[Project_owners] Secure Updates for Firefox 3
Douglas E. Warner
silfreed at silfreed.net
Wed Jul 18 08:00:59 PDT 2007
On Wednesday 18 July 2007, Scott wrote:
> I hope that there will be a 'show-n-tell' before anything becomes
> I really hate having to go through hoops when I did that already when
> learning how to sign XPI files.
> And yes I do have a code signing cert.
> I really do not see a better advantage to this because signing the XPI
> code is rock hard security compared to signing just the updates.rdf
> If I was to *enforce* anything it would be XPI signing because you can't
> defeat that in any form that I know of.
(not speaking from experience here)
I think the problem is that Firefox does not enforce code signing
certificates; it only checks them if they're presented.
This means that the certificates' only purpose is to verify that *this
extension* came from *this person/group* - it doesn't verify that it was
tampered with during the download, or that the file that was originally
selected to be downloaded was the intended one.
By signing the updates.rdf file with the same key that was installed with the
extension, the user can be *sure* that the updates.rdf file is from the
original developer. This combined with updateHash verifies that the files
(extensions) downloaded are from the intended source.
This doesn't prevent against problems in the original installation, but this
hasn't been a focus for Mozilla for Firefox 3. Currently it's deemed that
the attack vector for installation of extensions is much, much smaller than
for updates - update requests happen frequently and are predictable - an
installation is a user-initiated action and is much harder for an attacker to