TB, Electrolysis & Quantum

Ben Bucksch ben.bucksch at beonex.com
Wed Dec 28 22:29:15 UTC 2016


On 28.12.2016 at 23:11, Joshua Cranmer 🐧 wrote:
> cubicle wall: it will stop a few half-hearted passive attacks, but any 
> serious code execution attack pretty much has full access to your 
> machine anyways.


The multi-process design - if implemented right - can place the render 
process into a jail with lower privileges, on the OS level. Such an OS 
level jail can be a very strong protection.

That means the attacker must not only find a code execution attack in 
the render engine, but must at the same time also find another, 
unrelated security hole that can surpass this OS level barrier. Such a 
hole can be either in the OS implementation, or in the Mozilla 
implementation of the communication between renderer (tab content) and 
shell (UI). That's why a proper design of the latter is critical.

This isn't theoretical. Google Chrome has less critical holes, for that 
very reason. Any exploits always have to find 2 holes at the same time. 
It's not impossible, but significantly raises the bar.

Joshua is right that this isn't very relevant for Thunderbird (other 
than for web tabs). We're unlikely to use separate processes for each 
email, esp. when in combination with a Conversation view where dozens of 
different emails might be in the same view.

Ben
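The point about the renderer/shell channel being the second barrier can be made concrete with a small broker. The code below is an added illustration written for this archive page, not Mozilla or Thunderbird code: a privileged "shell" side that accepts only an allow-listed set of JSON requests from the untrusted "renderer" side, type-checks every field, bounds message size, and resolves symlinks and `..` before deciding whether an attachment path stays inside the attachment directory. The message format, the request names (`read_attachment`, `set_title`) and the sample messages are all constructed assumptions for the example.

```python
"""Broker-side validation of renderer -> shell IPC messages.

Added example, not Thunderbird/Mozilla code.  The message format and the
request names are assumptions chosen for illustration.  The idea it shows:
once the renderer sits in an OS-level jail, the only thing it can still
reach is this channel, so the channel must treat every message as hostile.
"""
import json
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BrokerResult:
    ok: bool
    detail: str


class Broker:
    MAX_MESSAGE_BYTES = 4096          # bound parsing work before parsing
    MAX_NAME_LEN = 255
    MAX_TITLE_LEN = 200
    # Allow-list: the only request types the untrusted renderer may make.
    ALLOWED_TYPES = {"read_attachment", "set_title"}

    def __init__(self, attachment_root: Path):
        # Resolve once so containment checks compare canonical paths.
        self.attachment_root = attachment_root.resolve()

    def handle(self, raw: bytes) -> BrokerResult:
        """Validate one raw message from the renderer and dispatch it."""
        if len(raw) > self.MAX_MESSAGE_BYTES:
            return BrokerResult(False, "message too large")
        try:
            msg = json.loads(raw)        # UnicodeDecodeError is a ValueError
        except ValueError:
            return BrokerResult(False, "malformed JSON")
        if not isinstance(msg, dict) or not isinstance(msg.get("type"), str):
            return BrokerResult(False, "missing or non-string type")
        mtype = msg["type"]
        if mtype not in self.ALLOWED_TYPES:
            return BrokerResult(False, f"unknown request type {mtype!r}")
        return getattr(self, "_do_" + mtype)(msg)

    def _do_set_title(self, msg: dict) -> BrokerResult:
        title = msg.get("title")
        if (not isinstance(title, str) or len(title) > self.MAX_TITLE_LEN
                or any(ord(c) < 32 for c in title)):
            return BrokerResult(False, "invalid title")
        return BrokerResult(True, f"title={title}")

    def _do_read_attachment(self, msg: dict) -> BrokerResult:
        name = msg.get("name")
        if not isinstance(name, str) or not name or len(name) > self.MAX_NAME_LEN:
            return BrokerResult(False, "invalid attachment name")
        # Canonicalise (follows symlinks, collapses '..') BEFORE the
        # containment check; an absolute name simply replaces the root here
        # and is caught by the same check.
        target = (self.attachment_root / name).resolve()
        if self.attachment_root not in target.parents:
            return BrokerResult(False, "path escapes attachment directory")
        if not target.is_file():
            return BrokerResult(False, "no such attachment")
        with open(target, "rb") as f:
            return BrokerResult(True, f.read(64).decode("utf-8", "replace"))


def demo() -> dict:
    """Run constructed sample messages through the broker; returns results."""
    root = Path(tempfile.mkdtemp())
    (root / "report.txt").write_bytes(b"quarterly numbers")
    outside = Path(tempfile.mkdtemp()) / "secret.txt"   # outside the jail root
    outside.write_bytes(b"not for the renderer")
    os.symlink(outside, root / "link.txt")               # symlink pointing out
    broker = Broker(root)
    # Constructed sample messages, as an untrusted renderer might send them.
    messages = {
        "good": b'{"type": "read_attachment", "name": "report.txt"}',
        "traversal": b'{"type": "read_attachment", "name": "../../etc/hostname"}',
        "symlink": b'{"type": "read_attachment", "name": "link.txt"}',
        "unknown": b'{"type": "spawn_helper", "args": ["x"]}',
        "garbage": b"\x00\xff{",
        "title": b'{"type": "set_title", "title": "Inbox (3)"}',
    }
    return {key: broker.handle(raw) for key, raw in messages.items()}


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key:10s} ok={result.ok!s:5s} {result.detail}")
```

The containment check is done on the resolved path rather than on the string the renderer sent, which is what makes the symlink and `..` cases fail closed; a renderer that has been fully compromised can still only ask for things this allow-list already permits.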


