On Tue, July 15, 2014 1:11 pm, Tom Ritter wrote:
>  Is having it in by default useful enough to outweigh the risk?
>
>  When the Dual_EC_DRBG news stories were blowing up, it was revealed
>  that you could switch to it by just changing the Windows Registry.
>  It's a Windows-supported backdoor - no malicious code needs to stay
>  running on your system - just flip that bit, and delete yourself.
>  After that, you're all set.
>
>  Similarly, having this feature provided by default seems like it
>  provides a very easy, supported way to extract sensitive key data to
>  the filesystem or some other covert channel - without invalidating
>  package signatures, hashes of libraries or binaries, etc.
>
>  Don't get me wrong, it's invaluable to be able to use it for
>  debugging, but I question the need to have it enabled by default...
>
>  -tom

Either you control your machine, or you do not. Either the OS provides
robust controls, or it does not.

If an attacker has physical access to your machine and can set this, or if
an attacker can control your operating environment such that the
environment variable is set, it's all over. This is no different than
malware hijacking your browser of choice and hooking the API calls - which
we do see for both Firefox and Chrome.

Now, we can talk about grades of attacks, and finer nuances, but for a
debug bit that has to be set client side, it really seems a no-op, and one
which common sense would suggest is not a reasonable threat model.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
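The concern raised in the quoted message (a supported debug switch that writes key material to the filesystem as soon as an environment variable is set, with no modified binaries to detect) is at least something a defender can look for. The shell script below is an added example, not code from this thread or from NSS. It assumes the variable in question is NSS's SSLKEYLOGFILE, which the thread itself does not name, and that /proc/<pid>/environ is readable for the processes being checked (run it as root or as the browser's user). It reports running processes that carry the variable and greps a list of startup files for persistent exports; the sample environment block it uses is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: hunt for a TLS key-logging variable (assumed: NSS's
# SSLKEYLOGFILE) in live process environments and in startup files.
# Assumes Linux /proc; unreadable entries are skipped silently.

# Print "NAME=value" for NAME ($1) from a NUL-separated environ file ($2).
# Exit status 0 if the variable is present, 1 if it is not.
environ_entry() {
    entry=$(tr '\000' '\n' < "$2" | grep "^$1=" | head -n 1)
    [ -n "$entry" ] && printf '%s\n' "$entry"
}

# Print only the value of NAME ($1) from environ file ($2); empty if unset.
environ_value() {
    environ_entry "$1" "$2" | cut -d= -f2-
}

# Walk /proc and print "pid comm value" for every process that has NAME ($1)
# set. Exit status 0 if at least one process matched, 1 otherwise.
scan_proc() {
    found=1
    for f in /proc/[0-9]*/environ; do
        [ -r "$f" ] || continue
        pid=${f#/proc/}; pid=${pid%/environ}
        val=$(environ_value "$1" "$f" 2>/dev/null)
        [ -n "$val" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${comm:-?}" "$val"
        found=0
    done
    return $found
}

# Persistence points: an export in a profile or environment file survives
# reboots with no malware left running. Print "file:line-number:line" for
# every line mentioning NAME ($1) in the files given as the remaining
# arguments. Exit status 0 if anything matched, 1 otherwise.
scan_startup_files() {
    name=$1; shift
    hit=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        out=$(grep -n "$name" "$f" 2>/dev/null) || continue
        printf '%s\n' "$out" | while IFS= read -r line; do
            printf '%s:%s\n' "$f" "$line"
        done
        hit=0
    done
    return $hit
}

# Constructed sample environment block, so the script shows a hit even on a
# host where /proc is not readable for other users' processes.
sample=$(mktemp)
printf 'HOME=/home/user\000SSLKEYLOGFILE=/tmp/keys.log\000PATH=/usr/bin\000' > "$sample"
echo "constructed sample: $(environ_entry SSLKEYLOGFILE "$sample")"
rm -f "$sample"

echo "live processes with SSLKEYLOGFILE set:"
scan_proc SSLKEYLOGFILE || echo "  none found (or /proc not readable)"

echo "startup files mentioning SSLKEYLOGFILE:"
scan_startup_files SSLKEYLOGFILE /etc/environment /etc/profile \
    "$HOME/.profile" "$HOME/.bashrc" "$HOME/.bash_profile" \
    || echo "  none found"
```

Run it as the user whose browser you are worried about (or as root) so the /proc entries are readable; a hit in a startup file is the interesting case, since that is the "flip the bit and delete yourself" persistence the quoted message describes, and package signatures and binary hashes will not flag it.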
