anyone running a crypto Firefox extension and backdoor the crypto.
> Brendan Eich warned and pleaded with the community to watch the Firefox
> source code carefully in case backdoors got added. Even then it appeared they
> may have received a secret court order. Mozilla is either compromised by the
> US government or Mozilla have gone completely off the rails and lost the plot
> completely. From reading the comments on the initial announcement page, 99%
> of Firefox users are completely opposed to the idea. You're not acting in the
> best interests of the community. Is Mozilla just going to go ahead anyway and
> force their stupidity upon everyone? Let this be a warning to Mozilla: the
> open source community _can_ fork your software without these restrictions
> then take all of your users. You are signing your own death warrant if you
> continue down this draconian path.
>
> Here are some sensible solutions instead:
>
> 1) Let developers cryptographically sign their own addons. Users can
> voluntarily install apps that are not available in the app store by
> downloading them from the developer's site or manually loading them into the
> browser (drag and drop the extension file). No special pre-release or
> development builds should be required for this, just the regular version that
> everyone else uses. Maintain a blocklist of malware extensions within the
> browser if you need to. Doing this is at the user's own risk so throw a big
> warning about loading external extensions so the user is well aware of what
> they're doing.
>
> 2) For inclusion in the app store it should be cryptographically signed by
> the developer _also_ reviewed by Mozilla _and_ signed by Mozilla as well.
> Users can pin the public key of the developer by obtaining the public key via
> a trusted method (e.g. Web of Trust, Namecoin) then loading it into the
> browser via a dialog or section in the UI for this. When downloading a new
> extension the browser would check the developer's and Mozilla's signatures of
> the app at install time and before downloading an automatic update.
>
> 3) Without options 1) and 2) above, the only remaining option for developing
> a secure HTML5 end-to-end crypto app will be to avoid broken HTTPS and app
> stores entirely. For example, make a full page HTML5 app that loads from an
> index.html file on the local filesystem. Package the app files in a zip file.
> Sign the zip file with GnuPG. Serve the zip file from a website along with
> the GnuPG signature file. Put the GnuPG public key and fingerprint in the
> Namecoin blockchain (or share it with users directly via Web of Trust). Users
> can verify the public signing key from the blockchain, download the zip and
> signature files, verify it is authentic, finally unzip and run the index.html
> file. This is not as user friendly as downloading an extension and just
> running it however.
>
> These solutions are provably secure unlike your new authoritarian, censorship
> prone app store design. Go back to the drawing board please and stop
> pandering to the US government.
> _______________________________________________
> addons-user-experience mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/addons-user-experience
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
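The user-side check from option 3 of the forwarded message (verify the zip against its detached GnuPG signature, then unpack), written out as an added example that is not part of the thread. It shows the step that is easy to miss: `gpg --verify` succeeds for a good signature from any key in the keyring, so the script also compares the signer's primary-key fingerprint with one obtained out of band. It assumes the developer's public key is already imported; all file names and fingerprints are caller-supplied placeholders.

```bash
#!/usr/bin/env bash
# Added example. File names and fingerprints passed in are placeholders
# supplied by the caller; nothing here comes from the original message.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned primary-key fingerprint and gpg reported no bad,
# expired or revoked status alongside it.
status_matches_pin() {
  local pin
  pin=$(norm_fpr "$1")
  awk -v pin="$pin" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      # Last field is the primary-key fingerprint; $3 is the signing
      # (sub)key. Fall back to $3 if the line is short.
      fpr = (NF >= 12) ? $12 : $3
      if (toupper(fpr) == pin) ok = 1
    }
    END { exit !(ok && !bad) }'
}

# verify_release <pinned-fpr> <app.zip> <app.zip.sig>
verify_release() {
  local pin="$1" zip="$2" sig="$3" status
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$zip" 2>/dev/null) || return 1
  printf '%s\n' "$status" | status_matches_pin "$pin"
}

# Stand-alone use: script <pinned-fpr> <app.zip> <app.zip.sig> <dest-dir>
# Unpack only after the check passes.
if [ "$#" -eq 4 ]; then
  verify_release "$1" "$2" "$3" && unzip -q "$2" -d "$4"
fi
```
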
