On Fri, Feb 13, 2015 at 09:54:25AM +0100, Kurt Roeckx wrote:
> On 2015-02-13 01:14, Botond Ballo wrote:
> >One concern which I don't feel has been sufficiently emphasized, is
> >the way in which this proposal would make our users vulnerable to
> >censorship.
> 
> What I've been wondering is who can sign?  Is Mozilla the only one that can
> sign it or can a signature from a code signing certificate that is in the
> trust store be used?  I think since we're signing code, we should rely on
> any code signing certificate.  But for people that find that expensive
> Mozilla could sign it for them.

The linked post indicates that only Mozilla will be signing, and the
attestation is not as to the identity of the originator, but as to the fact
that the code is not malicious.  This scheme is one of code whitelisting,
not identity management, thus identity certificates, code signing or
otherwise, are irrelevant.

I too believe that the browser should allow the installation of
locally-trusted keys for distribution of locally signed extensions within an
enterprise or for local development or testing.  However, it's not my
codebase, so I'm not going to beat my chest and demand that Something Be
Done (as many of the commenters on the post did).  Having to run an
unbranded build just to do extension development seems a bit over the top,
and it re-exposes the user to the security risks of malicious extensions.

As to censorship, Mozilla already has that capability with its addon
blacklisting, as was mentioned by the article author in the comments. 
Whether the censorship could be "quieter" in an extension signing world, by
simply not issuing a signature, as opposed to publishing a blacklist, is
something worth discussing further.

- Matt

-- 
I tend to think of "solution" as just a pretentious term for "thingy". 
Doing that word substitution in my head makes IT marketing literature
somewhat more tolerable.
                -- lutchann, in http://lwn.net/Articles/124703/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
