I believe this is the post you're looking for. https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
Cheers! On Tue, 2 Jun 2015 16:32 bernard <[email protected]> wrote: > I haven’t read this full e-mail as it’s a bit dense, but is there any > place I can find out about "this latest announcement from Mozilla “? > > Thanks in advance, > Bernard > > > > Begin forwarded message: > > > > From: [email protected] > > Subject: New extension signing scheme and US government > interference/censorship > > Date: 2 June 2015 12:27:28 BST > > To: [email protected] > > > > With this latest announcement from Mozilla it destroys the security and > authenticity of end-to-end encrypted HTML5 applications. For example HTML5 > apps like CryptoCat, ProtonMail, MEGA, Tutanota and so on are all doomed > because of this shortsighted decision. > > > > Let's take a look at the options for making a truly secure HTML5 crypto > application. > > > > 1) HTTPS. Actually no, you can't serve your secure end-to-end crypto > application via TLS because an attacker can just modify the JavaScript code > and tweak it to backdoor the encryption. TLS is vulnerable to the NSA/GCHQ > as has been proven in recent leaks. There are new protocol and crypto flaws > appearing in TLS all the time. NSA is on the IETF standards committee, > making sure things stay insecure and improve only at a snails pace. The > common libraries for TLS are poorly written with major crypto flaws e.g. > OpenSSL. The whole design of TLS and Certificate Authorities is awful > making connections completely vulnerable to active MITM attacks by > governments or spy agencies that have access to a root certificate already > trusted in the browser. They can sign for whatever site they feel like, > modify the code in transit as it crosses their networks and nobody is any > wiser. Don't even get me started on government controlled protocols like > DANE which utterly fail to prevent mass surveil > > lance as well. Even if you were special and got your app's public key > pinned in all the major browsers your security is only as strong as this > broken protocol. A security product is only as strong as its weakest link. > > > > 2) Chrome extension. This is no longer possible due to the closed Chrome > web store. All developer's unsigned addons are uploaded as-is to the app > store via the "trustworthy" HTTPS protocol above. Then Google serves it to > addon users signed by Google in their closed source browser. Who in their > right mind trusts Google to serve them a trustworthy version of the > application? Google is a PRISM surveillance partner with the NSA. Also you > have to be crazy to be running a closed source browser in today's world and > trying to have any meaningful security. > > > > 3) Firefox extension. Actually no longer secure either now after this > announcement takes effect. Mozilla signing an extension has little to no > value at all for an end-to-end encrypted app. Users need to know that the > application they are downloading is actually the application that was made > by the developer. The developer themselves need to sign it to prove it came > from them! Unfortunately we cannot trust Mozilla not to tamper with the > code of secure crypto addons. Mozilla is a US based > organisation/corporation and in the US there are National Security Letters, > Patriot Act Demand Letters and secret FISA court orders. All of which can > be used to force Mozilla to hand over their private signing keys to the NSA > who can then secretly backdoor any application as it's being downloaded > from the Firefox app store. They can then target individuals such as > politicians, journalists, activists etc or use it to infect millions of > users with surveillance malware. Think this is too unbeliev > > able? NSA already does it with the Google Play store. > firstlook.org/theintercept/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/. > Think you're immune to this? Think again. > > > > I wonder if Mozilla have already received a National Security Letter > demanding that they implement this harebrained signing scheme so that the > NSA can infect anyone running a crypto Firefox extension and backdoor the > crypto. Brendan Eich warned and pleaded with the community to watch the > Firefox source code carefully in case backdoors got added. Even then it > appeared they may have received a secret court order. Mozilla is either > compromised by the US government or Mozilla have gone completely off the > rails and lost the plot completely. From reading the comments on the > initial announcement page, 99% of Firefox users are completely opposed to > the idea. You're not acting in the best interests of the community. Is > Mozilla just going to go ahead anyway and force their stupidity upon > everyone? Let this be a warning to Mozilla: the open source community _can_ > fork your software without these restrictions then take all of your users. > You are signing your own death warrant if you cont > > inue down this draconian path. > > > > Here are some sensible solutions instead: > > > > 1) Let developers cryptographically sign their own addons. Users can > voluntarily install apps that are not available in the app store by > downloading them from the developer's site or manually loading them into > the browser (drag and drop the extension file). No special pre-release or > development builds should be required for this, just the regular version > that everyone else uses. Maintain a blocklist of malware extensions within > the browser if you need to. Doing this is at the user's own risk so throw a > big warning about loading external extensions so the user is well aware of > what they're doing. > > > > 2) For inclusion in the app store it should be cryptographically signed > by the developer _also_ reviewed by Mozilla _and_ signed by Mozilla as > well. Users can pin the public key of the developer by obtaining the public > key via a trusted method (e.g. Web of Trust, Namecoin) then loading it into > the browser via a dialog or section in the UI for this. When downloading a > new extension the browser would check the developer's and Mozilla's > signatures of the app at install time and before downloading an automatic > update. > > > > 3) Without options 1) and 2) above, the only remaining option for > developing a secure HTML5 end-to-end crypto app will be to avoid broken > HTTPS and app stores entirely. For example, make a full page HTML5 app that > loads from an index.html file on the local filesystem. Package the app > files in a zip file. Sign the zip file with GnuPG. Serve the zip file from > a website along with the GnuPG signature file. Put the GnuPG public key and > fingerprint in the Namecoin blockchain (or share it with users directly via > Web of Trust). Users can verify the public signing key from the blockchain, > download the zip and signature files, verify it is authentic, finally unzip > and run the index.html file. This is not as user friendly as downloading an > extension and just running it however. > > > > These solutions are provably secure unlike your new authoritarian, > censorship prone app store design. Go back to the drawing board please and > stop pandering to the US government. > > _______________________________________________ > > addons-user-experience mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/addons-user-experience > > _______________________________________________ > dev-privacy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-privacy > _______________________________________________ dev-privacy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-privacy
