And IMO this in turn means we should not let ourselves get distracted to the point of single-mindedness by the whole issue of SSL certs and what protection they provide (or should provide), but rather also focus on minimizing the possibility that Firefox and other Mozilla-related products will be vectors for getting keystroke loggers and similar programs onto users' systems. This means not only addressing bugs causing vulnerabilities but also securing the "distribution chain" for Firefox-related code, particularly extensions, including whatever role code object signing might play in that.
That would mean distributing signed executables? It would not be such a big deal to distribute the Win32 executable signed by a Verisign/Thawte code signing certificate, as this is the preferred distribution mechanism for this OS.
I would *in addition* include in the download page some reference to the code signing certificate mozilla.org uses saying that for complete security, users should make sure they are not installing software that is signed by another certificate, even when the signature verifies.
Securing extensions would require more work.
There's a bug about signing FF extensions in Bugzilla that was closed WONTFIX. There were some comments by the FF developers that digitally signing ActiveX has not proved effective against spyware.
I agree with that, but I maintain digital signing is still the solution, only with some additional measures; in one word, making sure an *effective* revocation framework is in place.
At the moment, no commercial provider of code signing offers a proper solution for that, so I think this would mean mozilla.org would have to roll out and only accept its own authority for issuing the certificates to sign extensions. As long as the only intended market is Mozilla's intrinsic use, this is not such a big deal, and you could find competence to do that on this group.
We don't need to guarantee then that all extensions signed with those certificates will be proper, only that there is a channel that enables reporting and revoking any certificate that was used in an abusive manner. Commercial CAs are not very good for that, because there's a conflict between doing it and satisfying their clients, the signing certificate buyers. On the contrary, mozilla.org's purpose is to satisfy FF's users; if the CA policy says it has the final say on any decision, there is then no risk someone can successfully abuse signed extensions.
The next step is to make sure the CRL that includes the revocation information gets widely distributed to FF users. There's already a mechanism in FF to check for security updates; it could be expanded to also check/download/install the latest version of that CRL (without user prompts). We could find other distribution channels if needed.
I don't expect this CRL will get large. If signed spyware extensions don't work, attackers will very quickly give up and try something else.
One last thing: I see one weakness in the current signature mechanism for extensions. Only the content of the extension is signed, not the title or description. You could therefore push someone to install a validly signed extension that doesn't do at all what he expects.
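The weakness described in the last point, as an added example that is not part of the original post or of any Mozilla code: a content-only signature still verifies after the package is relabelled, while a signature that binds title and description into the signed payload rejects it. The signing key, the package fields and the use of HMAC-SHA256 as a stand-in for an asymmetric code-signing signature are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signer's key. A real code-signing scheme uses an
# asymmetric key pair; HMAC-SHA256 is used here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"


def sign_content_only(package):
    """Weak scheme: the signature covers only the extension code."""
    return hmac.new(SIGNING_KEY, package["content"], hashlib.sha256).hexdigest()


def sign_with_metadata(package):
    """Hardened scheme: title and description are bound to the content hash."""
    bound = json.dumps(
        {
            "title": package["title"],
            "description": package["description"],
            "content_sha256": hashlib.sha256(package["content"]).hexdigest(),
        },
        sort_keys=True,
    ).encode()
    return hmac.new(SIGNING_KEY, bound, hashlib.sha256).hexdigest()


def verify(package, signature, signer):
    """Recompute the signature over the package as presented and compare."""
    return hmac.compare_digest(signer(package), signature)


def relabel(package, title, description):
    """Repackaging that keeps the signed code but changes what the user sees."""
    return {**package, "title": title, "description": description}


def demo():
    # Constructed sample extension package.
    original = {
        "title": "Tab Sorter",
        "description": "Sorts your tabs alphabetically.",
        "content": b"// constructed extension code\nsortTabs();",
    }
    relabelled = relabel(original, "Ad Blocker", "Blocks all advertisements.")
    return {
        "content_only_still_verifies": verify(relabelled, sign_content_only(original), sign_content_only),
        "metadata_bound_rejects": not verify(relabelled, sign_with_metadata(original), sign_with_metadata),
        "untouched_package_verifies": verify(original, sign_with_metadata(original), sign_with_metadata),
    }
```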
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
