[Go Faster] Updating and installing new system add-ons

Dave Townsend dtownsend at mozilla.com
Tue Sep 8 16:58:15 UTC 2015


Mostly for my own understanding, I'm happy to do hashing anyway, but how
would this help an attacker? They could MITM the CDN but they'd still have
to deliver an XPI signed by the special AMO signing root which is different
to the one that signs normal add-ons. I guess if you want to assume the
worst case of AMO being compromised...

On Tue, Sep 8, 2015 at 9:54 AM, Ben Hearsum <bhearsum at mozilla.com> wrote:

> This is a good point. If we only had signatures, and served the bits over
> http, someone could perform a downgrade attack by MITMing the CDN that serves
> the bits.
>
> On Tue, Sep 08, 2015 at 12:43:10PM -0400, Mike Connor wrote:
> > Yeah, it's at a minimum backwards compat for updating from older clients.
> >
> > That said, file hashes are a great way of ensuring that we don't get the
> > wrong artifact in transit. It's not necessarily enough to assume that
> > "signed == correct"; unless it's prohibitive, I think checking that it's the
> > correct file is a worthwhile bit of protection.
> >
> > Belt and suspenders FTW.
> >
> > On 8 September 2015 at 12:35, Ben Hearsum <bhearsum at mozilla.com> wrote:
> >
> > > Fine with me as long as the security folks are good with it. Worth noting
> > > that we include both hashes plus mar signatures for Gecko updates, though
> > > that may simply be because we didn't use to have signed mars...
> > >
> > > On Tue, Sep 08, 2015 at 09:27:51AM -0700, Dave Townsend wrote:
> > > > I was making the assumption that since system add-ons will be signed the
> > > > hashes may not be necessary, but that's easy to include if needed.
> > > >
> > > > On Tue, Sep 8, 2015 at 9:22 AM, Ben Hearsum <bhearsum at mozilla.com> wrote:
> > > >
> > > > > We'll need hashes+filesizes here for verification purposes too, but that's
> > > > > just a minor detail.
> > > > >
> > > > > On Tue, Sep 08, 2015 at 09:12:43AM -0700, Dave Townsend wrote:
> > > > > > After discussions with Ben I've updated the section of the client plan on
> > > > > > how we update system add-ons:
> > > > > >
> > > > > > https://wiki.mozilla.org/Firefox/Go_Faster/Client_Implementation_Plan#Discovering_system_add-ons
> > > > > >
> > > > > > It shows the actual server response we will be reading and is essentially
> > > > > > the same update mechanism that GMP uses.
> > > > >
> > > > > > _______________________________________________
> > > > > > Gofaster mailing list
> > > > > > Gofaster at mozilla.org
> > > > > > https://mail.mozilla.org/listinfo/gofaster