On 08.02.2010 22:40, Eddy Nigg wrote:
> On 02/08/2010 09:28 PM, Lucas Adamski:
>>> In this case perhaps - in another case you perhaps will stay with the
>>> damage and never hear from the "developer".
>>
>> The point is even a legitimate, well-intentioned developer with a code
>> signing cert could ship malware by accident.
>
> Right - and I believe that this isn't the problem code signing is
> intended to solve. However it does protect from tampering as Steven
> pointed out in the other list.
>

The addons in question were not tampered with, as far as I know. One was malicious to begin with, the other one was just a false positive, i.e. not evil at all.
>> If you aren't trying to make a trust decision based upon the publisher
>> then code signing buys you very little. What it does create is a huge
>> burden on developers that requires them in many countries to be
>> incorporated or at least have a business license, and provide a stack
>> of paper documents to that effect.
>
> Today you can get code signing certificates as individuals too.
> Sometimes that's even better than some Isle of Man limited liability
> company held by one guy and set up through online registration.
>

Why would I want to trust an addon because it says some random guy named "Eddy Nigg" - suppose I never heard that name before - signed the addon? What happens if somebody with the same name (or a straw man with that name) as the author of a popular addon gets a signing cert? The same name will be shown. If the name of the author is "John Smith", you'd better not develop addons? Or, as a user, not trust an author with this name?

>>> Yes, but is it feasible to review every add-on? Maybe it's not such a
>>> burden - and what about modifications of existing add-ons? Are they
>>> reviewed too?
>>
>> It is a big burden, I wouldn't try to sugar coat it. However code
>> signing doesn't relieve that burden in any way IMHO, they solve
>> orthogonal problems.
>
> You are right. But perhaps it might be of help to know that this
> developer is the same one as last time and he signed his code. Knowing
> that there is a real person (or organization) behind the code might be
> of help too.
>

As pointed out already, all public (i.e. non-experimental) extensions were reviewed by an editor. The same is true for public updates. If there is obfuscated code or binary components, authors have to provide the sources. Experimental addons were not reviewed; only some automated AV checking is performed (that failed in this case). The scans (in number and frequency) were already enhanced after this. Hence they have a warning (which I agree is not strong enough right now).
Updates for experimental addons do not get pushed to the users; if you want to update an experimental addon you actually have to go to AMO again and reinstall the new version.

When updating an extension you cannot be sure it's still the same guy who signed the prior version. See the name collision argument. Transfer of ownership (including name). Furthermore there is no real GUI for showing signing info on updates. And even if there was, it would be too noisy (many updates in a list) or too cumbersome (confirm each update). Furthermore most users don't care anyway, as with any other information/warning message.

Then the author might be evil, but the first few versions didn't contain any malware, to build trust. Then a version containing malware is published... to be changed back to a version sans malware a few thousand downloads later to avoid drawing too much attention.

I think that code signing is far less useful than using server certs (SSL/TLS), because when using server certs at least the name shown corresponds in some way to the domain name (either the domain name itself or the company name in case of EV). Furthermore TLS security info (cert owner info) is shown far more regularly, so that it is easier to remember. Remembering that https://paypal.com/, a site you visit multiple times a month, shows Paypal is far easier than remembering that AdblockPlus, an addon with infrequent updates that you forget about in between because it silently does its job, shows "Wladimir Palant". You can only hope that somebody would recognize a name change and would report it to the "authorities" instead of just canceling the install. One could also generate automated notifications to have editors check; but how would this be different from a regular review?

Signing addons is indeed a burden. Not only monetary. You need to manage the cert(s) (which is an administrative burden, especially when you're not the sole developer but actually a team). You might need to change your build process and build tools and so on. Lots of hobbyist programmers are knowledgeable enough to build helpful small extensions messing with the DOM here and there, but often they are not as knowledgeable when it comes to security (cryptography), PKI, code signing etc. Why should I, as a user, trust that each and every developer knows how to use that technology correctly and safely?

I'm not saying that code signing is completely useless. But the effort of getting a code signing cert and learning the process and tools and updating the build process compared to the use of code signing isn't justified in my eyes. We already have a form of identity/authentication: AMO accounts, which are as good as or even better than code signing; having the password stolen or having the cert private key + possible passphrase stolen isn't such a difference in reality, provided the development system is breached. I have to trust Mozilla (server cert (see above) and system integrity) and the author (via account and associated information such as reviews) in this case instead of trusting only the author (cert) and the issuing CA.

Having said all this, I don't get why addons are suddenly so special. I don't hear people screaming that Microsoft Windows should only allow signed components to run because there is malware. Or that *nix should only run software that you compiled yourself from digitally signed sources. Addons are software. They are as easy or hard to execute as every other piece of software. What's the difference between, say, downloading a .exe PE binary from some random software archive (with or without reputation) and running it, and downloading and running an extension from AMO? I mean other than that extensions on AMO are either reviewed or clearly marked as not having been reviewed at all (be careful, the red is there for a reason), something that is not necessarily true for the random software archive.
Cheers
Nils

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
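The thread's name collision and update continuity arguments in working code. This is an added example, not code from the mailing list or from Mozilla's AMO or signing tooling, and it uses a simplified stand-in for a signed add-on: an Ed25519 key pair in place of a CA-issued certificate, a `SignedAddon` struct, a constructed add-on id, the display name "John Smith" from the thread, and deterministic demo keys (`NewDevKey`) so it runs offline. It contrasts two verifier policies: `NameOnlyAccept`, which trusts a valid signature plus a matching display name (and therefore accepts an update signed by a different key under the same name), and `PinStore.Install`, which pins the signing key's fingerprint at first install and refuses a later update from a different key even when the shown name is identical. Plain tampering with the package bytes is caught by the signature alone in both policies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedAddon is a constructed stand-in for a signed add-on package: the
// name shown to the user (as it would come from the certificate subject),
// the signer's public key, the package bytes, and an Ed25519 signature.
type SignedAddon struct {
	ID        string // add-on identifier (constructed value in the demo)
	Signer    string // human-readable signer name shown in the UI
	PubKey    ed25519.PublicKey
	Payload   []byte
	Signature []byte
}

// NewDevKey derives a deterministic demo key from a one-byte seed so the
// example runs offline; a real developer key is never built this way.
func NewDevKey(seed byte) ed25519.PrivateKey {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	return ed25519.NewKeyFromSeed(s)
}

// Fingerprint is the SHA-256 of the public key; this, not the name, is
// what the verifier pins.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// signingInput binds the displayed name to the payload so a signature
// cannot be re-labelled with a different name.
func signingInput(signer string, payload []byte) []byte {
	return append([]byte(signer+"\n"), payload...)
}

// Sign is the developer side: sign a package under a given display name.
func Sign(id, signer string, priv ed25519.PrivateKey, payload []byte) SignedAddon {
	return SignedAddon{
		ID:        id,
		Signer:    signer,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingInput(signer, payload)),
	}
}

// NameOnlyAccept is the weak policy the thread criticises: a valid
// signature plus a matching display name is enough.
func NameOnlyAccept(expectedName string, a SignedAddon) bool {
	return ed25519.Verify(a.PubKey, signingInput(a.Signer, a.Payload), a.Signature) &&
		a.Signer == expectedName
}

var (
	ErrBadSignature  = errors.New("signature does not verify")
	ErrSignerChanged = errors.New("signing key differs from the one pinned at first install")
)

// PinStore maps add-on id to the fingerprint of the key that signed the
// first installed version (trust on first use).
type PinStore map[string]string

// Install verifies the signature, then enforces key continuity: an update
// signed by a different key is refused even if the shown name is identical.
func (ps PinStore) Install(a SignedAddon) error {
	if !ed25519.Verify(a.PubKey, signingInput(a.Signer, a.Payload), a.Signature) {
		return ErrBadSignature
	}
	fp := Fingerprint(a.PubKey)
	if pinned, ok := ps[a.ID]; ok && pinned != fp {
		return fmt.Errorf("%w: name %q, pinned %s..., offered %s...",
			ErrSignerChanged, a.Signer, pinned[:8], fp[:8])
	}
	ps[a.ID] = fp
	return nil
}

func main() {
	const id = "demo-addon@example.invalid" // constructed add-on id
	author, impostor := NewDevKey(0x01), NewDevKey(0x02)
	store := PinStore{}

	v1 := Sign(id, "John Smith", author, []byte("v1 package bytes"))
	fmt.Println("v1 install:", store.Install(v1)) // <nil>

	// Same displayed name, different key: the name collision from the thread.
	v2 := Sign(id, "John Smith", impostor, []byte("v2 package bytes"))
	fmt.Println("name-only policy accepts v2:", NameOnlyAccept("John Smith", v2)) // true
	fmt.Println("pinned policy on v2:", store.Install(v2))                      // signer changed

	// Modified package bytes: plain tampering is caught by the signature itself.
	v1.Payload = append(v1.Payload, '!')
	fmt.Println("tampered v1:", store.Install(v1)) // signature does not verify
}
```

The pin is keyed on the add-on id, so a legitimate ownership transfer or key rotation would surface as `ErrSignerChanged` too; that is the point where a reviewer or an editor notification, rather than the user, has to decide, which is exactly the question the thread raises about whether this differs from a regular review.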
