[Project_owners] Signed XPI requirement is imminent

Christopher Ottley xknight at users.sourceforge.net
Wed Dec 22 11:12:25 EST 2004

HJ wrote:

> I guess you've all read this "Microsoft's Peter Torr Attacks Mozilla 
> Firefox Security" article on mozillaZine by now, so guess what; if 
> that isn't going to have any effect...nothing will...

Software trust is a funny thing. When I install an XPI online I'm 
trusting the mirror, the author, the browser and the network. For the 
network, if I really wanted to, I could use https for end-to-end channel 
encryption. The browser has a whitelist so XPIs can be screened before 
installation from the site. The author usually has the source code 
available for review, so this trust is only a problem if the source is 
unavailable. The mirror is a "weak link" because someone could replace 
the author's XPI with a malicious one if they hacked the mirror. To 
avoid this, yes, the XPIs could be signed. Perhaps it would be easier 
however for update.mozilla.org (or whatever sites are whitelisted) to 
have an MD5 or SHA1 hash of the extension available for checking using 
the GUID and version of the extension being installed. That way the copy 
can be automatically verified for those that don't trust the mirror. It 
would save the cost and trouble of signing with a valid certificate each 
of the extensions out there and the extension authors wouldn't have to 
do a thing differently.

I believe Mr. Torr implies that by using signed executables it is 
logical to trust the code. This is a wrong assumption; otherwise all the 
spyware and malware authors wouldn't be able to sign ActiveX controls 
and hijack IE. If the XPIs are to be author signed, that's just wasting 
time, energy and resources.
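As an added example (not code from the post, and not Mozilla's own update machinery), here is the hash check Christopher proposes: the whitelisted site publishes a digest keyed by the extension's GUID and version, and the client recomputes the digest of whatever the mirror delivered and refuses on mismatch. The GUID, version, XPI bytes and both manifests are constructed sample values. The example also shows the scheme's limit: a digest fetched from the same mirror that served the file verifies a tampered copy just as happily, so the manifest must come from the independent, whitelisted site.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# SHA-1 is what the post suggests (alongside MD5); a deployment today
# would pick SHA-256, but the verification logic is identical.
def xpi_digest(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed stand-ins for the author's XPI and a copy altered on a
# hacked mirror (real XPIs are ZIP archives; these are just sample bytes).
GOOD_XPI = b"PK\x03\x04 constructed-xpi-contents install.rdf chrome.jar"
TAMPERED_XPI = b"PK\x03\x04 constructed-xpi-contents install.rdf evil.jar"

# Made-up GUID (the curly-brace UUID form install.rdf uses) and version.
GUID = "{11111111-2222-3333-4444-555555555555}"
VERSION = "1.0"

# Manifest the whitelisted site (e.g. update.mozilla.org) would serve,
# keyed by (GUID, version). Constructed for this example.
TRUSTED_MANIFEST: Dict[Tuple[str, str], str] = {
    (GUID, VERSION): xpi_digest(GOOD_XPI),
}

# Manifest served by the compromised mirror itself: the attacker who
# replaced the XPI also rewrote the digest, so it matches the bad copy.
MIRROR_MANIFEST: Dict[Tuple[str, str], str] = {
    (GUID, VERSION): xpi_digest(TAMPERED_XPI),
}


def verify_xpi(guid: str, version: str, xpi_bytes: bytes,
               manifest: Dict[Tuple[str, str], str]) -> bool:
    """Accept the download only if its digest equals the one published
    for this exact GUID and version. Unknown GUID/version pairs are
    refused rather than guessed at."""
    expected: Optional[str] = manifest.get((guid, version))
    if expected is None:
        return False
    return hmac.compare_digest(xpi_digest(xpi_bytes), expected)


if __name__ == "__main__":
    print("good copy, trusted manifest:", verify_xpi(GUID, VERSION, GOOD_XPI, TRUSTED_MANIFEST))
    print("tampered copy, trusted manifest:", verify_xpi(GUID, VERSION, TAMPERED_XPI, TRUSTED_MANIFEST))
    # The check is only as good as where the digest came from:
    print("tampered copy, mirror's own manifest:", verify_xpi(GUID, VERSION, TAMPERED_XPI, MIRROR_MANIFEST))
```

The last call passing is the point of the caveat: the digest defends against a bad mirror only when it is obtained from a source the mirror cannot alter.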
