Gervase Markham wrote:
> Nils Maier wrote:
>>> But compromised mirrors are by far the most common way that things are
>>> trojaned.
>>>
>>> http://www.internetnews.com/dev-news/article.php/1438341
>>> http://wordpress.org/development/2007/03/upgrade-212/
>>> http://www.afterdawn.com/news/archive/6001.cfm
>>> http://www.daemon-tools.cc/dtcc/archive/update-download-com-issue-t5334.html
>>>
>> No, actually compromised mirrors are more common and compromised
>> "download information" pages (at the moment of course).
>
> That sentence isn't grammatical, and it could mean either of two
> opposite things. Could you restate your point? Thanks :-)
>
> If you are saying that compromised download information pages are more
> common, can you give some examples?
>
> I agree that Link Fingerprints is less useful in that case - although
> often the URL goes out in a release announcement email as well. It only
> takes one person to use a fingerprinted URL to raise the alarm. That's
> why universal client support isn't necessary to get a lot of the
> protection.

Please ignore the referred sentence; it doesn't make any sense to me either, now that I read it again. ;)
What I really wanted to say is that there isn't any real data on what is in fact more common.
Of the 4 example "news" items you gave, the first two were about compromised mirrors, whereas the other two were about whole mirroring systems, including info pages, being trojaned (see below).

>> Actually the DC++ and daemon tools examples you gave are flawed.
>
> The Daemon Tools one is fine. If the DT website had been linking to
> download.com with a link fingerprint, the problem would have been spotted.

No, because the DT site cannot hotlink download.com stuff. So either the download info page d.com provides uses LF or there won't be any. And since a bad package was up on d.com, LF or not wouldn't have made a difference security-wise anyway.

Same goes for AMO. You cannot hotlink xpi's from there, because that will raise the "trusted install locations blahblah" warning which users often simply cannot figure out. So you link to the download info page on AMO. AMO will then provide you with a LF-enabled link, hashed from the trojaned file of course, since that's the only file AMO knows. Until you (the extension dev) figure out there is a compromised package, there are likely several hundred if not thousands of copies pushed out, although solely FX with LF "protection" was used.
Actually that is a problem of current AMO/extension checksum mechanisms as well. And signed XPIs, the only way to add authentication to packages, are pretty rare.

Most of the major commercial mirrors don't allow you to hotlink because they need the ad impressions to keep their revenue stream up. And universities and other "non-profit" mirror services usually will mirror your stuff only when you're popular open source.

>> It
>> wasn't just mirrors compromised. Somebody managed to submit trojaned
>> packages to these sites. A good analogy would be: Somebody managed to
>> submit a trojaned popular extension to amo, which then pushed it out to
>> all its mirrors and provided link-fingerprints (of the trojaned package
>> of course) via the download/install links.
>> Oops. But at least the download wasn't corrupt.
>
> Right. So in this case, Link Fingerprints doesn't help. And it doesn't
> solve world hunger either.

What does solve this problem? Identity/Authentication/Authorization and a system of trust. Like digital signatures provide when used correctly. See RPM, DEB and signed XPIs, where the latter lacks the system of trust ATM. But this is out of the scope of LF for now.

>> But that's not the point. Giving a warning and options how to handle the
>> errors will make people aware, too. Security researchers do not need to
>> pull out IE just to download and analyze such a trojaned package.
>
> They can install the extension you are going to write to add an
> override. Security researchers are not Firefox's primary audience.

But they are audience; and power users are audience as well. And that was just a minor example and not the only reason for choices.

>>> But if it's trojaned, it's not "his data". It's someone else's evil
>>> data.
>>
>> Still his copy of said data. And still his choice what to do with it. He
>> has been warned.
>
> What would an ordinary user possibly want to do with a trojaned
> executable apart from delete it? Even giving them the option to do
> something else is dangerous. They select it to delete it but
> accidentally double-click instead of single-click and Boom!

I don't know. But OTOH it is not up to you or me to tell the user what to do with it. None of our business ;)

>>> No, I mean that the person providing the link should not use link
>>> fingerprints on it, unless they want you to have that exact version.
>>
>> And people should not do IE-only websites and stick to standards.
>> People will mess up, sooner or later, even if they have good intentions.
>
> Right. And if they do, they fix the problem. If they use an out of date
> SSL certificate, or one with a mismatched hostname, they've messed up -
> but Firefox is going to prevent access to the site anyway.

I can access hosts with mismatched hostnames just fine (click-click). And, to repeat myself, changing that will cause a lot of trouble. E.g. it will prevent me from accessing parts of the website of my university. OK, the university webmasters messed up, but eventually it would be Firefox making me switch to another browser to access that website.
Same with LF. If Firefox does not let me download because the webmaster messed up, I will likely curse FX, maybe curse the webmaster as well, and switch to another browser which works like it should from my POV.

>> There was kinda an uproar when Firefox didn't download the Vista Beta
>> images, because there was a bug when handling large files in append mode
>> on Win. Pretty limited user base, but still people were pissed.
>
> That's a _bug_. It's entirely different.

No it is not. It is about user perception. If a user thinks something doesn't work, he will not care if it is because of a bug, per design or completely intentional. All he says is that it doesn't work. And will curse the software in the first place, because that is what's at hand.

>> Seriously, you cannot know this. And the FX user base is generally more
>> "sophisticated" than the general public, or at least knows a tech-buddy
>> they may consult. Proof: Somebody installed Firefox.
>
> We have 100 million users or more. "Able to install software" is miles
> and miles away from "Uses archive-repair tools on a regular basis".

And able to download and install software is miles and miles away from writing a Word document. So what was your point again? Doesn't change the validity of my statement.

>> And providing *all* people, the ordinary and the geeks, with some
>> choice seems to hurt that badly.
>
> Yes.
>
> http://weblogs.mozillazine.org/gerv/archives/2007/06/choice_considered_harmful.html

Seems your readers do not fully agree with you. I'm a subscriber to Joel's blog myself, btw. ;) Still you're missing the point with this blogpost.

>> In the other thread you claimed that FX already makes a lot of choices,
>> but I fail to see many of them.
>
> Listing choices the user *can* make says nothing about the ones they
> can't. You can't see those, because you don't have to make them!
>
>> You may browse phishing sites (Ignore option), you may browse sites with
>> self-signed certificates which are meant for another host,
>
> Not soon.

Big mistake IMO. But I stated that already multiple times.

>>> So Firefox protected you, you bypassed the protection, and got stuffed.
>>> Firefox did its job.
>>
>> Yep, my fault.
>> It is my fault if I used another browser to download, but it is still my
>> fault if I decide to ignore that warning message that would be displayed
>> when FX asked me what to do with the download.
>
> But in that case, it's a tragedy we can prevent. In the case where you
> choose to use another application, it's not.
>
> I agree that the error message needs to be informative enough that you
> don't just go off and use another client.
>
> Gerv

D'oh. A user will likely try to download that file using another tool. So FX prevented nothing, but made the user angry. And if he doesn't try another tool he is still angry. Great outcome.

Nils

PS: I still insist on not claiming LF has something to do with security. They're solely about noticing possible data corruption during transfers.

_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
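The two scenarios argued over in the message above (a mirror substituting a file that the info page has fingerprinted honestly, versus a package that is already trojaned at the source so the info page fingerprints the trojaned file) can be reproduced with a few lines of hashing. The following is an added example, not code from the thread or from any Mozilla project; it assumes a fragment syntax of the form "#!<algorithm>!<hexdigest>" for the fingerprint, and the package bytes and host names are constructed for illustration.

```python
import hashlib
import re

# Assumed Link Fingerprints fragment syntax: "#!<algo>!<hexdigest>". The thread
# does not reproduce the syntax, so this is an assumption for the example.
FINGERPRINT_RE = re.compile(r"^!(?P<algo>[a-z0-9]+)!(?P<digest>[0-9a-fA-F]+)$")


def parse_fingerprint(url):
    """Split a URL into (download_url, algo, hexdigest).

    Returns (url, None, None) when the URL carries no fingerprint, including
    when the fragment is an ordinary anchor such as "#section2".
    """
    base, sep, fragment = url.partition("#")
    if not sep:
        return url, None, None
    m = FINGERPRINT_RE.match(fragment)
    if m is None:
        return url, None, None
    return base, m.group("algo"), m.group("digest").lower()


def verify_download(url, data):
    """Client-side check: does the received data match the fingerprint in the URL?

    'mismatch' covers both transfer corruption and a mirror serving a different
    file. 'ok' only says the bytes equal what the link publisher hashed; it says
    nothing about whether that publisher hashed a clean package.
    """
    _, algo, expected = parse_fingerprint(url)
    if algo is None:
        return "unfingerprinted"
    try:
        h = hashlib.new(algo)
    except ValueError:
        return "unknown-algorithm"
    h.update(data)
    return "ok" if h.hexdigest() == expected else "mismatch"


def fingerprint_url(base_url, data, algo="sha256"):
    """What an info page or release announcement does: publish a link carrying
    the hash of whatever file it currently has."""
    return f"{base_url}#!{algo}!{hashlib.new(algo, data).hexdigest()}"


# Constructed sample payloads standing in for a clean and a tampered package.
GENUINE = b"constructed-extension-package-v1.0"
TROJANED = b"constructed-extension-package-v1.0 with an extra payload"


def scenario_compromised_mirror():
    """Info page is honest (hashes the genuine file); the mirror serves a
    substituted file. Link Fingerprints catch this."""
    url = fingerprint_url("http://mirror.example/ext.xpi", GENUINE)
    return verify_download(url, TROJANED)


def scenario_trojaned_at_source():
    """The package was replaced upstream, so the info page only ever saw the
    trojaned file and fingerprints it. The hash matches and the client is
    none the wiser: a hash is integrity, not authentication."""
    url = fingerprint_url("http://mirror.example/ext.xpi", TROJANED)
    return verify_download(url, TROJANED)


if __name__ == "__main__":
    print("compromised mirror :", scenario_compromised_mirror())
    print("trojaned at source :", scenario_trojaned_at_source())
```

Running it shows a "mismatch" for the mirror case and an "ok" for the upstream case, which is exactly the distinction the message draws: a fingerprint detects corruption or substitution between publisher and client, while detecting a package that was wrong before the publisher hashed it needs a signature from a key the publisher controls and the client already trusts.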
