<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 08/17/2015 11:10 PM, Dave Townsend wrote:<br>
<blockquote
cite="mid:CAPMxTNrPT-N87gqTuNDXs6rH6kaNBOc8orLy5EPaOD-hsG3bOg@mail.gmail.com"
type="cite">
<div dir="ltr">On Mon, Aug 17, 2015 at 7:38 PM, Matthew Turnbull <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:sparky@bluefang-logic.com" target="_blank">sparky@bluefang-logic.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Perhaps a
compromise is to have a dual authentication system:<br>
<br>
* Support signed extensions as-is.<br>
* Support unsigned extensions using the master password
and a key-pair for signing.<br>
<br>
In the unsigned extension case, generate a local
extension signature and store it in a local database.
Sign that database using a generated key-pair. This way,
the database can be read by everyone (i.e. without
prompting for the password) and it can only be updated
after unlocking the private key with the master
password.<br>
<br>
To get around the case where malware could replace the
database and public key, have the key-pair issued by a
remote Mozilla service so that the public key can be
validated as authentic. If an invalid public key is
found, invalidate the database and disable the now
unsigned extensions until the user manually re-enables
them. If the public key was also stored behind the
master password, then it could be restored without
issuing a new pair.</div>
</blockquote>
<div><br>
</div>
<div>This is a complex system to support what should be a
small number of users as we expect most legitimate add-ons
to be signed. If users need to use add-ons that don't fall
into that set then they can use the unbranded builds which
are identical to Firefox releases in every way except that
they have different icons and naming and can be configured
to allow unsigned add-ons.<br>
</div>
</div>
</div>
</div>
</blockquote>
I would hazard a guess that the typical Firefox user wouldn't know
how to take their 'broken' extension, change the UUID, and submit it
for signing. Unless there was a "force enable" button in the Add-on
Manager that automated the whole process.<br>
<br>
I would also hazard a guess that the typical Firefox user wouldn't
know how to find the unbranded builds. And even if they could, I
would think that they would be put off enough with installing a
'different' browser that they would actually just install a
completely different browser.<br>
<br>
Maybe hindsight is 20/20, but at least to me, implementing a
password-based system would have been simpler than implementing all
of the signing infrastructure across multiple systems, requiring devs
to change their process, and potentially disrupting users' ability to
access the extensions they want.<br>
<br>
(and Mozilla would also avoid looking like they're trying to play
evil gatekeeper - actual policy and practice aside)<br>
<br>
Sorry if this was already covered somewhere, but are there reliable
metrics on installed extensions, and what percentage of them aren't
hosted on AMO? I suppose that would be the ultimate tell of how much
trauma this would cause.<br>
<br>
<blockquote
cite="mid:CAPMxTNrPT-N87gqTuNDXs6rH6kaNBOc8orLy5EPaOD-hsG3bOg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">On 08/17/2015 09:06 PM, Dave Townsend
wrote:<br>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">On Mon, Aug 17, 2015 at 5:17 PM,
Anthony Shipman <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:als@iinet.net.au"
target="_blank">als@iinet.net.au</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"><span>On Mon,
2015-08-17 at 14:26 -0700, Dave Townsend
wrote:<br>
> On Mon, Aug 17, 2015 at 2:22 PM, Anthony Shipman <<a
moz-do-not-send="true" href="mailto:als@iinet.net.au"
target="_blank">als@iinet.net.au</a>><br>
> wrote:<br>
<br>
<br>
</span><span>> What if there was a security flag attached to preferences<br>
> which prevented the preference from being changed except manually<br>
> through the <a class="moz-txt-link-freetext" href="about:config">about:config</a> page? Wouldn't this provide protection<br>
> against malware?<br>
><br>
> Preferences are stored in the user profile where any other software on<br>
> the machine can write to them with no special privileges required. It<br>
> doesn't matter what restriction we include in Firefox for changing<br>
> preferences, malware can just overwrite the prefs file directly.<br>
<br>
</span>What if secure preferences were saved in a separate file that is<br>
encrypted or digitally signed to ensure that only FF can update them?<br>
</blockquote>
<div><br>
</div>
<div>Digitally signing the preferences
assumes that we have some private key that
only Firefox can access. But if Firefox
can access it then so can malware and
since Firefox is open source it would be
trivial to copy the code we used to sign
the preferences. It would only be possible
to do this if we required every Firefox
user to enter a password or some kind of
authentication code whenever we needed to
verify or write preferences. <br>
</div>
</div>
</div>
</div>
</div>
</div>
<span class="">
<pre>_______________________________________________
firefox-dev mailing list
<a moz-do-not-send="true" href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a>
<a moz-do-not-send="true" href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a>
</pre>
</span></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bluefang-Logic Networks:
Scaled for your pleasure.</pre>
</body>
</html>