[Project_owners] XPI security issues
ben.bucksch.news at beonex.com
Fri Jan 23 11:20:48 EST 2004
Erwin Wessels wrote:
> HJ wrote:
>> Are we concerned about security?
A lot. Which is why I am currently generally not installing extensions.
>> Should we use a signed XPI installation or not?
> I'm not sure I have much faith in signing. So John Doe signed this
> extension; what does this mean to me? It's a matter of trust, and
> signing alone doesn't make me trust something.
True. But at least I know it came from HJ (or not). As-is, any
man-in-the-middle could insert malicious code.
If you use signing, you have to sign *all* downloads (at least from a
given project), *always*. If there are valid releases without a valid
signature, users will no longer be suspicious when a malicious
download shows up without one.
>> Who benefits from this policy?
> From a security policy in general, I would say especially less savvy
> users benefit. The hard-core users are smart enough to dodge most bullets.
> If you can say that something is secure
You can't :).
>> What do we need for this?
> Trust. I don't want to bomb this initiative, but I do think signing
> alone is not the answer.
>> One day we might need so-called 'TRUSTED' project owners to scan
>> sources on mozdev.org
Signing is a relatively easy solution to one problem: alteration
between the developer machine and the user machine.
I see 2 hard-to-solve security problems at mozdev.org:
* No checks for projects owners or source code
Any malicious person could create a project on mozdev, maybe just
something very simple but useful like a new context menu item, and
hide malicious code in there.
Also, many project owners are not very proficient in security
matters and may unintentionally introduce holes.
* Server security
mozdev.org servers have been rooted at least twice. This is in
part due to the large number of services running on these hosts.
As soon as a CVS server is rooted, you have to treat *all* the
code in the CVS repository (that means *all* source code in *all*
projects) as untrusted and potentially malicious, even the source
for your own project.* That's why I think it's best to have CVS on
a dedicated machine, where *only* CVS runs.
*When the Debian download servers got rooted (which is bad enough), they
re-installed most servers from scratch and checked all downloads against
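The "sign all downloads, always" argument above, worked through as an added example; this is not code from the thread, from mozdev.org or from the XPI installer. It uses Ed25519 from Go's standard library as a stand-in for the certificate-based XPI signing the thread discusses, and the release names and file bytes are constructed for illustration. VerifyStrict rejects an unsigned download outright; VerifyLenient tolerates missing signatures the way users do once unsigned-but-legitimate releases exist, and the tampered release with its signature stripped sails straight through it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Release is a downloaded artifact (an XPI, say) together with the detached
// signature published alongside it; Sig is nil when the download shipped
// without one.
type Release struct {
	Name string
	Data []byte
	Sig  []byte
}

var (
	ErrUnsigned     = errors.New("release carries no signature")
	ErrBadSignature = errors.New("signature does not verify against the project key")
)

// GenerateKeypair creates the project's signing key. The private half stays
// on the developer machine; only the public half is shipped to users.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the detached signature the project publishes next to a release.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifyStrict enforces "sign all downloads, always": a release with no
// signature is rejected exactly like one whose signature fails.
func VerifyStrict(pub ed25519.PublicKey, r Release) error {
	if len(r.Sig) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, r.Data, r.Sig) {
		return ErrBadSignature
	}
	return nil
}

// VerifyLenient models the weak policy where some legitimate releases ship
// unsigned, so the verifier has to tolerate a missing signature. A
// man-in-the-middle then only needs to drop the signature when swapping
// the payload.
func VerifyLenient(pub ed25519.PublicKey, r Release) error {
	if len(r.Sig) == 0 {
		return nil // tolerated: this is the hole
	}
	if !ed25519.Verify(pub, r.Data, r.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Tamper simulates an attacker between mirror and user replacing the payload.
// keepSig=true leaves the original signature attached (a forgery attempt);
// keepSig=false strips it, which is what defeats a lenient verifier.
func Tamper(r Release, payload []byte, keepSig bool) Release {
	t := Release{Name: r.Name, Data: payload}
	if keepSig {
		t.Sig = r.Sig
	}
	return t
}

func main() {
	pub, priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for the bytes of a hypothetical XPI.
	original := []byte("PK\x03\x04 hypothetical-extension.xpi contents")
	evil := []byte("PK\x03\x04 backdoored contents")
	good := Release{Name: "hypothetical-extension.xpi", Data: original, Sig: Sign(priv, original)}
	forged := Tamper(good, evil, true)
	stripped := Tamper(good, evil, false)

	cases := []struct {
		label string
		r     Release
	}{{"genuine", good}, {"tampered, signature kept", forged}, {"tampered, signature stripped", stripped}}
	for _, c := range cases {
		fmt.Printf("%-30s strict: %v\n", c.label, VerifyStrict(pub, c.r))
		fmt.Printf("%-30s lenient: %v\n", c.label, VerifyLenient(pub, c.r))
	}
}
```

The forged release (payload changed, original signature kept) fails under both policies, because Ed25519 binds the signature to the exact bytes. Only the stripped release separates the two: the strict verifier reports ErrUnsigned, the lenient one returns nil and would install it. That is the practical content of "sign all downloads, always": the rule exists so the verifier (and the user) never has a reason to accept a missing signature.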