TB, Electrolysis & Quantum
ben.bucksch at beonex.com
Wed Dec 28 22:29:15 UTC 2016
On 28.12.2016 at 23:11, Joshua Cranmer 🐧 wrote:
> cubicle wall: it will stop a few half-hearted passive attacks, but any
> serious code execution attack pretty much has full access to your
> machine anyways.
The multi-process - if implemented right - can place the render process
into a jail with lower privileges, on the OS level. Such an OS level
jail can be a very strong protection.
That means the attacker must not only find a code execution attack in
the render engine, but must at the same time also find another,
unrelated security hole that can surpass this OS level barrier. Such a
hole can be either in the OS implementation, or in the Mozilla
implementation of the communication between renderer (tab content) and
shell (UI). That's why a proper design of the latter is critical.
This isn't theoretical. Google Chrome has less critical holes, for that
very reason. Any exploits always have to find 2 holes at the same time.
It's not impossible, but significantly raises the bar.
Joshua is right that this isn't very relevant for Thunderbird (other
than for web tabs). We're unlikely to use separate processes for each
email, esp. when in combination with a Conversation view where dozens of
different emails might be in the same view.
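As an added illustration of the OS-level jail Ben describes (not code from the thread, and not Mozilla's or Chrome's actual sandbox), here is a Linux-only C sketch: a forked child stands in for the render process, enters seccomp strict mode, and can reach the parent ("shell") only through a pipe, so a code-execution bug inside it still needs a second hole (in the kernel or in that channel) to get anything else done. The names `run_jailed`, `renders` and `escapes` are invented for this example; real sandboxes use BPF filters plus a privileged broker, which is not modelled here.

```c
/* Added illustration of the "OS-level jail" discussed in the thread (Linux only).
 * The forked child stands in for the render process: it enters seccomp strict
 * mode (only read/write/_exit/sigreturn allowed afterwards) and talks to the
 * parent ("shell") only over a pipe. Real sandboxes add BPF filters and a broker. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum jail_result { JAIL_OK = 0, JAIL_KILLED = 1, JAIL_ERROR = -1 };

/* Fork, jail the child, run `work` inside it, and report how the child ended. */
static int run_jailed(void (*work)(int to_shell)) {
    int fds[2], status;
    if (pipe(fds) != 0) return JAIL_ERROR;
    pid_t pid = fork();
    if (pid < 0) return JAIL_ERROR;
    if (pid == 0) {                                    /* child = renderer */
        close(fds[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit, 2);                      /* jail unavailable on this kernel */
        work(fds[1]);
        syscall(SYS_exit, 0);  /* raw exit(2); glibc _exit() uses exit_group, forbidden here */
    }
    close(fds[1]);                                     /* parent = shell */
    char buf[64];
    (void)read(fds[0], buf, sizeof buf);               /* the only channel out of the jail */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return JAIL_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return JAIL_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return JAIL_OK;
    return JAIL_ERROR;
}

/* Honest renderer: only hands its result to the shell over the pipe. */
static void renders(int to_shell) { write(to_shell, "page", 4); }

/* Compromised renderer: a code-execution bug tries to read the disk directly.
 * open() is openat(2) underneath, not on the allow-list, so the kernel SIGKILLs it. */
static void escapes(int to_shell) { (void)to_shell; (void)open("/etc/hostname", O_RDONLY); }

int main(void) {
    printf("honest renderer: %s\n", run_jailed(renders) == JAIL_OK ? "ok" : "failed");
    printf("escape attempt: %s\n", run_jailed(escapes) == JAIL_KILLED ? "killed by jail" : "NOT contained");
    return 0;
}
```

The second line of output shows the point of the thread: the renderer's own bug is contained, and only a flaw in the kernel or in the renderer-to-shell channel would let it out.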