[Project_owners] XPI security issues

Erwin Wessels erwin at transpontine.com
Thu Jan 22 12:02:41 EST 2004



HJ wrote:

>Hi folks,
>
>Are we concerned about security?

Always. Especially when you're dealing with (potentially) private issues 
like people's email, like for TB, or people's online banking.

>Should we use a signed XPI installation or not?

Not sure if I have much faith in signing. So John Doe signed this 
extension, what does this mean to me? It's a matter of trust, and 
signing alone doesn't make me trust something.

>Who benefits from this policy?

From a security policy in general, I would say especially less savvy 
users benefit. The hard-core users are smart enough to dodge most 
bullets. Since we're working on making Mozilla* more end-user friendly, 
I do believe it's a sane thing to do _something_. Also, to put it 
simply, security sells. If you can say that something is secure, it 
earns you bonus points.

>What do we need for this?

Trust. I don't want to bomb this initiative, but I do think signing 
alone is not the answer. Alternatively (or rather in addition) we might 
want to look at trusted delivery methods - if there are only a few 
sources for extensions, rotten apples are easily and swiftly sniffed.

>Are you willing to change your XPI install process?

Sure. Why not? It's not that complicated.

>note: remember this, not all source code is available, you have to download many XPIs before you can take a look at it.

Even if you do, can you _always_ examine _all_ source code?

>One day we might need so-called 'TRUSTED' project owners to scan sources on mozdev.org

That would only work for mozdev projects. Not all extensions are 
*.mozdev.org ... Also, even this would be no guarantee that a _release_ 
wouldn't be dirty anyway - you can just add code outside the CVS.

-Erwin

-- 
This is a signature.