On Feb 6, 2010, at 10:43 AM, Eddy Nigg wrote:

> On 02/06/2010 08:30 PM, Lucas Adamski:
>> I don't think it would have made a tremendous difference here. One
>> of them was likely infected accidentally (only one version of the
>> addon contained malware and the developer is actively communicating
>> with us).
>
> In this case perhaps - in another case you perhaps will stay with
> the damage and never hear from the "developer".

The point is even a legitimate, well-intentioned developer with a code
signing cert could ship malware by accident.

>> Code signing doesn't prevent malicious code from being inserted
>> into an addon. Yes, it makes it much harder for hobbyist
>> developers to create addons but doesn't stop the bad guys from
>> getting their hands on *some* code signing cert, either by stealing
>> one or via a shell company in some foreign country.
>
> Errr...I hope not, otherwise what's the point of code signing
> certificates anyway?

It's not hard for bad guys to get *a* code signing certificate. In a
previous life I encountered malicious ActiveX controls that were
signed with a valid chained cert. Never figured out if the cert was
stolen or if the org was intentionally distributing malware. But that
didn't really matter. Code signing is useful when the user is trying
to authenticate that the code they have in hand was issued by a
specific organization that they trust. If you aren't trying to make a
trust decision based upon the publisher then code signing buys you
very little. What it does create is a huge burden on developers that
requires them in many countries to be incorporated or at least have a
business license, and provide a stack of paper documents to that
effect. So the bad guys can always steal a cert or buy one via a
shell company in Russia, while many of the good guys can't buy one at
all.

Lucas.

>> The real problem IMHO is that we allow unreviewed addons to be
>> downloaded directly from AMO.
>
> Yes, but is it feasible to review every add-on? Maybe it's not such
> a burden - and what about modifications of existing add-ons? Are
> they reviewed too?

It is a big burden, I wouldn't try to sugar-coat it. However, code
signing doesn't relieve that burden in any way IMHO; they solve
orthogonal problems.

> --
> Regards
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: start...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
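The distinction Lucas draws above, that a valid signature tells you who signed a package and nothing about whether its contents are safe, as an added example that is not code from this thread or from Mozilla's add-on pipeline. It is a small Go verifier that stands in an Ed25519 key pair for an X.509 code-signing certificate and keeps two questions apart: did the named publisher's key produce this signature, and is that publisher one the verifier has decided to trust. The publisher names, payloads and trust list are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher models one code-signing identity. In X.509 terms this stands in
// for the leaf certificate; here it is just a name and an Ed25519 public key.
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// SignedAddon is a constructed stand-in for a signed add-on package.
type SignedAddon struct {
	Publisher Publisher
	Payload   []byte
	Signature []byte
}

// Verdict keeps the two questions a verifier answers separate.
type Verdict struct {
	SignatureValid   bool // did the named publisher's key sign exactly this payload?
	PublisherTrusted bool // is that publisher one we have chosen to trust?
}

// Accept is true only when both hold: a valid signature from a publisher we
// have made no trust decision about buys nothing on its own.
func (v Verdict) Accept() bool { return v.SignatureValid && v.PublisherTrusted }

// Verify checks the signature over the payload and, separately, whether the
// publisher is on the caller's trust list. Nothing here inspects the payload:
// signing authenticates origin, not behaviour.
func Verify(a SignedAddon, trusted map[string]ed25519.PublicKey) Verdict {
	v := Verdict{SignatureValid: ed25519.Verify(a.Publisher.Key, a.Payload, a.Signature)}
	if key, ok := trusted[a.Publisher.Name]; ok && key.Equal(a.Publisher.Key) {
		v.PublisherTrusted = true
	}
	return v
}

// NewPublisher generates a fresh signing identity (constructed, not a real
// publisher). The private key is what a real signer would keep in an HSM.
func NewPublisher(name string) (Publisher, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publisher{Name: name, Key: pub}, priv
}

// Sign produces a signed add-on over whatever bytes it is handed.
func Sign(p Publisher, priv ed25519.PrivateKey, payload []byte) SignedAddon {
	return SignedAddon{Publisher: p, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamper flips a byte of the payload after signing, modelling an altered package.
func tamper(a SignedAddon) SignedAddon {
	a.Payload = append([]byte{}, a.Payload...)
	a.Payload[0] ^= 0xff
	return a
}

// Scenarios runs the cases discussed in the thread and returns the verdicts.
func Scenarios() map[string]Verdict {
	good, goodPriv := NewPublisher("Example Add-on Co.")    // constructed trusted developer
	other, otherPriv := NewPublisher("Shell Company Ltd.") // constructed publisher with a perfectly valid key of its own
	trust := map[string]ed25519.PublicKey{good.Name: good.Key}

	clean := []byte("// add-on v1.0: constructed, benign payload")
	tainted := []byte("// add-on v1.1: constructed payload standing in for an accidentally bundled malicious component")

	return map[string]Verdict{
		// Trusted developer, clean build: accepted.
		"trusted-clean": Verify(Sign(good, goodPriv, clean), trust),
		// Trusted developer shipping bad code by accident: the signature is
		// exactly as valid. A signature made with a stolen copy of goodPriv
		// would look identical, which is why revocation, not verification,
		// is the control for that case.
		"trusted-tainted": Verify(Sign(good, goodPriv, tainted), trust),
		// Valid signature from a publisher nobody decided to trust: the
		// cryptography checks out, and the package is still not accepted.
		"unknown-publisher": Verify(Sign(other, otherPriv, clean), trust),
		// Package altered after signing: fails before trust is even asked.
		"tampered": Verify(tamper(Sign(good, goodPriv, clean)), trust),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-18s signature=%-5v trusted=%-5v accept=%v\n",
			name, v.SignatureValid, v.PublisherTrusted, v.Accept())
	}
}
```

The "trusted-tainted" case is the one the thread is about: the verifier accepts it, correctly, because the signature is genuine and the publisher is trusted. Whether the payload should have been shipped is a question for review, not for signature checking, which is the sense in which the two solve orthogonal problems.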
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security