On 20/03/12 19:12 PM, Ian Bicking wrote:
On Tue, Mar 20, 2012 at 2:08 AM, lkcl<luke.leigh...@gmail.com> wrote:
ok. so. a summary of the problems with using SSL - and CSP,
and "pinning" - is described here:
https://wiki.mozilla.org/Apps/Security#The_Problem_With_Using_SSL
the summary: it's too complex to deploy, and its deployment results in
the site becoming a single-point-of-failure [think: 1,000,000 downloads
of angri burds a day].
I don't think I entirely understand what that section is referring to – in
the first section maybe it is referring to client certificates? I don't
think https alone is unscalable. And yes, there are other kinds of attacks
on SSL; some of which we can actually handle (like with pinning – I'm not
sure why pinning causes problems?)
Ben Francis wrote this:
==========
The Open Web Apps team has proposed a model very similar to the Chrome
Web Store model with three important differences:
1) There shouldn't be just one web app store run by one
corporation, anyone should be able to run their own web app store and
users should be able to install apps from stores they trust, without the
intervention of Mozilla or anyone else.
2) Web app developers should be able to list their web apps in multiple
app stores and even host their own apps on their own web server and have
a direct relationship of trust with the user.
3) The JSON app manifest and referenced icons should be hosted on the
web, rather than packaged in a funny proprietary zip-like .crx file -
note that Google is actually also now proposing to make this change
themselves, to make projects like Mozilla's Apps project easier!
http://code.google.com/intl/en-US/chrome/apps/docs/no_crx.html
==========END
Now, given that basic layout and assuming that is what is wanted, we
have an issue for the developer. The developer wants to be able to
upload to several sites quickly.
If each site does their own code-review, then they lose. That's because
I can run a site that downloads off that site, and then pass on the
benefit of the code-review. I leech off the costs incurred by the
primary site, and I can spend my resources on marketing not code review.
Alternatively if we all promise to do X-code review or other barriers,
these are all imposed on the developer. So in order to get broad
exposure across N stores, the developer must incur X*N costs. That's a
woftam.
Occam's razor slices that away. If there is any code review, it will be
done external to the site, and will be uploaded to the site with the
product. The uploading and downloading by the developer and user will
be slick - so the hosting site doesn't do any more than it has to.
Therefore quality of the app must be totally separated from the site.
Sure, Apple does it differently and for their market it makes sense to
build the walled garden. Google gets away with one-store-open-uploads only
because of its relationship to Android.
Under the minimalist multi-shop Mozilla scenario, everything travels
with the package (however that is managed). The site is just another
router on the net; albeit a helpful one. It itself cannot do much for
the trust & quality side of the code within.
Under this scenario, SSL adds very little. It hides the download, but
who cares about that? It "authenticates" the download, but the download
must be self-authenticating already as above. So all it adds is
placebo, and that comes at the cost of scalability.
BTW, it is Mozilla's firm policy to insist on 2048 bit scalability
where 1024 slickability would do fine for this application :P But I
didn't say that...
iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security