I've updated the wiki page with the information presented in e-mails today:
- definition of app instance / version
- link to B2G/App security model feature page
- benefits of mirroring Debian package management system
- link to Jim's permission manager bug
- complications of using SSL as authentication mechanism
- open question about what to sign

See https://wiki.mozilla.org/Apps/Security

David Chan

----- Original Message -----
> From: "Lucas Adamski" <[email protected]>
> To: "Fabrice Desré" <[email protected]>
> Cc: [email protected], "David Barrera" <[email protected]>, [email protected], "Jim Straus" <[email protected]>, "lkcl luke" <[email protected]>, "Mozilla B2G mailing list" <[email protected]>, "ptheriault" <[email protected]>, [email protected], "Jonas Sicking" <[email protected]>
> Sent: Wednesday, March 14, 2012 3:37:20 PM
> Subject: Re: [b2g] OpenWebApps/B2G Security model
>
> At this point I'm just raising possibilities. If we go with something close to option b), then we have to figure out how to deal with a set of threats not really present in other app stores. It doesn't preclude us from doing so, but we might for example have to require a relatively strict CSP policy for apps to reduce the risk of MITM attacks for example, or CA pinning.
>
> I don't know of any way to mitigate the risk of server compromise without code signing, though. Short of having a two-tier system (more privilege for "installed" apps, less for "remote" apps), but I'd really like to avoid that.
> Lucas.
>
> On 3/14/2012 2:50 PM, Fabrice Desré wrote:
> > Lucas,
> >
> > Are you considering signing the html/js/css/other-content from apps?
> >
> > I can understand the nice properties that would give us, but that looks extremely impractical in real life. Web sites change all the time, which is not the case of native apps distributed from a store.
> >
> > Fabrice
> >
> > On 03/14/2012 02:35 PM, Lucas Adamski wrote:
> >> My understanding is that there will be multiple app stores. But code signing has another benefit: reducing systemic risk.
> >>
> >> This assumes code signing and sane key management, but let's say there's a very popular app with significant privileges.
> >> To compromise a large number of people, you'd need to:
> >> a) compromise the site hosting the app
> >> b) compromise the key signing the app (assuming you require app updates to be signed with the same key)
> >> c) compromise or trigger the update mechanism for the app
> >> d) wait for updates to trickle out
> >>
> >> This is a tedious process that slows down exploitation, and that's no fun.
> >>
> >> If app authentication relies only on SSL, then you just need to pop a web server (which isn't hard, really). Everyone using the app gets owned simultaneously.
> >> Lucas.
> >
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
>
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
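The "updates signed with the same key" assumption in Lucas's list, as an added example in Go (not B2G code or anything from the thread): the device pins the key that signed the installed package and refuses updates signed with any other key, so a compromised host serving new content is not enough on its own. The types, function names and package format are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Installed is the device's install record: the key that signed the first package (constructed).
type Installed struct {
	Name      string
	PinnedKey ed25519.PublicKey
}
// Package is a signed app bundle as the hosting site serves it (constructed format).
type Package struct {
	Contents []byte
	PubKey   ed25519.PublicKey
	Sig      []byte
}

// SignPackage is the publisher-side step: sign the bundle with the app key.
func SignPackage(priv ed25519.PrivateKey, contents []byte) Package {
	return Package{contents, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, contents)}
}
// Install verifies the first package and pins the key that signed it.
func Install(name string, pkg Package) (Installed, error) {
	if !ed25519.Verify(pkg.PubKey, pkg.Contents, pkg.Sig) {
		return Installed{}, errors.New("bad signature on initial package")
	}
	return Installed{name, pkg.PubKey}, nil
}
// VerifyUpdate accepts an update only if its signature is valid AND it was made
// with the pinned key: a popped host (a) plus the update channel (c) is not
// enough on its own, the attacker also needs the signing key (b).
func VerifyUpdate(app Installed, upd Package) error {
	if !ed25519.Verify(upd.PubKey, upd.Contents, upd.Sig) {
		return errors.New("bad signature")
	}
	if !upd.PubKey.Equal(app.PinnedKey) {
		return errors.New("update signed with a key other than the installed app's")
	}
	return nil
}
func main() {
	_, appKey, _ := ed25519.GenerateKey(rand.Reader)   // publisher's signing key
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader) // key a popped host could sign with
	app, _ := Install("popular-app", SignPackage(appKey, []byte("v1")))
	fmt.Println(VerifyUpdate(app, SignPackage(appKey, []byte("v2"))), "|", VerifyUpdate(app, SignPackage(rogueKey, []byte("v2"))))
}
```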
