[Project_owners] XPI security issues

Ben Bucksch ben.bucksch.news at beonex.com
Fri Jan 23 11:20:48 EST 2004


Erwin Wessels wrote:

> HJ wrote:
>
>> Are we concerned about security?
>
A lot. Which is why I am currently generally not installing extensions.

>> Should we use a signed XPI installation or not?
>
> Not sure if I have much faith in signing. So John Doe signed this 
> extension, what does this mean to me? It's a matter of trust, and 
> signing alone doesn't make me trust something.

True. But at least I know it came from HJ (or not). As-is, any 
man-in-the-middle could insert malicious code.

If you use signing, you have to sign *all* downloads (at least from a 
given project), *always*. If there are valid releases without a valid 
signature, users aren't suspicious anymore if there is a malicious 
download without a signature.

>> Who benefits from this policy?
>
> From a security policy in general, I would say especially less savvy 
> users benefit. The hard-core users are smart enough to dodge most bullets.

How so?

> If you can say that something is secure

You can't :).

>> What do we need for this?
>
> Trust. I don't want to bomb this initiative, but I do think signing 
> alone is not the answer.

True.

>> One day we might need so called 'TRUSTED' project owners to scan 
>> sources on mozdev.org
>
Yes.

Signing is a relatively easy solution to one problem, an alteration 
between developer machine and user machine.

I see 2 hard-to-solve security problems at mozdev.org:

    * No checks for project owners or source code
      Any malicious person could create a project on mozdev, maybe just
      something very simple but useful like a new context menu item, and
      hide malicious code in there.
      Also, many project owners are not very proficient in security
      matters and may unintentionally introduce holes.
    * Server security
      mozdev.org servers have been rooted at least twice. This is in
      part due to the large number of services running on these hosts.
      As soon as a CVS server is rooted, you have to treat *all* the
      code in the CVS repository (that means *all* source code in *all*
      projects) as untrusted and potentially malicious, even the source
      for your own project.* That's why I think it's best to have CVS on
      a dedicated machine, where *only* CVS runs.

*When the Debian download servers got rooted (which is bad enough), they 
re-installed most servers from scratch and checked all downloads against 
other copies.
