Re: Extension security?
- Original Message -
> From: Jasper St. Pierre
> To: Jonathan Wilkes
> Cc: Olav Vitters; "gnome-shell-list@gnome.org"
> Sent: Monday, December 19, 2011 7:36 PM
> Subject: Re: Extension security?
>
> As I said before, this requires a lot of careful security and manual
> labor that I'm not comfortable doing. As such, I don't believe the
> mechanism, as you would like to see implemented, will be implemented.

Thanks for the response.

Another (security non-expert) question: How does Debian repository security compare to the current security of the Gnome extension website/system? Specifically-- if a hacker gains entry into a server that hosts a Debian repository and tries to change the data for package foo, won't apt-get/synaptic/etc. complain and by default fail to install the package because either the signature is invalid or the file checksum doesn't check out?

I apologize for asking a Debian question on the Gnome list, but I'm having trouble getting a response on #debian (I guess it looks like I'm fishing for security holes or something).

-Jonathan

> On Mon, Dec 19, 2011 at 7:34 PM, Jonathan Wilkes wrote:
>> - Original Message -
>>
>>> From: Olav Vitters
>>> To: gnome-shell-list@gnome.org
>>> Cc:
>>> Sent: Saturday, December 17, 2011 10:51 PM
>>> Subject: Re: Extension security?
>>>
>>> On Sat, Dec 17, 2011 at 04:17:20PM +0100, Pauli Virtanen wrote:
>>>> It was clear already in the first post by J. Wilkes that this thread
>>>> was about a key kept on a non-public system.
>>>
>>> Colour me confused. I thought it already received a reply that it wasn't
>>> implemented.
>>
>> I'd like to know whether that means it wasn't implemented yet (but eventually
>> will be), wasn't implemented and may or may not be implemented later on, or
>> wasn't and will not be implemented.
>>
>> Thanks,
>> Jonathan
>>
>>> --
>>> Regards,
>>> Olav
>
> --
> Jasper

___
gnome-shell-list mailing list
gnome-shell-list@gnome.org
http://mail.gnome.org/mailman/listinfo/gnome-shell-list
Re: Extension security?
As I said before, this requires a lot of careful security and manual labor that I'm not comfortable doing. As such, I don't believe the mechanism, as you would like to see implemented, will be implemented.

On Mon, Dec 19, 2011 at 7:34 PM, Jonathan Wilkes wrote:
> - Original Message -
>
>> From: Olav Vitters
>> To: gnome-shell-list@gnome.org
>> Cc:
>> Sent: Saturday, December 17, 2011 10:51 PM
>> Subject: Re: Extension security?
>>
>> On Sat, Dec 17, 2011 at 04:17:20PM +0100, Pauli Virtanen wrote:
>>> It was clear already in the first post by J. Wilkes that this thread
>>> was about a key kept on a non-public system.
>>
>> Colour me confused. I thought it already received a reply that it wasn't
>> implemented.
>
> I'd like to know whether that means it wasn't implemented yet (but eventually
> will be), wasn't implemented and may or may not be implemented later on, or
> wasn't and will not be implemented.
>
> Thanks,
> Jonathan
>
>> --
>> Regards,
>> Olav

--
Jasper
Re: Extension security?
- Original Message -
> From: Olav Vitters
> To: gnome-shell-list@gnome.org
> Cc:
> Sent: Saturday, December 17, 2011 10:51 PM
> Subject: Re: Extension security?
>
> On Sat, Dec 17, 2011 at 04:17:20PM +0100, Pauli Virtanen wrote:
>> It was clear already in the first post by J. Wilkes that this thread
>> was about a key kept on a non-public system.
>
> Colour me confused. I thought it already received a reply that it wasn't
> implemented.

I'd like to know whether that means it wasn't implemented yet (but eventually will be), wasn't implemented and may or may not be implemented later on, or wasn't and will not be implemented.

Thanks,
Jonathan

> --
> Regards,
> Olav
Re: Extension security?
On Sat, Dec 17, 2011 at 7:36 AM, Pauli Virtanen wrote:
> 17.12.2011 03:04, Jasper St. Pierre wrote:
>
>> If the website is hacked, the attacker has the GPG key anyway, so they
>> can sign a rogue extension. Unless I'm not understanding how the
>> website is supposed to automatically sign extensions after they've
>> been approved.
>
> I don't understand where GPG comes into this discussion, if the Gnome shell
> client, which downloads and installs the extension does not check any
> signatures?
>
> The point with cryptographic signatures would be that the extensions would
> *not* be signed automatically on the machine where the web service runs.
> Rather, after review, an extensions.gnome.org maintainer (who might not be
> the same person as the reviewer) would use a different, non-public, machine
> where the private key is kept, and do the signing there. More work, yes,
> more secure, yes.

Chances are, it would be me who would do this work. I do not trust myself to keep a signature private.

> But it seems this was discussed previously, and Gnome shell authors decided
> not to do it this way (why?).
>
> --
> Pauli Virtanen

--
Jasper
Re: Extension security?
On Sat, Dec 17, 2011 at 04:17:20PM +0100, Pauli Virtanen wrote:
> It was clear already in the first post by J. Wilkes that this thread
> was about a key kept on a non-public system.

Colour me confused. I thought it already received a reply that it wasn't implemented.

--
Regards,
Olav
Re: Extension security?
17.12.2011 13:42, Olav Vitters wrote:
[clip]
> This is not what you initially suggested. What I commented on is that a
> signature by itself on the website does not add much extra security.
>
> What you're proposing now is something totally different than just a
> signature.

It was clear already in the first post by J. Wilkes that this thread was about a key kept on a non-public system.

>> But it seems this was discussed previously, and Gnome shell authors
>> decided not to do it this way (why?).
>
> Because practically speaking it is a lot of hard work. Now suddenly
> there has to be an entire infrastructure around handling signatures to
> trust, revoking, authorizing, etc.
>
> If you want to know why, suggest to read the archives. Search for
> messages by Owen Taylor. My memory is too vague and why ask if you can
> find the exact answers...

Apparently around here:

http://article.gmane.org/gmane.comp.gnome.desktop/45733

--
Pauli Virtanen
Re: Extension security?
On Sat, Dec 17, 2011 at 01:36:28PM +0100, Pauli Virtanen wrote:
> 17.12.2011 03:04, Jasper St. Pierre wrote:
> >If the website is hacked, the attacker has the GPG key anyway, so they
> >can sign a rogue extension. Unless I'm not understanding how the
> >website is supposed to automatically sign extensions after they've
> >been approved.
>
> I don't understand where GPG comes into this discussion, if the
> Gnome shell client, which downloads and installs the extension does
> not check any signatures?

GPG: You brought up signatures. GNOME shell checks the extensions.gnome.org certificate. If that website is broken into, the certificate is pointless. As is any other signature added by the website.

> The point with cryptographic signatures would be that the extensions
> would *not* be signed automatically on the machine where the web
> service runs. Rather, after review, an extensions.gnome.org
> maintainer (who might not be the same person as the reviewer) would
> use a different, non-public, machine where the private key is kept,
> and do the signing there. More work, yes, more secure, yes.

This is not what you initially suggested. What I commented on is that a signature by itself on the website does not add much extra security.

What you're proposing now is something totally different than just a signature.

> But it seems this was discussed previously, and Gnome shell authors
> decided not to do it this way (why?).

Because practically speaking it is a lot of hard work. Now suddenly there has to be an entire infrastructure around handling signatures to trust, revoking, authorizing, etc.

If you want to know why, suggest to read the archives. Search for messages by Owen Taylor. My memory is too vague and why ask if you can find the exact answers...

--
Regards,
Olav
Re: Extension security?
17.12.2011 03:04, Jasper St. Pierre wrote:
> If the website is hacked, the attacker has the GPG key anyway, so they
> can sign a rogue extension. Unless I'm not understanding how the
> website is supposed to automatically sign extensions after they've
> been approved.

I don't understand where GPG comes into this discussion, if the Gnome shell client, which downloads and installs the extension does not check any signatures?

The point with cryptographic signatures would be that the extensions would *not* be signed automatically on the machine where the web service runs. Rather, after review, an extensions.gnome.org maintainer (who might not be the same person as the reviewer) would use a different, non-public, machine where the private key is kept, and do the signing there. More work, yes, more secure, yes.

But it seems this was discussed previously, and Gnome shell authors decided not to do it this way (why?).

--
Pauli Virtanen
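The messages above disagree about where the signing key lives and whether the client checks anything beyond the https certificate. As an added example (not code from GNOME Shell, extensions.gnome.org or any poster in this thread), the sketch below has a client pin a public key, verify a signed index and then the archive checksum, and runs that check against a tampered download and against a key kept on the web server. The index layout, function names and sample extension are hypothetical, and Ed25519 from Node's `crypto` module stands in for GPG.

```javascript
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Signing machine (non-public): binds uuid, version and archive hash, then signs.
function signRelease(privateKey, uuid, version, archive) {
  const index = JSON.stringify({ uuid, version, sha256: sha256(archive) });
  const signature = crypto.sign(null, Buffer.from(index), privateKey);
  return { index, signature };
}

// Client: pinnedKey ships with the client and is never fetched from the
// site that serves the download. Signature first, then checksum.
function verifyDownload(pinnedKey, { index, signature, archive }) {
  if (!crypto.verify(null, Buffer.from(index), pinnedKey, signature)) {
    return 'reject: bad signature';
  }
  if (JSON.parse(index).sha256 !== sha256(archive)) {
    return 'reject: checksum mismatch';
  }
  return 'install';
}

// Constructed sample data (hypothetical extension and contents).
const UUID = 'popular-extension@example.org';
const reviewed = Buffer.from('function enable() { /* reviewed code */ }');
const altered = Buffer.from('function enable() { /* unreviewed change */ }');

function scenarios() {
  const offline = crypto.generateKeyPairSync('ed25519');   // kept off the web server
  const serverKey = crypto.generateKeyPairSync('ed25519'); // stored on the web server
  const release = signRelease(offline.privateKey, UUID, 3, reviewed);
  const resigned = signRelease(serverKey.privateKey, UUID, 3, altered);
  const editedIndex = JSON.stringify({
    ...JSON.parse(release.index),
    sha256: sha256(altered),
  });
  return {
    // Nothing changed on the server.
    untouched: verifyDownload(offline.publicKey, { ...release, archive: reviewed }),
    // Archive replaced on the server, signed index left alone.
    swappedArchive: verifyDownload(offline.publicKey, { ...release, archive: altered }),
    // Archive replaced and index edited to match: the old signature no longer fits.
    editedIndex: verifyDownload(offline.publicKey, {
      index: editedIndex, signature: release.signature, archive: altered,
    }),
    // Re-signed with a key the client does not pin.
    otherKey: verifyDownload(offline.publicKey, { ...resigned, archive: altered }),
    // Signing key lives on the web server and the client pins it: whoever
    // controls the server can produce a signature that verifies.
    keyOnServer: verifyDownload(serverKey.publicKey, { ...resigned, archive: altered }),
  };
}

console.log(scenarios());
```

The last case is the one that separates signing on the web server from signing on a separate machine: the client-side check is identical in both, and only the location of the private key changes the outcome.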
Re: Extension security?
If the website is hacked, the attacker has the GPG key anyway, so they can sign a rogue extension. Unless I'm not understanding how the website is supposed to automatically sign extensions after they've been approved.

On Fri, Dec 16, 2011 at 8:14 PM, Pauli Virtanen wrote:
> 16.12.2011 20:44, Olav Vitters wrote:
>
>> On Fri, Dec 16, 2011 at 08:38:03AM -0800, Jonathan Wilkes wrote:
>>>
>>> So when someone hacks the extension website and changes the code for
>>> "Popular Extension #1" to log the user's keystrokes, how
>>> does my Gnome Shell know to reject that rogue extension when I try to
>>> install it?
>>
>> If the website is hacked, the GPG signature would still be added.
>
> What does this mean? The client as it is in Gnome 3.2.1 does not seem to
> contain any code checking GPG signatures --- so if the site is hacked, enjoy
> your keylogger?
>
> --
> Pauli Virtanen

--
Jasper
Re: Extension security?
16.12.2011 20:44, Olav Vitters wrote:
> On Fri, Dec 16, 2011 at 08:38:03AM -0800, Jonathan Wilkes wrote:
>> So when someone hacks the extension website and changes the code for
>> "Popular Extension #1" to log the user's keystrokes, how
>> does my Gnome Shell know to reject that rogue extension when I try to
>> install it?
>
> If the website is hacked, the GPG signature would still be added.

What does this mean? The client as it is in Gnome 3.2.1 does not seem to contain any code checking GPG signatures --- so if the site is hacked, enjoy your keylogger?

--
Pauli Virtanen
Re: Extension security?
On Fri, Dec 16, 2011 at 08:38:03AM -0800, Jonathan Wilkes wrote:
> So when someone hacks the extension website and changes the code for
> "Popular Extension #1" to log the user's keystrokes, how
> does my Gnome Shell know to reject that rogue extension when I try to
> install it?

If the website is hacked, the GPG signature would still be added.

--
Regards,
Olav
Re: Extension security?
> From: Pauli Virtanen
> To: gnome-shell-list@gnome.org
> Sent: Tuesday, December 13, 2011 4:58 AM
> Subject: Re: Extension security?
>
> 13.12.2011 02:31, Jonathan Wilkes wrote:
>> So are all reviewed extensions signed with a key that is not kept on a
>> public system, as Alan Cox proposed? I couldn't tell from the "About" page,
>> nor from the discussions referenced in above responses.
>
> There does not seem to be additional signature checks on the client
> side, apart from relying on the https certificate for the whole site:
>
> http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionSystem.js

So when someone hacks the extension website and changes the code for "Popular Extension #1" to log the user's keystrokes, how does my Gnome Shell know to reject that rogue extension when I try to install it?

-Jonathan
Re: Extension security?
13.12.2011 02:31, Jonathan Wilkes wrote:
> So are all reviewed extensions signed with a key that is not kept on a public
> system, as Alan Cox proposed? I couldn't tell from the "About" page, nor
> from the discussions referenced in above responses.

There does not seem to be additional signature checks on the client side, apart from relying on the https certificate for the whole site:

http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionSystem.js
RE: Extension security?
Hello,

So are all reviewed extensions signed with a key that is not kept on a public system, as Alan Cox proposed? I couldn't tell from the "About" page, nor from the discussions referenced in above responses.
RE: Extension security?
Ok, thank you to both of you!

Cheers,
Gabriel

-Original Message-
From: gnome-shell-list-boun...@gnome.org [mailto:gnome-shell-list-boun...@gnome.org] On Behalf Of Jasper St. Pierre
Sent: 05 December 2011 23:30
To: Milan Bouchet-Valat
Cc: gnome-shell-list
Subject: Re: Extension security?

Also: https://bugzilla.gnome.org/show_bug.cgi?id=665452

On Mon, Dec 5, 2011 at 5:23 PM, Milan Bouchet-Valat wrote:
> On Monday 05 December 2011 at 23:14 +0100, Gabriel wrote:
>> Hi all,
>>
>> I may be missing something, but the really nifty extensions site
>> prompted me to ask this, are there not potential security issues with
>> extensions being able to be installed by clicking on a webpage? And
>> since extensions are able to modify the way the UI behaves, could
>> someone not make one that steals users' info, make screenshots, steal
>> passwords (like emulating the login screen for example), etc?
> (Note this applies to any random third-party package users might install
> by clicking on a link and providing their password.)
>
>> I'm sure you thought of all this so I'd be interested in knowing how you
>> protect us (sandboxing, limiting the things API can do, not allowing
>> access to the HD except through given functions, etc).
> This has been discussed on this list previously. See
> http://lwn.net/Articles/459786/ for a summary and links.
>
> Basically, the Shell ensures the extension comes from
> extensions.gnome.org, which requires a review of the code by other
> hackers; and it will never install/update extensions without user action
> (modal dialog). But once installed, extensions are not sandboxed and can
> do whatever they want to the Shell, or to your files (just like any app
> on the system).
>
> Cheers

--
Jasper
Re: Extension security?
Also: https://bugzilla.gnome.org/show_bug.cgi?id=665452

On Mon, Dec 5, 2011 at 5:23 PM, Milan Bouchet-Valat wrote:
> On Monday 05 December 2011 at 23:14 +0100, Gabriel wrote:
>> Hi all,
>>
>> I may be missing something, but the really nifty extensions site
>> prompted me to ask this, are there not potential security issues with
>> extensions being able to be installed by clicking on a webpage? And
>> since extensions are able to modify the way the UI behaves, could
>> someone not make one that steals users' info, make screenshots, steal
>> passwords (like emulating the login screen for example), etc?
> (Note this applies to any random third-party package users might install
> by clicking on a link and providing their password.)
>
>> I'm sure you thought of all this so I'd be interested in knowing how you
>> protect us (sandboxing, limiting the things API can do, not allowing
>> access to the HD except through given functions, etc).
> This has been discussed on this list previously. See
> http://lwn.net/Articles/459786/ for a summary and links.
>
> Basically, the Shell ensures the extension comes from
> extensions.gnome.org, which requires a review of the code by other
> hackers; and it will never install/update extensions without user action
> (modal dialog). But once installed, extensions are not sandboxed and can
> do whatever they want to the Shell, or to your files (just like any app
> on the system).
>
> Cheers

--
Jasper
Re: Extension security?
On Monday 05 December 2011 at 23:14 +0100, Gabriel wrote:
> Hi all,
>
> I may be missing something, but the really nifty extensions site
> prompted me to ask this, are there not potential security issues with
> extensions being able to be installed by clicking on a webpage? And
> since extensions are able to modify the way the UI behaves, could
> someone not make one that steals users' info, make screenshots, steal
> passwords (like emulating the login screen for example), etc?

(Note this applies to any random third-party package users might install by clicking on a link and providing their password.)

> I'm sure you thought of all this so I'd be interested in knowing how you
> protect us (sandboxing, limiting the things API can do, not allowing
> access to the HD except through given functions, etc).

This has been discussed on this list previously. See http://lwn.net/Articles/459786/ for a summary and links.

Basically, the Shell ensures the extension comes from extensions.gnome.org, which requires a review of the code by other hackers; and it will never install/update extensions without user action (modal dialog). But once installed, extensions are not sandboxed and can do whatever they want to the Shell, or to your files (just like any app on the system).

Cheers
Extension security?
Hi all,

I may be missing something, but the really nifty extensions site prompted me to ask this, are there not potential security issues with extensions being able to be installed by clicking on a webpage? And since extensions are able to modify the way the UI behaves, could someone not make one that steals users' info, make screenshots, steal passwords (like emulating the login screen for example), etc?

I'm sure you thought of all this so I'd be interested in knowing how you protect us (sandboxing, limiting the things API can do, not allowing access to the HD except through given functions, etc).

Thanks,
Gabriel