<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Perhaps a compromise is to have a dual authentication system:<br>
<br>
* Support signed extensions as-is.<br>
* Support unsigned extensions using the master password and a
key-pair for signing.<br>
<br>
In the unsigned extension case, generate a local extension signature
and store it in a local database. Sign that database using a
generated key-pair. This way, the database can be read by everyone
(i.e. without prompting for the password) and it can only be updated
after unlocking the private key with the master password.<br>
<br>
To get around the case where malware could replace the database and
public key, have the key-pair issued by a remote Mozilla service so
that the public key can be validated as authentic. If an invalid
public key is found, invalidate the database and disable the now
unsigned extensions until the user manually re-enables them. If the
public key was also stored behind the master password, then it could
be restored without issuing a new pair.<br>
<br>
<div class="moz-cite-prefix">On 08/17/2015 09:06 PM, Dave Townsend
wrote:<br>
</div>
<blockquote
cite="mid:CAPMxTNoS+4M_iXy93V5XTbxH9r+o0J0aAbYVX6_ppDw775xWeA@mail.gmail.com"
type="cite">
<div dir="ltr">On Mon, Aug 17, 2015 at 5:17 PM, Anthony Shipman <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:als@iinet.net.au" target="_blank">als@iinet.net.au</a>&gt;</span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On Mon, 2015-08-17 at 14:26 -0700, Dave
Townsend wrote:<br>
> On Mon, Aug 17, 2015 at 2:22 PM, Anthony Shipman
&lt;<a moz-do-not-send="true"
href="mailto:als@iinet.net.au">als@iinet.net.au</a>&gt;<br>
> wrote:<br>
<br>
</span><span class="">> What if there was a
security flag attached to preferences<br>
> which<br>
> prevented the preference from being changed
except manually<br>
> through<br>
> the <a class="moz-txt-link-freetext" href="about:config">about:config</a> page? Wouldn't this
provide protection<br>
> against malware?<br>
><br>
> Preferences are stored in the user profile where
any other software on<br>
> the machine can write to them with no special
privileges required. It<br>
> doesn't matter what restriction we include in
Firefox for changing<br>
> preferences, malware can just overwrite the prefs
file directly.<br>
<br>
</span>What if secure preferences were saved in a separate
file that is<br>
encrypted or digitally signed to ensure that only FF can
update them?<br>
</blockquote>
<div><br>
</div>
<div>Digitally signing the preferences assumes that we have
some private key that only Firefox can access. But if
Firefox can access it then so can malware and since
Firefox is open source it would be trivial to copy the
code we used to sign the preferences. It would only be
possible to do this if we required every Firefox user to
enter a password or some kind of authentication code
whenever we needed to verify or write preferences. <br>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
firefox-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/firefox-dev">https://mail.mozilla.org/listinfo/firefox-dev</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bluefang-Logic Networks:
Scaled for your pleasure.</pre>
</body>
</html>