Re: Firefox Add-ons

2010-02-10 Thread Nils Maier
On 08.02.2010 22:40, Eddy Nigg wrote: > On 02/08/2010 09:28 PM, Lucas Adamski: >>> In this case perhaps - in another case you perhaps will stay with the >>> damage and never hear from the "developer". >> >> >> The point is even a well legitimate intentioned developer with a code >> signing cert c

Re: Firefox Add-ons

2010-02-09 Thread Eddy Nigg
On 02/09/2010 11:50 PM, David E. Ross: On 2/6/2010 7:04 AM, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? Because this isn't really comforting

Re: Firefox Add-ons

2010-02-09 Thread David E. Ross
On 2/6/2010 7:04 AM, Eddy Nigg wrote: > Isn't it about time that extensions and applications get signed with > verified code signing certificates? Adblock Plus is doing for a while > now I think, perhaps other should too? > > Because this isn't really comforting: > http://www.theregister.co.uk/

Re: Firefox Add-ons

2010-02-08 Thread Bil Corry
I think such a document could go a long way to help people understand how Mozilla protects them, the limitations that are faced, and what happens when something goes wrong. If they still feel like it isn't enough, then they can be prompted to suggest improvements to the process. Speaking of im

Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg
On 02/07/2010 08:02 PM, Bil Corry: BTW, this presentation from OWASP DC names Eddy Nigg, Giorgio Maone, and developers at Mozilla (among others) as "The 10 least-likely and most dangerous people on the Internet": http://www.owasp.org/images/1/1f/The_10_least-likely_and_most_dangerous_

Re: Firefox Add-ons

2010-02-08 Thread Sid Stamm
Hi Bil, I don't believe we have a document precisely along the lines of what you suggest (as far as I know) but we have these other documents that are sometimes helpful: https://developer.mozilla.org/en/Security_best_practices_in_extensions https://addons.mozilla.org/en-US/developers/docs/policie

Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg
On 02/08/2010 09:28 PM, Lucas Adamski: In this case perhaps - in another case you perhaps will stay with the damage and never hear from the "developer". The point is even a well legitimate intentioned developer with a code signing cert could ship malware by accident. Right - and I believe t

Re: Firefox Add-ons

2010-02-08 Thread Lucas Adamski
On Feb 6, 2010, at 10:43 AM, Eddy Nigg wrote: On 02/06/2010 08:30 PM, Lucas Adamski: I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating wi

Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg
Last I checked there definitively were some code signing certificates basically issued under the terms of "If the credit card check comes back OK, issue it". It's a little while ago though. But really. It's *hard* to do better than that, better than "Send us by fax our doctored ID so that w

Re: Firefox Add-ons

2010-02-08 Thread Jean-Marc Desperrier
Eddy Nigg wrote: no CA was here admitted under these conditions for having the code signing bit turned on. I'm not saying that at some point in PKI history this wasn't done. It's not done today and feel free to publicly name the CA which does that. Last I checked there definitively were some co

Re: Firefox Add-ons

2010-02-07 Thread Daniel Veditz
On 2/6/10 12:50 PM, David E. Ross wrote: > At , you can even enter bug reports > against the addons.mozilla.org site. However, there is no provision for > entering bug reports against individual add-ons. Not for garden variety bugs, true. But for security problems M

Re: Firefox Add-ons

2010-02-07 Thread Eddy Nigg
On 02/07/2010 09:11 PM, Daniel Veditz: The unreviewed addons should go on a completely separate site and not show up in AMO search results, just as Firefox "experimental" nightly builds aren't available from the product pages on mozilla.com. Makes sense. An analogy I've used before: if yo

Re: Firefox Add-ons

2010-02-07 Thread Daniel Veditz
On 2/6/10 8:08 AM, David E. Ross wrote: > Add-ons there go through some degree of review before being available to > the public; before such reviews are concluded, add-ons require a user to > log on to his or her own account and receive a warning that the review is > still underway. Unfortunately t

Re: Firefox Add-ons

2010-02-07 Thread Bil Corry
Eddy Nigg wrote on 2/6/2010 7:04 AM: > Isn't it about time that extensions and applications get signed with > verified code signing certificates? Adblock Plus is doing for a while > now I think, perhaps other should too? > > Because this isn't really comforting: > http://www.theregister.co.uk/201

Re: Firefox Add-ons

2010-02-07 Thread Pavel Cvrcek
On 6.2.2010 19:43, Eddy Nigg wrote: Yes, but is it feasible to review every add-on? Maybe it's not such a burden - and what about modifications of existing add-ons? Are they reviewed too? On AMO you can see two groups of add-ons. Standard add-ons which are reviewed by editors. Even if dev

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 10:58 PM, Jean-Marc Desperrier: On 06/02/2010 19:47, Eddy Nigg wrote: But I guess you would think twice to sign (malicious) code with your name - any code for that matter. How hard is it to sign it with a cert you bought with a stolen credit card number, using the name from the

Re: Firefox Add-ons

2010-02-06 Thread Jean-Marc Desperrier
On 06/02/2010 19:47, Eddy Nigg wrote: But I guess you would think twice to sign (malicious) code with your name - any code for that matter. How hard is it to sign it with a cert you bought with a stolen credit card number, using the name from the card ? A 50$ code signing certificate just br

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 08:42 PM, Michael Lefevre: On 06/02/2010 15:04, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? I don't know if more details are avai

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 08:30 PM, Lucas Adamski: I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us). In this case perhaps - in another case you

Re: Firefox Add-ons

2010-02-06 Thread Michael Lefevre
On 06/02/2010 15:04, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? I don't know if more details are available than have been published so far, bu

Re: Firefox Add-ons

2010-02-06 Thread Lucas Adamski
I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us). Code signing doesn't prevent malicious code from being inserted into an addon.

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 06:08 PM, David E. Ross: Do you know a source of free "verified code signing certificates"? I think some CAs provide to open source projects code signing certificates for free. Otherwise the cheapest I know are around 50 US$, a bit cheaper when purchased as a group. Most a

Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 8:08 AM, David E. Ross wrote: > On 2/6/2010 7:04 AM, Eddy Nigg wrote: >> Isn't it about time that extensions and applications get signed with >> verified code signing certificates? Adblock Plus is doing for a while >> now I think, perhaps other should too? >> >> Because this isn't rea

Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 7:04 AM, Eddy Nigg wrote: > Isn't it about time that extensions and applications get signed with > verified code signing certificates? Adblock Plus is doing for a while > now I think, perhaps other should too? > > Because this isn't really comforting: > http://www.theregister.co.uk/

Firefox Add-ons

2010-02-06 Thread Eddy Nigg
Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? Because this isn't really comforting: http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/ -- Reg

Firefox add-ons to securely manage passwords

2009-07-20 Thread Kevin
Firefox 3.5 is compatible with several add-ons to help manage your passwords. Some of them are pwgen, Billeo, Password Exporter and Master Password Timeout. https://addons.mozilla.org/en-US/firefox/addon/12715