On Fri, Nov 27, 2009 at 2:39 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 26/11/09 20:32, Adam Barth wrote:
>>
>> Jetpack is an opportunity to rethink the extension security model.
>> Ideally, an extension platform would make it easier for developers to
>> write secure extensions. I'm happy to discuss ideas with folks
>> off-list.
>
> Why off-list? This is mozilla.dev.security :-)
I have a bunch of data in a not-yet-published paper that I'm not ready to
release publicly, but we can talk in general first and I can follow up with
the data in a bit after I polish up the paper.

> Every sandbox/restricted permissions system, from Java to Android apps, ends
> up having to have a way for apps to ask permission to have certain
> capabilities. And you get the inevitable problem that users just say "yes",
> because they want the app to work. Your video player needs access to your
> phonebook? What are you going to do if that seems odd - not watch videos?
>
> Similarly, there will be Jetpacks which work with your password store and
> those which don't. How do you deal with that? Just let all Jetpacks read the
> password store? Or have a permissions model? If you have one, what's to stop
> users just clicking "Yes"?

It's important to separate two concerns:

1) Malicious extensions
2) Honest extensions that have vulnerabilities (benign-but-buggy)

I agree that the malicious extension problem is somewhat intractable because
of the above concerns. However, that news article is complaining about
vulnerabilities in honest extensions.

In the current extension system, any vulnerability in an extension is a
disaster because every extension runs with the user's full authority. That
means if I XSS an extension, I can run arbitrary code on your machine. In the
DefCon talk, the presenters make this clear by installing VNC and remotely
moving the user's mouse.

A fortunate fact of the world is that the vast majority of Firefox extensions
do not require the user's full authority. (That is the statement I have a
bunch of data to back up.) If the extension ecosystem let authors restrict
the privileges of their extensions (and encouraged them to do so), then
vulnerabilities in extensions would be less severe because the attacker
would obtain less than the user's full authority by compromising an
extension.
> The only solution to this problem, IMO, is to authenticate authors, not
> code. If you know who the author is, to a sufficient level that there's some
> chance of a policeman feeling his collar if he turns out to have written
> code which steals all your passwords, then there's an incentive for good
> behaviour. (This is how EV SSL certs work.) Of course, this works against
> "anyone can author an add-on and put it on the web and have people use
> it"...

For the benign-but-buggy threat, the authors are perfectly nice people. No
amount of authenticating them is going to reduce the severity of
vulnerabilities in their extensions.

Adam
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
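The least-privilege point Adam makes above, as an added toy model in JavaScript; this is not code from the thread or from Jetpack, and the browser API surface, the `videoPlayer` extension, the `probe` stand-in for injected code and the sample password entry are all constructed for illustration:

```javascript
// Constructed stand-in for the browser's privileged API surface.
function makeBrowser() {
  const store = [{ site: "mail.example.test", user: "alice" }]; // constructed sample
  return {
    tabs: { open: (url) => `opened ${url}` },
    passwords: { list: () => store.map((p) => `${p.site}:${p.user}`) },
    process: { run: (cmd) => `ran ${cmd}` },
  };
}

// Model 1 (today's extensions): main() receives the whole browser object, so
// anything running inside the extension has the user's full authority.
function loadFullAuthority(ext, browser) {
  return ext.main(browser);
}

// Model 2: the extension declares the namespaces it needs and the loader hands
// it only those; an undeclared or unknown name is rejected at load time.
function loadLeastPrivilege(ext, browser) {
  const api = {};
  for (const name of ext.permissions) {
    if (!Object.prototype.hasOwnProperty.call(browser, name)) {
      throw new Error(`unknown permission: ${name}`);
    }
    api[name] = browser[name];
  }
  return ext.main(Object.freeze(api));
}

// Stand-in for code an attacker got to run inside a benign-but-buggy extension
// (e.g. via XSS): it records what the API object it was handed can reach.
function probe(api) {
  const can = (ns, fn) => Boolean(api[ns]) && typeof api[ns][fn] === "function";
  return {
    openTabs: can("tabs", "open"),
    readPasswords: can("passwords", "list"),
    runProcess: can("process", "run"),
  };
}

// A video player extension that legitimately needs only tabs.
const videoPlayer = { permissions: ["tabs"], main: probe };

// Blast radius of the same compromised extension under each model.
function blastRadius() {
  const browser = makeBrowser();
  return {
    full: loadFullAuthority(videoPlayer, browser),
    least: loadLeastPrivilege(videoPlayer, browser),
  };
}
```

Isolation here is only by construction of the API object; a real implementation would also have to keep the extension in a separate compartment so it cannot reach the browser object by any other path.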