I actually liked the idea of "more privilege for "installed" apps, less for "remote" apps" - the number of apps that will need elevated permissions is a very small percentage (and I think that was B2G's original plan?). As I understand it, Gaia apps are already static HTML apps (i.e. it would be easier to package and sign these applications than normal websites), and these would be the main apps which require critical privileges. I suppose that developers will not want to be tied down to a static HTML model though.
Maybe it doesn't have to be a two-tier system - but I think it makes sense for there to be specific security requirements that need to be met in order to be granted critical permissions. I think trying to enforce a blanket set of requirements across the gamut of permissions will result in a model that compromises on both ends (it will be heavy-handed for apps which don't require permissions, and not strict enough for critical permissions).

- Paul

> On 3/14/2012 2:50 PM, Fabrice Desré wrote:
>> Lucas,
>>
>> Are you considering signing the html/js/css/other-content from apps?
>>
>> I can understand the nice properties that would give us, but that looks extremely impractical in real life. Web sites change all the time, which is not the case of native apps distributed from a store.
>>
>> Fabrice
>>
>> On 03/14/2012 02:35 PM, Lucas Adamski wrote:
>>> My understanding is that there will be multiple app stores. But code signing has another benefit: reducing systemic risk.
>>>
>>> This assumes code signing and sane key management, but let's say there's a very popular app with significant privileges. To compromise a large number of people, you'd need to:
>>> a) compromise the site hosting the app
>>> b) compromise the key signing the app (assuming you require app updates to be signed with the same key)
>>> c) compromise or trigger the update mechanism for the app
>>> d) wait for updates to trickle out
>>>
>>> This is a tedious process that slows down exploitation, and that's no fun.
>>>
>>> If app authentication relies only on SSL, then you just need to pop a web server (which isn't hard, really). Everyone using the app gets owned simultaneously.
>>> Lucas.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security