> > So now you trust a user-writable reference over a non-writable installed
> > CA crt (I hope soon to be replaced by website-provided keys signed by
> > mozilla/Google)
>
> Are you trying to say that there is a meaningful class of attacks that can
> modify a user's bookmark store and still not be able to install additional
> plugins, add-ons or browser extensions? Perhaps the attacker does not have a
> local exploit to edit keys saved in the system, but he can pretty much always
> divert the browser to use other stuff. Notice that all(?) browsers also allow
> adding additional CAs by the user...
There are various restrictions a browser, and even plugins, impose on SSL connections. Doing this could bypass all of them without the attacker gaining root, and on some systems (RBAC/Linux or schg/OpenBSD) even root exploits may not help, or at least leave the attacker the more difficult task of attacking memory. A user may restart the browser, use another browser, or even restart the computer before doing banking etc., which an editable CA file could thwart, requiring new checks or making lockdown of a profile more important.

From experience of MITM proxies such as OpenBSD's relayd, which recently added support for replacing the SSL connection with its own keyed connection to allow monitoring within a hopefully secure local network, I believe there are warnings about added CAs (there should be if there isn't).

--
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy)
_______________________________________________________________________

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
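The practical check behind this thread is whether a per-user, writable trust store already carries CA entries the user did not consciously install. The script below is an added example and is not code from the thread or from Mozilla or OpenBSD. It assumes the store is an NSS database (a Firefox profile or ~/.pki/nssdb) listed with `certutil -L -d sql:<dir>`; the listing it parses is a constructed sample, and the nickname "relayd ssl inspect" is made up to stand in for an interception CA of the kind relayd's SSL replacement would require a client to trust.

```python
"""Find CA trust anchors in a user-writable NSS certificate store.

Added example for the dev-security thread, not the project's own code.
Assumptions: the store is an NSS sql database, `certutil -L -d sql:<dir>`
is available when querying a real store, and its output has the
"nickname <spaces> SSL,S/MIME,JAR/XPI" column layout parsed below.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `certutil -L` output; every entry is made up.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root                                            C,,
relayd ssl inspect                                           CT,C,C
my-client-cert                                               u,u,u
Some Peer Host                                               P,,
"""

# One entry line: a nickname, at least two spaces, then three comma-separated
# trust-flag fields. Header lines never carry two commas, so they are skipped.
_ENTRY_RE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


@dataclass(frozen=True)
class CertEntry:
    nickname: str
    ssl: str    # trust flags for server (SSL) validation
    smime: str  # trust flags for S/MIME
    jar: str    # trust flags for JAR/XPI code signing

    def is_ssl_trust_anchor(self) -> bool:
        # NSS flag 'C' marks a trusted CA and 'T' a trusted CA for client
        # authentication; either in the SSL column makes this cert a root
        # that server certificates may chain to.
        return "C" in self.ssl or "T" in self.ssl


def parse_certutil_listing(text: str) -> List[CertEntry]:
    """Parse the text produced by `certutil -L` into CertEntry records."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        nickname, flags = m.group(1).strip(), m.group(2)
        ssl, smime, jar = flags.split(",")
        entries.append(CertEntry(nickname, ssl, smime, jar))
    return entries


def ssl_trust_anchors(entries: List[CertEntry]) -> List[str]:
    """Nicknames of every cert the store treats as a CA for SSL."""
    return [e.nickname for e in entries if e.is_ssl_trust_anchor()]


def store_is_user_writable(db_dir: str) -> bool:
    """True when the current user can modify the store directory,
    i.e. when an attacker running as this user could add a CA to it."""
    return os.access(db_dir, os.W_OK)


def list_nss_db(db_dir: str) -> str:
    """Run certutil against a real store; empty string if certutil is absent."""
    try:
        out = subprocess.run(
            ["certutil", "-L", "-d", "sql:" + db_dir],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return ""
    return out.stdout


if __name__ == "__main__":
    entries = parse_certutil_listing(SAMPLE_LISTING)
    for name in ssl_trust_anchors(entries):
        print("SSL trust anchor in user store:", name)
    home_db = os.path.expanduser("~/.pki/nssdb")
    print(home_db, "writable by this user:", store_is_user_writable(home_db))
```

Run it against a real profile by feeding `list_nss_db(profile_dir)` into `parse_certutil_listing`; any nickname it reports that is not one of the distribution's built-in roots is a CA that was added to the user-writable store, which is exactly what the reply above argues an unprivileged attacker can do.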
