<div dir="ltr">On Mon, Aug 17, 2015 at 6:46 PM, Stephen Cohen <span dir="ltr"><<a href="mailto:stesen-moz@outlook.com" target="_blank">stesen-moz@outlook.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Sorry if this is a double-post. Not sure if it is. Email client misbehaved.<br><br>Forgive me for interjecting as a mere “lurking user” (not certain what the general etiquette is for that on this list), but I’ve been reading this thread and I’m a little confused:<br><br>“Firefox is open source” is a very good point: Here we’re discussing defending the user from malicious add-ons themselves installed by malware, malware which would first have to adjust a setting in Firefox in order to install said malicious add-on. If the malware already has system filesystem access (needed to alter the pref files), haven’t you already lost? At that point could the malware not simply replace Firefox’s binary with a version recompiled by the malware author (Firefox being OSS) to not have the preference/restriction in the first place?<br></div></div></blockquote><div><br></div><div>To a certain extent you're right. If you have malware then you've kind of lost. That doesn't mean that we shouldn't make any attempt to stop malware from being able to take over a user's Firefox. We've gradually increased the difficulty of injecting rogue code into Firefox over time. The other problem is that there are different classes of malware, some obviously harmful, others in a grey area. By raising the level to the point where malware has to physically alter the Firefox install in order to inject an add-on it shows clear ill-intent on the malware's part which can help us engage with anti-virus and OS manufacturers to block the rogue software in ways that Firefox cannot.<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr">It feels intuitively to me like this is rather like trying to use an umbrella to keep dry in a swimming pool. I feel like I must be missing something here, as I don’t think Mozilla developers are anything close to dumb. 
Could someone please explain to me why this isn’t futile to begin with? I mainly follow this list to gain insight on the software development process, so I figured I might as well ask.<br><br><br>And assuming that there is working logic there, and I’m replying to this anyway, figured I might as well throw out a crazy suggestion (why not; feel free to ignore):<br><br>How about introducing a class of “secure preferences” that would work thusly:<br>Changing these prefs from defaults requires a Firefox Account.<br>Changes to secure prefs are synced to the Account and persist only for the session.<br>When the Browser starts, these preferences are restricted to hard-coded defaults until the user’s prefs are synced for the session (this would be done before syncing bookmarks/history/etc).<br>There would be no local pref files to manipulate. The malware would need the user’s sync key/login and a connection to the Sync servers.<br></div></div></blockquote><div><br></div><div>The sync login details all have to be held locally of course or Firefox can't connect to the servers. Unless you require users to manually enter a password or use some kind of external authentication token malware can still read all this information just as easily as Firefox can.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr">The only downsides to the user would be the requirement for an account (which is moot as the current solution of submitting to AMO also requires an account there), and a slight delay after browser start before the pref is loaded (followed by unsigned add-ons kicking in).<br></div></div></blockquote><div><br></div><div>This isn't a moot point, the current solution requires only developers to have an AMO account, many developers (I'd like to say most but I don't have the stats to back that up handy) do have an AMO and distribute their add-on there already. 
Most Firefox users do not have a Firefox account and I don't know how many would be willing to create one. The aim is for all legitimate add-ons to be signed so we'd be supporting this quite complex system for a vanishingly small set of users, users who could just use the unbranded builds that are identical to Firefox releases in every way except for the icons and names.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><br>Just my two-cents!<br><br>—Happy Firefox User. :)<br><br><div><hr>Date: Mon, 17 Aug 2015 18:06:12 -0700<br>Subject: Re: Add-on & Extension signing<br>From: <a href="mailto:dtownsend@mozilla.com" target="_blank">dtownsend@mozilla.com</a><br>To: <a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a><div><div class="h5"><br><br><div dir="ltr">On Mon, Aug 17, 2015 at 5:17 PM, Anthony Shipman <span dir="ltr"><<a href="mailto:als@iinet.net.au" target="_blank">als@iinet.net.au</a>></span> wrote:<br><div><div><blockquote style="border-left:1px #ccc solid;padding-left:1ex"><span>On Mon, 2015-08-17 at 14:26 -0700, Dave Townsend wrote:<br>
> On Mon, Aug 17, 2015 at 2:22 PM, Anthony Shipman <<a href="mailto:als@iinet.net.au" target="_blank">als@iinet.net.au</a>><br>
> wrote:<br>
<br>
</span><span>> What if there was a security flag attached to preferences<br>
> which<br>
> prevented the preference from being changed except manually<br>
> through<br>
> the about:config page? Wouldn't this provide protection<br>
> against malware?<br>
><br>
> Preferences are stored in the user profile where any other software on<br>
> the machine can write to them with no special privileges required. It<br>
> doesn't matter what restriction we include in Firefox for changing<br>
> preferences, malware can just overwrite the prefs file directly.<br>
<br>
</span>What if secure preferences were saved in a separate file that is<br>
encrypted or digitally signed to ensure that only FF can update them?<br></blockquote><div><br></div><div>Digitally signing the preferences assumes that we have some private key that only Firefox can access. But if Firefox can access it then so can malware and since Firefox is open source it would be trivial to copy the code we used to sign the preferences. It would only be possible to do this if we required every Firefox user to enter a password or some kind of authentication code whenever we needed to verify or write preferences. <br></div></div></div></div>
<br></div></div><span class="">_______________________________________________
firefox-dev mailing list
<a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a></span></div> </div></div>
<br></blockquote></div><br></div></div>
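<p>The argument Dave makes above (a signing key that Firefox can read from the profile is a key any same-user process can read, so signing the prefs file adds no protection unless the key comes from something the user types) is easy to check as a toy model before anyone builds it. The following is an added example written for this page, not code from the thread or from Mozilla: it models a hypothetical "secure preferences" record as an HMAC-SHA256 tag over canonical JSON, then runs the thread's two designs against the same adversary, a second process with the same read access to the profile directory as the browser. The pref name, key material, salt and password are constructed for the demonstration.</p>

```python
import hashlib
import hmac
import json

# Hypothetical "secure preferences" record (added example, not Firefox's format):
# the protected prefs plus an HMAC-SHA256 tag over their canonical JSON encoding.

PROTECTED = {"example.require_signed_addons": True}   # constructed pref name
TAMPERED = {"example.require_signed_addons": False}


def canonical(prefs: dict) -> bytes:
    """Deterministic encoding so the tag does not depend on key order."""
    return json.dumps(prefs, sort_keys=True, separators=(",", ":")).encode()


def sign_prefs(prefs: dict, key: bytes) -> dict:
    """Produce the on-disk record {prefs, tag} under the given key."""
    tag = hmac.new(key, canonical(prefs), hashlib.sha256).hexdigest()
    return {"prefs": prefs, "tag": tag}


def verify_prefs(record: dict, key: bytes) -> bool:
    """What the browser would run at startup before trusting the record."""
    expected = hmac.new(key, canonical(record["prefs"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from a secret the user types; the password itself is never on disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def local_key_scheme_is_forgeable() -> bool:
    """Design A from the thread: the signing key is stored in the profile directory.

    A second process running as the same user sees exactly the files the browser
    sees, so it can re-sign any contents and the startup check accepts them.
    """
    profile = {"signing.key": b"constructed-demo-key-not-a-real-secret"}
    profile["secure-prefs.json"] = sign_prefs(PROTECTED, profile["signing.key"])

    # Same-user process: same view of the profile, so the same key.
    key_seen_by_other_process = profile["signing.key"]
    profile["secure-prefs.json"] = sign_prefs(TAMPERED, key_seen_by_other_process)

    # The browser's check passes on the rewritten file; the tag discriminated nothing.
    return verify_prefs(profile["secure-prefs.json"], profile["signing.key"])


def password_key_scheme_detects_tampering() -> bool:
    """Design B from the thread: the key is derived from a password the user enters.

    Only the salt is on disk. A process that can read the profile but does not
    hold the password cannot compute a fresh tag, so a rewritten record fails
    verification under the key re-derived from the typed password.
    """
    salt = b"constructed-salt"
    typed_password = "correct horse battery staple"   # constructed, never stored
    profile = {"salt": salt,
               "secure-prefs.json": sign_prefs(PROTECTED, password_key(typed_password, salt))}

    # Same-user process rewrites the prefs but can only keep the old tag.
    old_tag = profile["secure-prefs.json"]["tag"]
    profile["secure-prefs.json"] = {"prefs": TAMPERED, "tag": old_tag}

    # Startup check with the honest, re-derived key rejects the record.
    return not verify_prefs(profile["secure-prefs.json"], password_key(typed_password, salt))


if __name__ == "__main__":
    print("local key on disk, tampering accepted:", local_key_scheme_is_forgeable())
    print("password-derived key, tampering rejected:", password_key_scheme_detects_tampering())
```

<p>The model says nothing about Firefox's real preference code; it only makes the thread's threat model concrete. Design A fails not because HMAC is weak but because the adversary is inside the key's trust boundary. Design B moves the secret outside that boundary and pays for it with exactly the cost named above: a prompt every time the browser needs to verify or write the record, which is why the thread treats it as a non-starter for ordinary users.</p>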