Hi Bil, I don't believe we have a document precisely along the lines of what you suggest (as far as I know) but we have these other documents that are sometimes helpful:
https://developer.mozilla.org/en/Security_best_practices_in_extensions
https://addons.mozilla.org/en-US/developers/docs/policies
https://addons.mozilla.org/en-US/developers/docs/policies/reviews

-Sid

On 2/7/10 10:02 AM, Bil Corry wrote:
> Eddy Nigg wrote on 2/6/2010 7:04 AM:
>> Isn't it about time that extensions and applications get signed with
>> verified code signing certificates? Adblock Plus has been doing it for a
>> while now, I think; perhaps others should too?
>>
>> Because this isn't really comforting:
>> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>
> Not sure if it already exists, but it would be helpful if there was a
> document that describes the security practices of AMO; something that
> outlines the responsibilities of Mozilla, of the AMO developers, and the
> users, along with outlining the risks involved and what happens when they're
> realized (such as using the block mechanism). That way, when news such as
> the above is reported, this document can be referenced.
>
> Threats to address, that at least I'm aware of:
>
> (1) Malware in add-ons (see above article)
>
> (2) Trusted add-ons subverting each other:
>
> http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
>
> (3) Untrusted add-ons doing bad stuff.
>
> (4) Fake add-ons posing as a trusted add-on:
>
> http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00128.html
>
> (5) Trusted add-ons that pose a security risk:
>
> http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
>
> (6) Subverting the update mechanism (this is for FF, but might apply to
> add-on updates too?):
>
> http://ha.ckers.org/blog/20100204/releasesmozillaorg-ssl-and-update-fail/
>
> (7) Subverting the blocklist mechanism (to disable, say, NoScript):
>
> https://support.mozilla.com/en-US/kb/Add-ons+Blocklist
>
> I'm sure there are many, many more.
>
> BTW, this presentation from OWASP DC names Eddy Nigg, Giorgio Maone, and
> developers at Mozilla (among others) as "The 10 least-likely and most
> dangerous people on the Internet":
>
> http://www.owasp.org/images/1/1f/The_10_least-likely_and_most_dangerous_people_on_the_Internet_-_Robert_Hansen.pdf
>
> - Bil

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
