On Nov 27, 7:42 pm, Adam Barth <[email protected]> wrote:
> It's important to separate two concerns:
>
> 1) Malicious extensions
> 2) Honest extensions that have vulnerabilities (benign-but-buggy)

Absolutely. And I also completely agree with the rest of Adam's post (below). Just let me add my 2 cents - two more advantages to introduce a `real` protection mechanism for extensions:

1. It would allow Mozilla and the community to inspect more carefully sensitive extensions (those requiring strong capabilities), for vulnerabilities (and intentional abuse / trapdoors).
2. It would allow users or user agents to decide whether to install a specific extension based on its `capabilities profile`. Yes, naive users may not be able to do this, but sysadmins may define defaults for an organization, and anti-virus programs etc. can set up such values.

So, I think this is a good idea. It may require significant work to do this well, though... but this can be fun!

Best, Amir Herzberg

>
> I agree that the malicious extension problem is somewhat intractable
> because of the above concerns. However, that news article is
> complaining about vulnerabilities in honest extensions.
>
> In the current extension system, any vulnerability in an extension is
> disaster because every extension runs with the user's full authority.
> That means if I XSS an extension, I can run arbitrary code on your
> machine. In the DefCon talk, the presenters make this clear by
> installing VNC and remotely moving the user's mouse.
>
> A fortunate fact of the world is that the vast majority of Firefox
> extensions do not require the user's full authority. (That is the
> statement I have a bunch of data to back up.) If the extension
> ecosystem let authors restrict the privileges of their extensions (and
> encouraged them to do so), then vulnerabilities in extensions would be
> less severe because the attacker would obtain less than the user's
> full authority by compromising an extension.
>
> > The only solution to this problem, IMO, is to authenticate authors, not
> > code. If you know who the author is, to a sufficient level that there's some
> > chance of a policeman feeling his collar if he turns out to have written
> > code which steals all your passwords, then there's an incentive for good
> > behaviour. (This is how EV SSL certs work.) Of course, this works against
> > "anyone can author an add-on and put it on the web and have people use
> > it"...
>
> For the benign-but-buggy threat, the authors are perfectly nice
> people. No amount of authenticating them is going to reduce the
> severity of vulnerabilities in their extensions.
>
> Adam
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
