[Project_owners] Secure Updates for Firefox 3

Scott sgrayban at gmail.com
Wed Jul 18 08:38:16 PDT 2007

Douglas E. Warner wrote:
> On Wednesday 18 July 2007, Scott wrote:
>> I hope that there will be a 'show-n-tell' before anything becomes
>> mandatory.
>> I really hate having to go through hoops when I did that already when
>> learning how to sign XPI files.
>> And yes I do have a code signing cert.
>> I really do not see a better advantage to this because signing the XPI
>> code is rock hard security compared to signing just the updates.rdf
>> If I was to *enforce* anything it would be XPI signing because you can't
>> defeat that in any form that I know of.
> (not speaking from experience here)
> I think the problem is that Firefox does not enforce code signing 
> certificates; it only checks them if they're presented.
> This means that the certificates only purpose is to verify that *this 
> extension* came from *this person/group* - it doesn't verify that it was 
> tampered with during the download, or that the file that was originally 
> selected to be downloaded was the intended one.
I don't think that this is correct. Looking at how the XPI get's signed
the file * META-INF/manifest.mf * holds all the checksums.

Manifest-Version: 1.0
Created-By: Signtool (signtool 3.11.4 Basic ECC)

Name: chrome/clearurlbutton.jar
Digest-Algorithms: MD5 SHA1
MD5-Digest: lcNRNkz7Jky9F3Q3Ln1F9w==
SHA1-Digest: DGCvz7uGassVNqv9nWIh7YY+ej8=

Name: chrome.manifest
Digest-Algorithms: MD5 SHA1
MD5-Digest: xRf6OEmnKpzgzoh/aVFDMw==
SHA1-Digest: t7iZ6C8k4RKOBOoLNRrAHQO+6YQ=

Name: install.rdf
Digest-Algorithms: MD5 SHA1
MD5-Digest: rhTb0Eod5aEwFMN4YLobwQ==
SHA1-Digest: YGEjZmdaG6Vtb65rt0OX/O+pwFk=

Name: License.txt
Digest-Algorithms: MD5 SHA1
MD5-Digest: 5lt8GatwkxDUlHV4tnBjNw==
SHA1-Digest: Symyfwj9y7Sea4PqKJ9Dg/SQIZw=

Name: install.js
Digest-Algorithms: MD5 SHA1
MD5-Digest: U1GrbC/mf/p3JtES1hbYrw==
SHA1-Digest: yoPqyyDDCIrXI8Rf1gAV17kXtaA=

This clearly shows that the XPI and the files can not be altered without
having to re-sign the XPI all over again.
The file * META-INF/zigbert.sf * also holds the same information.

I don't think it is possible to tamper with the XPI file without
completely breaking the update because on my tests here Firefox refused
to install the XPI because the checksums didn't match when it was signed.

> By signing the updates.rdf file with the same key that was installed with the 
> extension, the user can be *sure* that the updates.rdf file is from the 
> original developer.  This combined with updateHash verifies that the files 
> (extensions) downloaded are from the intended source.
> This doesn't prevent against problems in the original installation, but this 
> hasn't been a focus for Mozilla for Firefox 3.  Currently it's deemed that 
> the attack vector for installation of extensions is much, much smaller than 
> for updates - update requests happen frequently and are predictable - an 
> installation is a user initiated action is much harder for an attacker to 
> predict.
> -Doug
> ------------------------------------------------------------------------
> _______________________________________________
> Project_owners mailing list
> Project_owners at mozdev.org
> http://mozdev.org/mailman/listinfo/project_owners

More information about the Project_owners mailing list