[Project_owners] Secure Updates for Firefox 3

Douglas E. Warner silfreed at silfreed.net
Wed Jul 18 08:00:59 PDT 2007


On Wednesday 18 July 2007, Scott wrote:
> I hope that there will be a 'show-n-tell' before anything becomes
> mandatory.
>
> I really hate having to go through hoops when I did that already when
> learning how to sign XPI files.
>
> And yes I do have a code signing cert.
>
> I really do not see a better advantage to this because signing the XPI
> code is rock hard security compared to signing just the updates.rdf
>
> If I was to *enforce* anything it would be XPI signing because you can't
> defeat that in any form that I know of.

(not speaking from experience here)
I think the problem is that Firefox does not enforce code signing 
certificates; it only checks them if they're presented.

This means that the certificates' only purpose is to verify that *this 
extension* came from *this person/group* - it doesn't verify that it wasn't 
tampered with during the download, or that the file that was originally 
selected to be downloaded was the intended one.

By signing the updates.rdf file with the same key that was installed with the 
extension, the user can be *sure* that the updates.rdf file is from the 
original developer.  This combined with updateHash verifies that the files 
(extensions) downloaded are from the intended source.

This doesn't protect against problems in the original installation, but this 
hasn't been a focus for Mozilla for Firefox 3.  Currently it's deemed that 
the attack vector for installation of extensions is much, much smaller than 
for updates - update requests happen frequently and are predictable - an 
installation is a user-initiated action and is much harder for an attacker to 
predict.

-Doug
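The two checks Doug describes above (manifest signed with the key installed alongside the extension, then the downloaded file checked against updateHash), written out as an added example in Go. This is not Mozilla's code or the real updates.rdf format: it assumes Ed25519 for the signature and SHA-256 for the hash, and the Manifest fields are stand-ins for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for one updates.rdf entry: where the new XPI lives and
// the hash it must have (updateHash). Field names are assumptions for the demo.
type Manifest struct {
	UpdateURL  string
	UpdateHash string // hex SHA-256 of the XPI
}

func (m Manifest) bytes() []byte { return []byte(m.UpdateURL + "\n" + m.UpdateHash) }
// SignManifest is the developer's side: sign the manifest with the private key
// whose public half was shipped inside the extension at install time.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client's side. Step 1 binds the manifest to the key
// installed with the extension; step 2 binds the downloaded bytes to the
// manifest via updateHash. Either failing rejects the update.
func VerifyUpdate(installed ed25519.PublicKey, m Manifest, sig, xpi []byte) error {
	if !ed25519.Verify(installed, m.bytes(), sig) {
		return errors.New("updates.rdf signature does not match the installed key")
	}
	sum := sha256.Sum256(xpi)
	if hex.EncodeToString(sum[:]) != m.UpdateHash {
		return errors.New("downloaded XPI does not match updateHash")
	}
	return nil
}
func main() {
	// Constructed sample data: throwaway key pair and fake XPI bytes.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	xpi := []byte("constructed XPI contents")
	sum := sha256.Sum256(xpi)
	m := Manifest{"https://example.invalid/ext-1.1.xpi", hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, xpi))
	fmt.Println("swapped XPI:", VerifyUpdate(pub, m, sig, []byte("something else")))
	m.UpdateURL = "https://tampered.invalid/other.xpi" // manifest edited in transit
	fmt.Println("edited manifest:", VerifyUpdate(pub, m, sig, xpi))
}
```

As Doug notes, none of this covers the first install: the public key bundled with the original XPI is trusted as-is, so a bad initial download is out of scope for these checks.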