Eddy Nigg wrote on 2/6/2010 7:04 AM: 
> Isn't it about time that extensions and applications get signed with
> verified code signing certificates? Adblock Plus has been doing so for a while
> now I think, perhaps others should too?
> 
> Because this isn't really comforting:
> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/

Not sure if it already exists, but it would be helpful if there was a document 
that describes the security practices of AMO; something that outlines the 
responsibilities of Mozilla, of the AMO developers, and the users, along with 
outlining the risks involved and what happens when they're realized (such as 
using the block mechanism).  That way, when news such as the above is reported, 
this document can be referenced.

Threats to address, that at least I'm aware of:

(1) Malware in add-ons (see above article)

(2) Trusted add-ons subverting each other

        
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
        
(3) Untrusted add-ons doing bad stuff.

(4) Fake add-ons posing as a trusted add-on:

        http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00128.html

(5) Trusted add-ons that pose a security risk:

        
http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/

(6) Subverting the update mechanism (this is for FF, but might apply to add-on 
updates too?):

        
http://ha.ckers.org/blog/20100204/releasesmozillaorg-ssl-and-update-fail/

(7) Subverting the blocklist mechanism (to disable, say, noscript):

        https://support.mozilla.com/en-US/kb/Add-ons+Blocklist


I'm sure there are many many more.

BTW, this presentation from OWASP DC names Eddy Nigg, Giorgio Maone, and 
developers at Mozilla (among others) as "The 10 least-likely and most dangerous 
people on the Internet":

        
http://www.owasp.org/images/1/1f/The_10_least-likely_and_most_dangerous_people_on_the_Internet_-_Robert_Hansen.pdf


- Bil
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security