Re: Firefox Add-ons

2010-02-10 Thread Nils Maier
On 08.02.2010 22:40, Eddy Nigg wrote:
> On 02/08/2010 09:28 PM, Lucas Adamski:
>>> In this case perhaps - in another case you perhaps will stay with the
>>> damage and never hear from the developer.
>>
>> The point is even a well legitimate intentioned developer with a code
>> signing cert could ship malware by accident.
>
> Right - and I believe that this isn't the problem code signing is
> intended to solve. However it does protect from tampering as Steven
> pointed out in the other list.

The addons in question were not tampered with, as far as I know.
One was malicious to begin with, the other one was just a false
positive, i.e. not evil at all.

>> If you aren't trying to make a trust decision based upon the publisher
>> then code signing buys you very little.  What it does create is a huge
>> burden on developers that requires them in many countries to be
>> incorporated or at least have a business license, and provide a stack
>> of paper documents to that effect.
>
> Today you can get code signing certificates as individuals too.
> Sometimes that's even better than some Isle of Man limited liability
> company held by one guy and set up through online registration.

Why would I want to trust an addon because it says some random guy named
Eddy Nigg - suppose I never heard that name before - signed the addon?

What happens if somebody with the same name (or a straw man with that
name) as the author of a popular addon gets a signing cert? The same
name will be shown.
If the name of the author is John Smith you better shouldn't develop
addons? Or as a user trust an author with this name?

>>> Yes, but is it feasible to review every add-on? Maybe it's not such a
>>> burden - and what about modifications of existing add-ons? Are they
>>> reviewed too?
>>
>> It is a big burden, I wouldn't try to sugar coat it.  However code
>> signing doesn't relieve that burden in any way IMHO, they solve
>> orthogonal problems.
>
> You are right. But perhaps it might be of help to know that this
> developer is the same one as last time and he signed his code. Knowing
> that there is a real person (or organization) behind the code might be
> of help too.
 

As pointed out already all public (i.e. non-experimental) extensions
were reviewed by an editor. Same is true for public updates. If there
is obfuscated code or binary components authors have to provide the sources.

Experimental addons were not reviewed, only some automated AV checking
is performed (that failed in this case).
The scans (in number and frequency) were already enhanced after this.
Hence they have a warning (which I agree is not strong enough right now).
Updates for experimental addons do not get pushed to the users; if you
want to update an experimental addon you actually have to go to AMO
again and reinstall the new version.

When updating an extension you cannot be sure it's still the same guy
who signed the prior version. See name collision argument. Transfer of
ownership (including name).
Furthermore there is no real GUI for showing signing info on updates.
And even if there was it would be too noisy (many updates in a list) or
too cumbersome (confirm each update). Furthermore most users don't care
anyway as with any other information/warning message.

Then the author might be evil, but the first few versions didn't contain
any malware to build trust.
Then a version containing malware is published... to be changed back to
a version sans malware a few thousand downloads later to avoid drawing
too much attention.

I think that code signing is far less useful than using server certs
(SSL/TLS), because when using server certs at least the name shown
corresponds in some way to the domain name (either the domain name
itself or the company name in case of EV). Furthermore TLS security info
(cert owner info) is shown far more regularly, so that it is easier to
remember. Remembering that https://paypal.com/, a site you visit
multiple times a month, shows Paypal is far more easy than remembering
that AdblockPlus, an addon with infrequent updates that you forget about
in between because it silently does its job, shows Wladimir Palant.

You can only hope that somebody would recognize a name change and would
report it to the authorities instead of just canceling the install.
One could also generate automated notifications to have editors check;
but how would this be different then from a regular review?

Signing addons is indeed a burden. Not only monetary. You need to manage
the cert(s) (which is an administrative burden, especially when you're
not the sole developer but actually a team). You might need to change
your build-process and build-tools and so on.
Lots of hobbyist programmers are knowledgeable enough to build helpful
small extensions messing with the DOM here and there, but often they are
not as knowledgeable when it comes to security (cryptography), PKI, code
signing etc.
Why should I, as a user, trust that each and every developer knows how
to use that technology correctly and safely?

I'm 
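
The name-collision argument from the message above, as an added example that is not part of the original post: a check on the displayed signer name accepts an update signed with a different key under the same name, while comparing the signer's key fingerprint against the installed version flags it. The record layout, function names, add-on id and key bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedRelease:
    addon_id: str
    version: str
    signer_name: str      # subject name an install dialog would display
    signer_pubkey: bytes  # public key bytes taken from the signing cert


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 over the public key bytes: the identity that cannot collide by name."""
    return hashlib.sha256(pubkey).hexdigest()


def name_only_check(installed: SignedRelease, update: SignedRelease) -> bool:
    """What a user effectively does when comparing the name shown in a dialog."""
    return installed.signer_name == update.signer_name


def classify_update(installed: SignedRelease, update: SignedRelease) -> str:
    """Compare an update against the installed release by key first, name second."""
    if installed.addon_id != update.addon_id:
        return "different-addon"
    same_key = fingerprint(installed.signer_pubkey) == fingerprint(update.signer_pubkey)
    same_name = installed.signer_name == update.signer_name
    if same_key and same_name:
        # Continuity of the signer only; says nothing about what the code does.
        return "same-signer"
    if same_key:
        return "renamed-same-key"
    if same_name:
        # Second "John Smith", or an ownership transfer that kept the name.
        return "name-collision"
    return "signer-changed"


def audit_history(releases):
    """Classify each release against the one before it."""
    return [(cur.version, classify_update(prev, cur))
            for prev, cur in zip(releases, releases[1:])]


# Constructed sample data: three unrelated keys, one shared display name.
KEY_A, KEY_B, KEY_C = b"constructed-key-A", b"constructed-key-B", b"constructed-key-C"
HISTORY = [
    SignedRelease("example-addon@example.invalid", "1.0", "John Smith", KEY_A),
    SignedRelease("example-addon@example.invalid", "1.1", "John Smith", KEY_A),
    SignedRelease("example-addon@example.invalid", "1.2", "John Smith", KEY_B),
    SignedRelease("example-addon@example.invalid", "1.3", "J. Smith Ltd", KEY_B),
    SignedRelease("example-addon@example.invalid", "1.4", "Someone Else", KEY_C),
]

if __name__ == "__main__":
    print("name-only accepts 1.1 -> 1.2:", name_only_check(HISTORY[1], HISTORY[2]))
    for version, verdict in audit_history(HISTORY):
        print(version, verdict)
```

A "same-signer" verdict only establishes continuity of the key; a signer who ships clean versions first and a malicious one later passes it, which is the review problem the thread treats as separate.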

Re: Firefox Add-ons

2010-02-09 Thread David E. Ross
On 2/6/2010 7:04 AM, Eddy Nigg wrote:
> Isn't it about time that extensions and applications get signed with
> verified code signing certificates? Adblock Plus is doing for a while
> now I think, perhaps other should too?
>
> Because this isn't really comforting:
> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/

I just now noticed that this discussion was not cross-posted to
mozilla.dev.extensions.  Should not input from extension developers be
considered?

I'm now cross-posting this reply to mozilla.dev.extensions with
follow-ups back to the newsgroups where this originally appeared:
mozilla.dev.security and mozilla.dev.security.policy.

-- 

David E. Ross
http://www.rossde.com/.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security


Re: Firefox Add-ons

2010-02-09 Thread Eddy Nigg

On 02/09/2010 11:50 PM, David E. Ross:
> On 2/6/2010 7:04 AM, Eddy Nigg wrote:
>> Isn't it about time that extensions and applications get signed with
>> verified code signing certificates? Adblock Plus is doing for a while
>> now I think, perhaps other should too?
>>
>> Because this isn't really comforting:
>> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>
> I just now noticed that this discussion was not cross-posted to
> mozilla.dev.extensions.  Should not input from extension developers be
> considered?
>
> I'm now cross-posting this reply to mozilla.dev.extensions with
> follow-ups back to the newsgroups where this originally appeared:
> mozilla.dev.security and mozilla.dev.security.policy.


And here just another reason to sign (addon) code: 
http://blog.ivanristic.com/2010/02/firefox-extension-installation-process-vulnerable-to-mitm-attack-.html


Apparently this is going to be fixed, the next issue will come up for 
sure...


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-08 Thread Jean-Marc Desperrier

Eddy Nigg wrote:
> no CA was here admitted under these conditions for having the code
> signing bit turned on.
>
> I'm not saying that at some point in PKI history this wasn't done. It's
> not done today and feel free to publicly name the CA which does that.

Last I checked there definitively were some code signing certificates
basically issued under the terms of "If the credit card check comes back
OK, issue it." It's a little while ago though.

But really. It's *hard* to do better than that, better than "Send us by
fax our doctored ID so that we check if you pass the bar of having
minimal photoshop skills."


If and when people will have a governmentally issued cryptographic ID 
card, it will become a lot easier, but then the code signing CA will 
have little room for added value.



Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg


> Last I checked there definitively were some code signing certificates
> basically issued under the terms of "If the credit card check comes
> back OK, issue it." It's a little while ago though.
>
> But really. It's *hard* to do better than that, better than "Send us
> by fax our doctored ID so that we check if you pass the bar of having
> minimal photoshop skills."


No CA has been admitted  to NSS during the last 2+ years based on such a 
policy and have the code signing bit turned on. Your assumption above is 
wrong, but if you have any knowledge please share it with us :-)


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-08 Thread Lucas Adamski


On Feb 6, 2010, at 10:43 AM, Eddy Nigg wrote:

> On 02/06/2010 08:30 PM, Lucas Adamski:
>> I don't think it would have made a tremendous difference here.  One
>> of them was likely infected accidentally (only one version of the
>> addon contained malware and the developer is actively communicating
>> with us).
>
> In this case perhaps - in another case you perhaps will stay with
> the damage and never hear from the developer.

The point is even a well legitimate intentioned developer with a code
signing cert could ship malware by accident.

>> Code signing doesn't prevent malicious code from being inserted
>> into an addon.  Yes, it makes it much harder for hobbyist
>> developers to create addons but doesn't stop the bad guys from
>> getting their hands on *some* code signing cert, either by stealing
>> one or via a shell company in some foreign country.
>
> Errr...I hope not, otherwise what's the point of code signing
> certificates anyway.

It's not hard for bad guys to get *a* code signing certificate.  In a
previous life I encountered malicious ActiveX controls that were
signed with a valid chained cert.  Never figured out if the cert was
stolen or if the org was intentionally distributing malware.  But that
didn't really matter.  Code signing is useful when the user is trying
to authenticate that the code they have in hand was issued by a
specific organization that they trust.  If you aren't trying to make a
trust decision based upon the publisher then code signing buys you
very little.  What it does create is a huge burden on developers that
requires them in many countries to be incorporated or at least have a
business license, and provide a stack of paper documents to that
effect.  So the bad guys can always steal a cert or buy one via a
shell company in Russia, while many of the good guys can't buy one at
all.

  Lucas.

>> The real problem IMHO is that we allow unreviewed addons to be
>> downloaded directly from AMO.
>
> Yes, but is it feasible to review every add-on? Maybe it's not such
> a burden - and what about modifications of existing add-ons? Are
> they reviewed too?

It is a big burden, I wouldn't try to sugar coat it.  However code
signing doesn't relieve that burden in any way IMHO, they solve
orthogonal problems.

> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:start...@startcom.org
> Blog:http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg


Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg

On 02/08/2010 09:28 PM, Lucas Adamski:
>> In this case perhaps - in another case you perhaps will stay with the
>> damage and never hear from the developer.
>
> The point is even a well legitimate intentioned developer with a code
> signing cert could ship malware by accident.

Right - and I believe that this isn't the problem code signing is
intended to solve. However it does protect from tampering as Steven
pointed out in the other list.

> If you aren't trying to make a trust decision based upon the publisher
> then code signing buys you very little.  What it does create is a huge
> burden on developers that requires them in many countries to be
> incorporated or at least have a business license, and provide a stack
> of paper documents to that effect.

Today you can get code signing certificates as individuals too.
Sometimes that's even better than some Isle of Man limited liability
company held by one guy and set up through online registration.

>> Yes, but is it feasible to review every add-on? Maybe it's not such a
>> burden - and what about modifications of existing add-ons? Are they
>> reviewed too?
>
> It is a big burden, I wouldn't try to sugar coat it.  However code
> signing doesn't relieve that burden in any way IMHO, they solve
> orthogonal problems.

You are right. But perhaps it might be of help to know that this
developer is the same one as last time and he signed his code. Knowing
that there is a real person (or organization) behind the code might be
of help too.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-08 Thread Bil Corry
I think such a document could go a long way to help people understand how 
Mozilla protects them, the limitations that are faced, and what happens when 
something goes wrong.  If they still feel like it isn't enough, then they can 
be prompted to suggest improvements to the process.

Speaking of improving the process, I agree with Daniel Veditz that the 
experimental add-ons should be made available on another site.  Even the term 
'experimental' gives the impression (to me anyway) that the add-on is potential 
beta quality, not potential pwnage.  Maybe 'unverified add-on' would be more 
appropriate.


- Bil


Sid Stamm wrote on 2/8/2010 3:56 PM:
> Hi Bil,
>
> I don't believe we have a document precisely along the lines of what you
> suggest (as far as I know) but we have these other documents that are
> sometimes helpful:
>
> https://developer.mozilla.org/en/Security_best_practices_in_extensions
> https://addons.mozilla.org/en-US/developers/docs/policies
> https://addons.mozilla.org/en-US/developers/docs/policies/reviews
>
> -Sid
>
> On 2/7/10 10:02 AM, Bil Corry wrote:
>> Eddy Nigg wrote on 2/6/2010 7:04 AM:
>>> Isn't it about time that extensions and applications get signed with
>>> verified code signing certificates? Adblock Plus is doing for a while
>>> now I think, perhaps other should too?
>>>
>>> Because this isn't really comforting:
>>> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>>
>> Not sure if it already exists, but it would be helpful if there was a
>> document that describes the security practices of AMO; something that
>> outlines the responsibilities of Mozilla, of the AMO developers, and the
>> users, along with outlining the risks involved and what happens when they're
>> realized (such as using the block mechanism).  That way, when news such as
>> the above is reported, this document can be referenced.
>>
>> Threats to address, that at least I'm aware of:
>>
>> (1) Malware in add-ons (see above article)
>>
>> (2) Trusted add-ons subverting each other
>>
>>   http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
>>
>> (3) Untrusted add-ons doing bad stuff.
>>
>> (4) Fake add-ons posing as a trusted add-on:
>>
>>   http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00128.html
>>
>> (5) Trusted add-ons that pose a security risk:
>>
>>   http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
>>
>> (6) Subverting the update mechanism (this is for FF, but might apply to
>> add-on updates too?):
>>
>>   http://ha.ckers.org/blog/20100204/releasesmozillaorg-ssl-and-update-fail/
>>
>> (7) Subverting the blocklist mechanism (to disable, say, noscript):
>>
>>   https://support.mozilla.com/en-US/kb/Add-ons+Blocklist
>>
>> I'm sure there are many many more.
>>
>> BTW, this presentation from OWASP DC names Eddy Nigg, Giorgio Maone, and
>> developers at Mozilla (among others) as "The 10 least-likely and most
>> dangerous people on the Internet":
>>
>>   http://www.owasp.org/images/1/1f/The_10_least-likely_and_most_dangerous_people_on_the_Internet_-_Robert_Hansen.pdf
>>
>> - Bil



Re: Firefox Add-ons

2010-02-07 Thread Pavel Cvrcek

On 6.2.2010 19:43, Eddy Nigg wrote:
> Yes, but is it feasible to review every add-on? Maybe it's not such a
> burden - and what about modifications of existing add-ons? Are they
> reviewed too?

On AMO you can see two groups of add-ons. Standard add-ons are
reviewed by editors, even if the developer uploads a new version. The
second group (experimental add-ons) is not reviewed, and users see a
notification that this add-on wasn't reviewed by an editor, use at your
own risk.


Regards,

--
Pavel Cvrček pcvr...@mozilla.cz
http://www.mozilla.cz/


Re: Firefox Add-ons

2010-02-07 Thread Daniel Veditz
On 2/6/10 8:08 AM, David E. Ross wrote:
> Add-ons there go through some degree of review before being available to
> the public; before such reviews are concluded, add-ons require a user to
> logon to his or her own account and receive a warning that the review is
> still underway.

Unfortunately that's no longer true, the login requirement was
deemed too burdensome. Now the user just has to check a box "Let me
install this experimental addon." A mere speed bump to pwnage.

I, too, hated the login requirement -- not because it was too hard
but because it was too easy. We're dangling forbidden fruit in front
of unsuspecting people ("this thing might fit your needs, but you
shouldn't install it"). The unreviewed addons should go on a
completely separate site and not show up in AMO search results, just
as Firefox experimental nightly builds aren't available from the
product pages on mozilla.com.

The checkbox idea is even worse -- everything on the page exudes
"You're on the trusted Mozilla site, they wouldn't let anything bad
happen to you would they?" An analogy I've used before: if you went
to your favorite bakery and they were offering "experimental"
muffins you might expect them to taste bad. You would not expect
them to be laced with heroin because the shop is giving shelf space
to anything dropped off at the back door by who knows who.
"experimental" does not cover it.

-Dan


Re: Firefox Add-ons

2010-02-07 Thread Eddy Nigg

On 02/07/2010 09:11 PM, Daniel Veditz:
> The unreviewed addons should go on a
> completely separate site and not show up in AMO search results, just
> as Firefox experimental nightly builds aren't available from the
> product pages on mozilla.com.

Makes sense.

> An analogy I've used before: if you went
> to your favorite bakery and they were offering "experimental"
> muffins you might expect them to taste bad. You would not expect
> them to be laced with heroin because the shop is giving shelf space
> to anything dropped off at the back door by who knows who.
> "experimental" does not cover it.


Another question is, how thorough is any review Mozilla performs? And 
with such a review and offering to download the extensions from one of 
the official Mozilla web sites, Mozilla effectively takes on 
responsibility and a certain liability. Perhaps a valid question is, if 
Mozilla wants/should do that.


And why not off-load at least some of that burden to proper identity 
and/or organization validation? I would feel more comfortable if I knew 
that the developer could be tracked to a legal identity in case of 
intentional misuse.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 7:04 AM, Eddy Nigg wrote:
> Isn't it about time that extensions and applications get signed with
> verified code signing certificates? Adblock Plus is doing for a while
> now I think, perhaps other should too?
>
> Because this isn't really comforting:
> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/

Do you know a source of free verified code signing certificates?  Most
add-ons are freeware developed by individuals who do it as a hobby.
Requiring code-signing subscriber certificates would add a cost that few
could afford.

For those who are concerned, I suggest that they only install add-ons
from https://addons.mozilla.org/en-US/firefox/, which is a Mozilla
Corporation site secured with a Verisign-signed site certificate.
Add-ons there go through some degree of review before being available to
the public; before such reviews are concluded, add-ons require a user to
logon to his or her own account and receive a warning that the review is
still underway.

-- 

David E. Ross
http://www.rossde.com/.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997


Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 8:08 AM, David E. Ross wrote:
> On 2/6/2010 7:04 AM, Eddy Nigg wrote:
>> Isn't it about time that extensions and applications get signed with
>> verified code signing certificates? Adblock Plus is doing for a while
>> now I think, perhaps other should too?
>>
>> Because this isn't really comforting:
>> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>
> Do you know a source of free verified code signing certificates?  Most
> add-ons are freeware developed by individuals who do it as a hobby.
> Requiring code-signing subscriber certificates would add a cost that few
> could afford.
>
> For those who are concerned, I suggest that they only install add-ons
> from https://addons.mozilla.org/en-US/firefox/, which is a Mozilla
> Corporation site secured with a Verisign-signed site certificate.
> Add-ons there go through some degree of review before being available to
> the public; before such reviews are concluded, add-ons require a user to
> logon to his or her own account and receive a warning that the review is
> still underway.

Oh!  I just read the cited Web page.  However, the malicious add-ons
were what I described as "before such reviews are concluded."  Stick
with those add-ons from https://addons.mozilla.org/en-US/firefox/ that
can be obtained without logging-on.

-- 

David E. Ross
http://www.rossde.com/.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997


Re: Firefox Add-ons

2010-02-06 Thread Lucas Adamski
I don't think it would have made a tremendous difference here.  One of  
them was likely infected accidentally (only one version of the addon  
contained malware and the developer is actively communicating with  
us).  Code signing doesn't prevent malicious code from being inserted  
into an addon.  Yes, it makes it much harder for hobbyist developers  
to create addons but doesn't stop the bad guys from getting their  
hands on *some* code signing cert, either by stealing one or via a  
shell company in some foreign country.


The real problem IMHO is that we allow unreviewed addons to be  
downloaded directly from AMO.  As a secondary issue we also need more
& better AV scanning, but that only gets you so far in the grand
scheme of things.

  Lucas.

On Feb 6, 2010, at 7:04 AM, Eddy Nigg wrote:

> Isn't it about time that extensions and applications get signed with
> verified code signing certificates? Adblock Plus is doing for a
> while now I think, perhaps other should too?
>
> Because this isn't really comforting:
> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:start...@startcom.org
> Blog:http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg


Re: Firefox Add-ons

2010-02-06 Thread Michael Lefevre

On 06/02/2010 15:04, Eddy Nigg wrote:
> Isn't it about time that extensions and applications get signed with
> verified code signing certificates? Adblock Plus is doing for a while
> now I think, perhaps other should too?


I don't know if more details are available than have been published so 
far, but I don't see how code signing would have helped.  Unless I'm 
missing something code signing just confirms that the code comes from 
whoever signed it.  How does a certificate prevent someone signing 
malicious code?


Michael


Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg

On 02/06/2010 08:30 PM, Lucas Adamski:
> I don't think it would have made a tremendous difference here.  One of
> them was likely infected accidentally (only one version of the addon
> contained malware and the developer is actively communicating with us).

In this case perhaps - in another case you perhaps will stay with the
damage and never hear from the developer.

> Code signing doesn't prevent malicious code from being inserted into
> an addon.  Yes, it makes it much harder for hobbyist developers to
> create addons but doesn't stop the bad guys from getting their hands
> on *some* code signing cert, either by stealing one or via a shell
> company in some foreign country.

Errr...I hope not, otherwise what's the point of code signing
certificates anyway.

> The real problem IMHO is that we allow unreviewed addons to be
> downloaded directly from AMO.


Yes, but is it feasible to review every add-on? Maybe it's not such a 
burden - and what about modifications of existing add-ons? Are they 
reviewed too?


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg

On 02/06/2010 08:42 PM, Michael Lefevre:
> On 06/02/2010 15:04, Eddy Nigg wrote:
>> Isn't it about time that extensions and applications get signed with
>> verified code signing certificates? Adblock Plus is doing for a while
>> now I think, perhaps other should too?
>
> I don't know if more details are available than have been published so
> far, but I don't see how code signing would have helped.  Unless I'm
> missing something code signing just confirms that the code comes from
> whoever signed it.

Correct.

> How does a certificate prevent someone signing malicious code?


No, it doesn't. But I guess you would think twice to sign (malicious) 
code with your name - any code for that matter. And it obviously doesn't 
prevent accidents and mistakes, but a certain care  would be added by 
signing the code and probably prevent intentional cases.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Firefox Add-ons

2010-02-06 Thread Jean-Marc Desperrier

On 06/02/2010 19:47, Eddy Nigg wrote:
> But I guess you would think twice to sign (malicious) code with your
> name - any code for that matter.


How hard is it to sign it with a cert you bought with a stolen credit 
card number, using the name from the card ?


A 50$ code signing certificate just brings you 50$ worth of security ...


Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg

On 02/06/2010 10:58 PM, Jean-Marc Desperrier:
> On 06/02/2010 19:47, Eddy Nigg wrote:
>> But I guess you would think twice to sign (malicious) code with your
>> name - any code for that matter.
>
> How hard is it to sign it with a cert you bought with a stolen credit
> card number, using the name from the card ?
>
> A 50$ code signing certificate just brings you 50$ worth of security ...

Scrap it. No CA was here admitted under these conditions for having
the code signing bit turned on.

I'm not saying that at some point in PKI history this wasn't done. It's
not done today and feel free to publicly name the CA which does that.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Firefox add-ons to securely manage passwords

2009-07-20 Thread Kevin
Firefox 3.5 is compatible with several add-ons to help manage your
passwords. Some of them are pwgen, Billeo, Password Exporter and
Master Password Timeout.
https://addons.mozilla.org/en-US/firefox/addon/12715