(Previous e-mail was bounced)

On Sun, Nov 29, 2009 at 8:05 PM, Adrienne Porter Felt <[email protected]> wrote:

>>> A fortunate fact of the world is that the vast majority of Firefox
>>> extensions do not require the user's full authority. (That is the
>>> statement I have a bunch of data to back up.) If the extension
>>> ecosystem let authors restrict the privileges of their extensions (and
>>> encouraged them to do so), then vulnerabilities in extensions would be
>>> less severe because the attacker would obtain less than the user's
>>> full authority by compromising an extension.
>>>
>>
>> Furthermore, this would allow the community to better scrutinize the
>> security of the smaller number of extensions that would require higher
>> privileges.
>>
>
> I generally agree with this point of view. I like the idea of combining
> community review and least privilege. If a developer asks for a lot of
> privileges (i.e., host system access), then that extension has to go through
> a review -- which may slow down getting the app listed. Fewer apps have to
> be reviewed, and more developers are willing to request a small amount of
> privileges. Only a small number of apps really need host system access, so
> that would be great.
>
> The problem that we run into here, though, is that host system access isn't
> the only thing to worry about (although it's the biggest one). Access to
> web pages can still be abused, and extensions that want web access should
> perhaps still merit review. A lot of extensions want web access, so a lot
> of extensions would still need review. I don't know what to do about that.
> We don't have the ability to do partial DOM access at the moment so we
> can't do a "web site with no password or cookie access" type of privilege.
>
> One idea might be to force a delay. Like -- if you ask for host
> privileges, your app won't even start the review process for a week. If you
> ask for arbitrary web access, your app won't start the review process for
> another 4 days. If you ask for web access to only five sites or less, your
> app starts the review process in 2 days. Etc. That might bug developers
> enough to want to use as few privileges as possible.
>
> Another point I'd like to bring up is that a least privilege system (where
> the developer clearly declares all privileges) does make it easier to
> review, even if you still have to do a lot of reviews. The reviewer knows
> exactly what the worst case scenario is; you don't need to waste time
> looking for sneaky evil system calls if you know the extension can't make
> any system calls at all.
>
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
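As an added illustration of the declare-your-privileges idea in the message above (example code written for this page, not anything from the thread, from the list's participants or from Mozilla), here is a small Python classifier that maps a hypothetical extension manifest onto the review tiers and waiting periods Adrienne floats: a week for host access, four days for arbitrary web access, two days for five sites or fewer. The manifest format (`"host"`, `"web:*"`, `"web:<site>"`), the `Tier` names and the `classify` function are assumptions made for the example; the point it demonstrates is that the declared set, not the code, bounds the worst case a reviewer has to consider, and that anything not declared is rejected rather than silently allowed.

```python
"""Hypothetical least-privilege manifest classifier (added example).

Assumed manifest shape: {"permissions": [...]} where each entry is
  "host"        -> host system access
  "web:*"       -> arbitrary web access
  "web:<site>"  -> access to one named site
The review delays are the ones floated in the thread (7, 4, 2 days).
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    NONE = 0           # nothing beyond the extension's own sandbox
    LIMITED_WEB = 1    # five sites or fewer
    ARBITRARY_WEB = 2  # any web page
    HOST = 3           # host system access (full user authority)


REVIEW_DELAY_DAYS = {Tier.NONE: 0, Tier.LIMITED_WEB: 2,
                     Tier.ARBITRARY_WEB: 4, Tier.HOST: 7}
MAX_LIMITED_SITES = 5  # "five sites or less" per the thread


@dataclass(frozen=True)
class Review:
    tier: Tier
    delay_days: int
    sites: frozenset      # normalized declared sites (empty when not site-scoped)
    worst_case: str       # what a reviewer must assume the extension can do


def _normalize_site(site: str) -> str:
    """Canonicalize a declared site so duplicates collapse; reject patterns
    that would widen the grant (wildcards, paths, empty names)."""
    site = site.strip().lower().rstrip(".")
    if not site or any(ch in site for ch in "*/ "):
        raise ValueError(f"malformed site declaration: {site!r}")
    return site


def classify(manifest: dict) -> Review:
    """Return the review tier implied by the declared permissions.
    Undeclared or unknown permission strings are an error: least privilege
    means the reviewer never has to guess at an implicit grant."""
    perms = manifest.get("permissions", [])
    if not isinstance(perms, list):
        raise ValueError("permissions must be a list")
    host = arbitrary = False
    sites = set()
    for p in perms:
        if not isinstance(p, str):
            raise ValueError(f"permission must be a string, got {p!r}")
        if p == "host":
            host = True
        elif p == "web:*":
            arbitrary = True
        elif p.startswith("web:"):
            sites.add(_normalize_site(p[len("web:"):]))
        else:
            raise ValueError(f"unknown permission: {p!r}")

    if host:
        tier, worst = Tier.HOST, "full user authority on the host system"
    elif arbitrary:
        tier, worst = Tier.ARBITRARY_WEB, "read/modify any web page"
    elif len(sites) > MAX_LIMITED_SITES:
        # Still site-scoped, but too many sites for the short queue.
        tier, worst = Tier.ARBITRARY_WEB, f"web pages on {len(sites)} declared sites"
    elif sites:
        tier, worst = Tier.LIMITED_WEB, f"web pages on {len(sites)} declared site(s)"
    else:
        tier, worst = Tier.NONE, "nothing outside the extension's own sandbox"
    return Review(tier, REVIEW_DELAY_DAYS[tier], frozenset(sites), worst)


if __name__ == "__main__":
    # Constructed sample manifests for a quick demonstration.
    for m in ({"permissions": []},
              {"permissions": ["web:Example.com", "web:example.com."]},
              {"permissions": ["web:*"]},
              {"permissions": ["web:*", "host"]}):
        r = classify(m)
        print(f"{m['permissions']!r:40} -> {r.tier.name:14} "
              f"wait {r.delay_days}d; worst case: {r.worst_case}")
```

Note that the site-count rule is applied after normalization, so `web:Example.com` and `web:example.com.` count as one site, and a wildcard smuggled into a site entry (`web:*.example.com`) is rejected instead of being quietly treated as arbitrary access.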
