[Go Faster] Updating and installing new system add-ons

Mike Connor mconnor at mozilla.com
Tue Sep 8 17:03:09 UTC 2015


Nothing so grand, just serving an older version with known vulnerabilities
would suffice.
On Sep 8, 2015 12:58 PM, "Dave Townsend" <dtownsend at mozilla.com> wrote:

> Mostly for my own understanding, I'm happy to do hashing anyway, but how
> would this help an attacker? They could MITM the CDN but they'd still have
> to deliver an XPI signed by the special AMO signing root which is different
> to the one that signs normal add-ons. I guess if you want to assume the
> worst case of AMO being compromised...
>
> On Tue, Sep 8, 2015 at 9:54 AM, Ben Hearsum <bhearsum at mozilla.com> wrote:
>
>> This is a good point. If we only had signatures, and served the bits over
>> http, someone could perform a downgrade attack by MITM the CDN that serves
>> the bits.
>>
>> On Tue, Sep 08, 2015 at 12:43:10PM -0400, Mike Connor wrote:
>> > Yeah, it's at a minimum backwards compat for updating from older
>> > clients.
>> >
>> > That said, file hashes are a great way of ensuring that we don't get the
>> > wrong artifact in transit. It's not necessarily enough to assume that
>> > "signed == correct"; unless it's prohibitive, I think checking that it's
>> > the correct file is a worthwhile bit of protection.
>> >
>> > Belt and suspenders FTW.
>> >
>> > On 8 September 2015 at 12:35, Ben Hearsum <bhearsum at mozilla.com> wrote:
>> >
>> > > Fine with me as long as the security folks are good with it. Worth
>> > > noting that we include both hashes plus mar signatures for Gecko
>> > > updates, though that may simply be because we didn't use to have
>> > > signed mars...
>> > >
>> > > On Tue, Sep 08, 2015 at 09:27:51AM -0700, Dave Townsend wrote:
>> > > > I was making the assumption that since system add-ons will be
>> > > > signed the hashes may not be necessary, but that's easy to include
>> > > > if needed.
>> > > >
>> > > > On Tue, Sep 8, 2015 at 9:22 AM, Ben Hearsum <bhearsum at mozilla.com> wrote:
>> > > >
>> > > > > We'll need hashes+filesizes here for verification purposes too,
>> > > > > but that's just a minor detail.
>> > > > >
>> > > > > On Tue, Sep 08, 2015 at 09:12:43AM -0700, Dave Townsend wrote:
>> > > > > > After discussions with Ben I've updated the section of the
>> > > > > > client plan on how we update system add-ons:
>> > > > > >
>> > > > > > https://wiki.mozilla.org/Firefox/Go_Faster/Client_Implementation_Plan#Discovering_system_add-ons
>> > > > > >
>> > > > > > It shows the actual server response we will be reading and is
>> > > > > > essentially the same update mechanism that GMP uses.
>> > > > >
>> > > > > > _______________________________________________
>> > > > > > Gofaster mailing list
>> > > > > > Gofaster at mozilla.org
>> > > > > > https://mail.mozilla.org/listinfo/gofaster
>
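
The downgrade case discussed in this thread, as an added example that is not part of the original messages or of Mozilla's code: a signature check alone accepts any artifact the signing root ever signed, while the hash and file size from the update response pin the exact file. Assumptions: an HMAC stands in for the XPI signature so the block runs offline, the update response is fetched over an authenticated channel, and the field names `hashFunction`, `hashValue` and `size` are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for the signing root (assumption: HMAC replaces the
# real XPI signature verification so this runs offline).
SIGNING_KEY = b"constructed-demo-signing-key"
ALLOWED_HASHES = {"sha256", "sha512"}  # never let the response pick a weak hash


def sign(xpi: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, xpi, hashlib.sha256).digest()


def signature_ok(xpi: bytes, sig: bytes) -> bool:
    """Answers "did our root sign this?", not "is this the file we asked for?"."""
    return hmac.compare_digest(sign(xpi), sig)


def matches_manifest(xpi: bytes, entry: dict) -> bool:
    """True only if the bytes are exactly the artifact the update response named."""
    if entry["hashFunction"] not in ALLOWED_HASHES:
        return False
    if len(xpi) != entry["size"]:  # cheap check before hashing
        return False
    digest = hashlib.new(entry["hashFunction"], xpi).hexdigest()
    return hmac.compare_digest(digest, entry["hashValue"])


def accept_update(xpi: bytes, sig: bytes, entry: dict) -> bool:
    # Both checks: the signature proves origin, the hash and size prove identity.
    return signature_ok(xpi, sig) and matches_manifest(xpi, entry)


# Constructed sample artifacts: both were legitimately signed when released.
OLD_XPI = b"system-addon 1.0 (older build with a known vulnerability)"
NEW_XPI = b"system-addon 2.0 (current build)"
OLD_SIG, NEW_SIG = sign(OLD_XPI), sign(NEW_XPI)

# Hypothetical update-response entry describing the current build.
MANIFEST_ENTRY = {
    "hashFunction": "sha256",
    "hashValue": hashlib.sha256(NEW_XPI).hexdigest(),
    "size": len(NEW_XPI),
}

if __name__ == "__main__":
    print("old build, signature only:", signature_ok(OLD_XPI, OLD_SIG))
    print("old build, signature + hash/size:", accept_update(OLD_XPI, OLD_SIG, MANIFEST_ENTRY))
    print("new build, signature + hash/size:", accept_update(NEW_XPI, NEW_SIG, MANIFEST_ENTRY))
```
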