Gervase Markham wrote:
> Nils Maier wrote:
>> Easy way of download verification like md5sums or other tools provide as
>> well, but "built-in", easy-to-use and transparent.
>
> Yes.
>
>> But not to mix up with real signatures (GPG), which are much stronger.
>> I don't see LF as a way to actually prevent trojaned stuff (unless, of
>> course, in case of just compromised mirrors).
>
> But compromised mirrors are by far the most common way that things are
> trojaned.
>
> http://www.internetnews.com/dev-news/article.php/1438341
> http://wordpress.org/development/2007/03/upgrade-212/
> http://www.afterdawn.com/news/archive/6001.cfm
> http://www.daemon-tools.cc/dtcc/archive/update-download-com-issue-t5334.html

No, actually compromised mirrors are more common and compromised "download information" pages (at the moment, of course).
Actually the DC++ and daemon tools examples you gave are flawed. It wasn't just mirrors compromised. Somebody managed to submit trojaned packages to these sites.
A good analogy would be: Somebody managed to submit a trojaned popular extension to amo, which then pushed it out to all its mirrors and provided link-fingerprints (of the trojaned package of course) via the download/install links. Oops. But at least the download wasn't corrupt.

>
> All of these could have been spotted much, much quicker if the download
> links used link fingerprints. As soon as someone had tried downloading
> this with Firefox, the download would have failed and they would have
> contacted a site admin.
>
Example above: No, as the link fingerprints would have been correct.
But that's not the point. Giving a warning and options how to handle the errors will make people aware, too. Security researchers do not need to pull out IE just to download and analyze such a trojaned package.

>> Informing the user about problems and letting him decide about proper
>> actions.
>> Not messing with his data without permission.
>
> But if it's trojaned, it's not "his data". It's someone else's evil data.
>
Still his copy of said data. And still his choice what to do with it. He has been warned.
Unless of course you're arguing here that the user is infringing on the rights of the bad guys :p

>>>> Deleting my DVD iso of the newest bleeding edge Linux I spent days
>>>> downloading on a dialup line without even asking feels wrong.
>>> Then don't use Link Fingerprints for such downloads.
>>>
>> Err, right?! I downloaded crap not even knowing about LF and the browser
>> deletes that data. And then, afterwards, after everything is gone
>> already, you come along to tell me that I shouldn't have used LF in the
>> first place?
>
> No, I mean that the person providing the link should not use link
> fingerprints on it, unless they want you to have that exact version.

And people should not do IE-only websites and stick to standards.
People will mess up, sooner or later, even if they have good intentions.
There was kinda an uproar when Firefox didn't download the Vista Beta images, because there was a bug when handling large files in append mode on Win. Pretty limited user base, but still people were pissed.
Now consider a bad link fingerprint for the latest and greatest Ubuntu release, or Windows service pack, or whatever, that goes unnoticed for a day or two. I'm sure it would piss off a hell of a lot more people, and they will blame Firefox as it was FX which deleted the good data instead of asking what to do. Not the publisher.

>>> What are the possible options as to what has happened?
>>>
>>> 1) The download is corrupt. So you might as well delete it, because it's
>>> no use to you.
>>>
>> Probably, but not certainly. It might have been an archive I just need
>> some files from and am able to recover. Or I got a tool to repair it
>> manually, or...
>> Actually I did such repair (media files mostly) some times already.
>
> And 99.999% of users aren't going to attempt either of these things.
>
And I say 10% won't. See, I can make up numbers as well.
Seriously, you cannot know this. And the FX user base is generally more "sophisticated" than the general public, or at least knows a tech-buddy they may consult. Proof: Somebody installed Firefox.

>>> 2) The download has been trojaned. So you definitely want to delete it.
>>
>> Maybe I want to recheck using another tool (md5sums, GPG) to see if LF
>> messed up...
>
> a) If the feature gets it wrong, that's a bug and we need to fix it, not
> a reason for destroying the security model.

LF are not secure, but insecure by design, as the source where they came from cannot be trusted.

> b) 99.999% of users are not going to do this.
>
> If you personally want to override this, write an extension to do so.
> But the default behaviour in Firefox should be to delete, because we are
> building Firefox for ordinary people. I am not ordinary, in this way,
> and neither are you. And neither is anyone who knows what the md5sum
> program does, or who uses archive repair tools.

And providing *all* people, the ordinary and the geeks, with some choice seems to hurt that badly.
In the other thread you claimed that FX already makes a lot of choices, but I fail to see many of them. You may browse phishing sites (Ignore option), you may browse sites with self-signed certificates which are meant for another host, you may disable the popup blocker, integrate with insecure versions of java or flash, store passwords without a master password, install each and every trojaned extension, post your personal and sensitive information without the spell-checker kicking in, download each and every piece of malware.
But hey, when there is a LF mismatch, then you won't get to choose at all.

>>> 3) The person supplying the Link Fingerprint URL screwed up. In which
>>> case, it's their fault, and if they didn't mind you getting different
>>> data, they shouldn't have used Link Fingerprints, or they should have
>>> tested their URLs.
>>
>> In which case I got a fine download I'm about to throw away.
>
> But you don't _know_ it's fine. You can't tell the difference between
> case 3 and case 2.
>
>> Then I redownload stuff just to get the same error. And again...
>> In the end the webmaster is not in reach and I pull out good old IE just
>> to download that file for me without deleting it after the download
>> completes.
>
> ...and get trojaned, because it was actually case 2, not case 3.
>
> So Firefox protected you, you bypassed the protection, and got stuffed.
> Firefox did its job.

Yep, my fault.
It is my fault if I used another browser to download, but it is still my fault if I decide to ignore that warning message that would be displayed when FX asked me what to do with the download.

>> If you operate a rather small site you might be able to pass
>> double-checked links along.
>> Once sites get bigger and more complex or even automated stuff might get
>> wrong more easily.
>
> Automated stuff gets this sort of thing wrong _less_ easily.
>
> Gerv

Sure, automated stuff probably gets it wrong less often, but if it breaks, then hell on earth. Imagine download.com embedding LF incorrectly, for all its downloads, because automated. :p
Oh, and since you still talk about security concerns; you gave 2 examples of a perfectly valid scenario of bad files offered with good automatically created LF, and I added a third. I won't even think of promoting LF as a security enhancement to the "ordinary" user who, as you correctly pointed out, does not know about all this stuff and the actual implications behind it.

Nils

PS: Yesterday I implemented md5/sha1 verification in dTa. shaXXX will follow; just need the hash length.
Screen of the (unpolished) work-in-progress:
http://code.downthemall.net/maierman/070605-mismatch.png

_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
