Re: Dan Stillman's concerns about Extension Signing

2015-12-14 Thread Gervase Markham
On 27/11/15 15:50, Gavin Sharp wrote: > No, that's not right. There's an important distinction between > "finding malicious JS code" and "finding _all_ malicious JS code". The > latter is impossible, but the former isn't. > > Proving "the validator won't catch everything" isn't particularly >

Re: Dan Stillman's concerns about Extension Signing

2015-12-03 Thread Jorge Villalobos
On 11/30/15 1:53 PM, Ehsan Akhgari wrote: > On 2015-11-30 10:29 AM, David Rajchenbach-Teller wrote: >> Could we perhaps organize a MozLando workshop to discuss add-ons >> security? > > I think you need to reach out to the add-ons team. I was not involved > in any of the design process; I just

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gijs Kruitbosch
On 29/11/2015 02:56, Dan Stillman wrote: You can block known malware signatures with the scanner if you think that's a good use of time. But that doesn't require blocking valid APIs and patterns that have legitimate uses. That's what we're discussing here. AV software doesn't result in long

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gavin Sharp
That's one of the suggestions Dan Stillman makes in his post, and it seems like a fine idea to me. Gavin On Mon, Nov 30, 2015 at 11:15 AM, Jonathan Kew wrote: > On 30/11/15 15:45, Gavin Sharp wrote: >>> >>> and it's definitely the wrong thing to do. >> >> >> Fundamentally

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Thomas Zimmermann
Hi Am 27.11.2015 um 16:50 schrieb Gavin Sharp: > On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham wrote: >> But the thing is, members of our security group are now piling into the >> bug pointing out that trying to find malicious JS code by static code >> review is literally

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gavin Sharp
It looks to me like you're arguing about a separate point (AMO review requirements for add-on updates), when the subject at hand is the add-on signing system's reliance on the AMO validator as the only prerequisite for automatic signing. Gavin On Mon, Nov 30, 2015 at 10:30 AM, Thomas Zimmermann

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gavin Sharp
> and it's definitely the wrong thing to do. Fundamentally the add-on signing system was designed with an important trade-off in mind: security (ensuring no malicious add-ons are installed/executed) vs. maintaining a healthy add-on ecosystem (ensuring that building and distributing add-ons is as

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Jonathan Kew
On 30/11/15 15:45, Gavin Sharp wrote: and it's definitely the wrong thing to do. Fundamentally the add-on signing system was designed with an important trade-off in mind: security (ensuring no malicious add-ons are installed/executed) vs. maintaining a healthy add-on ecosystem (ensuring that

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread David Rajchenbach-Teller
Could we perhaps organize a MozLando workshop to discuss add-ons security? ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Thomas Zimmermann
Hi Am 30.11.2015 um 16:40 schrieb Gavin Sharp: > It looks to me like you're arguing about a separate point (AMO review > requirements for add-on updates), when the subject at hand is the add-on > signing system's reliance on the AMO validator as the only prerequisite for > automatic signing. OK.

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Bobby Holley
(Gingerly wading into this thread and hoping not to get sucked in) Given the fundamental limits of static analysis, dynamic analysis might be a better approach. I think we can do a reasonable job (with the help of interpositions) of monitoring the various escape points at which addon code might

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Ehsan Akhgari
On 2015-11-30 10:29 AM, David Rajchenbach-Teller wrote: Could we perhaps organize a MozLando workshop to discuss add-ons security? I think you need to reach out to the add-ons team. I was not involved in any of the design process; I just happened to note the same issues as Dan noticed after

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread emiliano . heyns
On Monday, November 30, 2015 at 8:57:42 PM UTC+1, Dan Stillman wrote: > On 11/30/15 6:24 AM, Gijs Kruitbosch wrote: > > This seems like something we should be able to get data about. (I do > > not have such data.) Have you asked anyone? > > If it's only Zotero that's affected by this, then we

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Dan Stillman
Just to give some context here, we've been asking for a "trusted author" whitelist for three months. Gijs even helpfully proposed specific rules. The reason things came to this point is that it was still being argued as of last week that the whitelist was inherently more dangerous by allowing

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gijs Kruitbosch
We have data on pre-signing add-ons that we consider malware, but we have no way of knowing (structurally, besides incidental reports on bugzilla with the malware uploaded) the contents of the XPIs in question and/or whether they would have passed the validator - they wouldn't go through the

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Gijs Kruitbosch
On 28/11/2015 19:42, Dan Stillman wrote: On 11/28/15 5:06 AM, Gijs Kruitbosch wrote: On 27/11/2015 23:46, dstill...@zotero.org wrote: The issue here is that this new system -- specifically, an automated scanner sending extensions to manual review -- has been defended by Jorge's saying, from

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Ehsan Akhgari
On 2015-11-28 2:06 AM, Gavin Sharp wrote: The assumption that the validator must catch all malicious code for add-on signing to be beneficial is incorrect, and seems to be what's fueling most of this thread. It would be really helpful if we can get past defending the add-on validator; the

Re: Dan Stillman's concerns about Extension Signing

2015-11-30 Thread Ehsan Akhgari
On 2015-11-28 8:28 PM, Mike Hoye wrote: On 2015-11-28 2:40 PM, Eric Rescorla wrote: How odd that your e-mail was in response to mine, then. Thanks, super helpful, really moved the discussion forward, high five. To Ehsan's point that "malicious code here might look like this:

Re: Dan Stillman's concerns about Extension Signing

2015-11-29 Thread Jonas Sicking
On Sat, Nov 28, 2015 at 5:28 PM, Mike Hoye wrote: > One key claim Stillman made, that " A system that takes five minutes to > circumvent does not “raise the bar” in any real way", is perhaps true in an > academic sense, but not in a practical one. We know a lot more than we

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Gijs Kruitbosch
On 27/11/2015 23:46, dstill...@zotero.org wrote: The issue here is that this new system -- specifically, an automated scanner sending extensions to manual review -- has been defended by Jorge's saying, from March when I first brought this up until yesterday on the hardening bug [1], that he

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Dan Stillman
On 11/28/15 2:06 AM, Gavin Sharp wrote: The assumption that the validator must catch all malicious code for add-on signing to be beneficial is incorrect, and seems to be what's fueling most of this thread. Validation being a prerequisite for automatic signing is not primarily a security

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Eric Rescorla
On Fri, Nov 27, 2015 at 11:06 PM, Gavin Sharp wrote: > The assumption that the validator must catch all malicious code for add-on > signing to be beneficial is incorrect, and seems to be what's fueling most > of this thread. > I'm not sure how you got that out of my

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Eric Rescorla
On Sat, Nov 28, 2015 at 2:06 AM, Gijs Kruitbosch wrote: > On 27/11/2015 23:46, dstill...@zotero.org wrote: > >> The issue here is that this new system -- specifically, an automated >> scanner sending extensions to manual review -- has been defended by >> Jorge's saying,

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Gavin Sharp
I wasn't suggesting that you had made that incorrect assumption. Gavin On Sat, Nov 28, 2015 at 10:31 AM, Eric Rescorla wrote: > On Fri, Nov 27, 2015 at 11:06 PM, Gavin Sharp > wrote: > >> The assumption that the validator must catch all malicious code for

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Eric Rescorla
On Sat, Nov 28, 2015 at 11:30 AM, Kartikaya Gupta wrote: > So it seems to me that people are actually in general agreement about > what the validator can and cannot do, but have different evaluations > of the cost-benefit tradeoff. > > On the one hand we have the camp (let's

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Eric Rescorla
How odd that your e-mail was in response to mine, then. -Ekr On Sat, Nov 28, 2015 at 11:34 AM, Gavin Sharp wrote: > I wasn't suggesting that you had made that incorrect assumption. > > Gavin > > On Sat, Nov 28, 2015 at 10:31 AM, Eric Rescorla wrote: > >>

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Dan Stillman
On 11/28/15 5:06 AM, Gijs Kruitbosch wrote: On 27/11/2015 23:46, dstill...@zotero.org wrote: The issue here is that this new system -- specifically, an automated scanner sending extensions to manual review -- has been defended by Jorge's saying, from March when I first brought this up until

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Dan Stillman
On 11/28/15 2:30 PM, Kartikaya Gupta wrote: So it seems to me that people are actually in general agreement about what the validator can and cannot do, but have different evaluations of the cost-benefit tradeoff. On the one hand we have the camp (let's say camp A) that believes the validator

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Kartikaya Gupta
So it seems to me that people are actually in general agreement about what the validator can and cannot do, but have different evaluations of the cost-benefit tradeoff. On the one hand we have the camp (let's say camp A) that believes the validator provides negligible actual benefit, because it

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Mike Hoye
On 2015-11-28 2:40 PM, Eric Rescorla wrote: How odd that your e-mail was in response to mine, then. Thanks, super helpful, really moved the discussion forward, high five. To Ehsan's point that "malicious code here might look like this: console.log("success"); [and] It's impossible to tell by

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Eric Rescorla
On Sat, Nov 28, 2015 at 5:28 PM, Mike Hoye wrote: > On 2015-11-28 2:40 PM, Eric Rescorla wrote: > >> How odd that your e-mail was in response to mine, then. >> >> Thanks, super helpful, really moved the discussion forward, high five. Glad I could help. To Ehsan's point

Re: Dan Stillman's concerns about Extension Signing

2015-11-28 Thread Dan Stillman
On 11/28/15 8:28 PM, Mike Hoye wrote: To Ehsan's point that "malicious code here might look like this: console.log("success"); [and] It's impossible to tell by looking at the code whether that line prints a success message on the console, or something entirely different, such as running

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gavin Sharp
On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham wrote: > But the thing is, members of our security group are now piling into the > bug pointing out that trying to find malicious JS code by static code > review is literally _impossible_ (and perhaps hinting that they'd have >

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gervase Markham
On 26/11/15 17:13, Mike Hoye wrote: > Stillman wrote some new code and put it through a process meant to catch > problems in old code, and it passed. That's unfortunate, but does it > really surprise anyone that security is an evolving process? That it > might be full of hard tradeoffs? There

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gijs Kruitbosch
On 27/11/2015 12:16, Gervase Markham wrote: On 26/11/15 17:13, Mike Hoye wrote: Stillman wrote some new code and put it through a process meant to catch problems in old code, and it passed. That's unfortunate, but does it really surprise anyone that security is an evolving process? That it

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gijs Kruitbosch
On 27/11/2015 13:41, Frederik Braun wrote: On 27.11.2015 13:16, Gervase Markham wrote: On 26/11/15 17:13, Mike Hoye wrote: Stillman wrote some new code and put it through a process meant to catch problems in old code, and it passed. That's unfortunate, but does it really surprise anyone that

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Thomas Zimmermann
Hi Am 26.11.2015 um 18:13 schrieb Mike Hoye: > Stillman wrote some new code and put it through a process meant to > catch problems in old code, and it passed. That's unfortunate, but > does it really surprise anyone that security is an evolving process? > That it might be full of hard

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Frederik Braun
On 27.11.2015 13:16, Gervase Markham wrote: > On 26/11/15 17:13, Mike Hoye wrote: >> Stillman wrote some new code and put it through a process meant to catch >> problems in old code, and it passed. That's unfortunate, but does it >> really surprise anyone that security is an evolving process? That

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread dstillman
On Friday, November 27, 2015 at 7:59:37 AM UTC-5, Gijs Kruitbosch wrote: > On 27/11/2015 12:16, Gervase Markham wrote: > > On 26/11/15 17:13, Mike Hoye wrote: > >> Stillman wrote some new code and put it through a process meant to catch > >> problems in old code, and it passed. That's unfortunate,

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Ehsan Akhgari
On 2015-11-27 8:41 AM, Frederik Braun wrote: On 27.11.2015 13:16, Gervase Markham wrote: On 26/11/15 17:13, Mike Hoye wrote: Stillman wrote some new code and put it through a process meant to catch problems in old code, and it passed. That's unfortunate, but does it really surprise anyone that

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Eric Rescorla
On Fri, Nov 27, 2015 at 4:09 PM, Ehsan Akhgari wrote: > On Fri, Nov 27, 2015 at 10:50 AM, Gavin Sharp > wrote: > > > On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham > wrote: > > > But the thing is, members of our security group

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Ehsan Akhgari
On Fri, Nov 27, 2015 at 10:50 AM, Gavin Sharp wrote: > On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham wrote: > > But the thing is, members of our security group are now piling into the > > bug pointing out that trying to find malicious JS code by static

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gavin Sharp
The assumption that the validator must catch all malicious code for add-on signing to be beneficial is incorrect, and seems to be what's fueling most of this thread. Validation being a prerequisite for automatic signing is not primarily a security measure, but rather just a way of eliminating

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Thomas Zimmermann
Am 26.11.2015 um 18:14 schrieb WaltS48: > Perhaps you missed. > > Add-ons/Extension Signing - MozillaWiki - > > > I've noticed a couple new items there about how an extension developer > can get their extension signed if it isn't hosted on

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Thomas Zimmermann
Am 25.11.2015 um 20:16 schrieb Jeff Gilbert: > On Wed, Nov 25, 2015 at 3:16 AM, Till Schneidereit > wrote: >> FWIW, I received questions about this via private email and phone calls >> from two people working on extensions that support their products. Their >>

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Till Schneidereit
On Thu, Nov 26, 2015 at 10:02 AM, Thomas Zimmermann wrote: > Am 25.11.2015 um 20:16 schrieb Jeff Gilbert: > > On Wed, Nov 25, 2015 at 3:16 AM, Till Schneidereit > > wrote: > >> FWIW, I received questions about this via private email and phone

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Thomas Zimmermann
Hi Am 26.11.2015 um 13:56 schrieb Till Schneidereit: > I read the blog post, too, and if that were the final, uncontested word on > the matter, I think I would agree. As it is, this assessment strikes me as > awfully harsh: many people have put a lot of thought and effort into this, > so calling

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Kartikaya Gupta
On Thu, Nov 26, 2015 at 8:50 AM, Thomas Zimmermann wrote: > For anything non-AMO, the user is on > their own. > I don't know if that would fly. As I understand it, a large part of the purpose of extension signing is to protect users from malicious add-ons that get

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread David Burns
Another data point that we seem to have overlooked is that users want to be able to side load their extensions for many different reasons. We see this with apps on phones and with extensions currently. I appreciate that users have grown to be warning blind but, as others have pointed out, this

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Thomas Zimmermann
Hi, I haven't followed the overall discussion closely, but I'm very concerned about this change and that we're driving away extension developers. I hope that some of the relevant people read this thread, as I'd like to propose a different strategy for extension signing. 1) As dburns mentioned in

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Gijs Kruitbosch
On 26/11/2015 16:07, Thomas Zimmermann wrote: Hi, I haven't followed the overall discussion closely, but I'm very concerned about this change and that we're driving away extension developers. I hope that some of the relevant people read this thread, as I'd like to propose a different strategy

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Mike Hoye
On 2015-11-26 11:07 AM, Thomas Zimmermann wrote: I haven't followed the overall discussion closely, but This is not OK. Does anyone here actually think that the team that's been busting their asses over this for months _doesn't_ have better information and more insight into this problem

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread WaltS48
On 11/26/2015 11:07 AM, Thomas Zimmermann wrote: Hi, I haven't followed the overall discussion closely, but I'm very concerned about this change and that we're driving away extension developers. I hope that some of the relevant people read this thread, as I'd like to propose a different

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread David Rajchenbach-Teller
For what it's worth, this thread was not meant to point fingers, but specifically to get an answer from said team. I see concern about Extension Signing, and I see points made by add-on developers and which appear valid to me and which I am unable to answer. That doesn't mean that we have done

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Philip Chee
On 27/11/2015 00:07, Thomas Zimmermann wrote: > I haven't followed the overall discussion closely, but I'm very > concerned about this change and that we're driving away extension > developers. I hope that some of the relevant people read this thread, as > I'd like to propose a different strategy

Re: Dan Stillman's concerns about Extension Signing

2015-11-26 Thread Jorge Villalobos
On 11/26/15 11:51 AM, David Rajchenbach-Teller wrote: > For what it's worth, this thread was not meant to point fingers, but > specifically to get an answer from said team. I see concern about > Extension Signing, and I see points made by add-on developers and which > appear valid to me and which

Re: Dan Stillman's concerns about Extension Signing

2015-11-25 Thread Chris Peterson
On 11/25/15 11:16 AM, Jeff Gilbert wrote: I doubt anyone is going to switch to Firefox because our extension signing is safe. (though I do think we should have some form of signing) But they will gladly switch away when anything breaks, particularly when we reduce the activation energy needed to

Re: Dan Stillman's concerns about Extension Signing

2015-11-25 Thread Jeff Gilbert
On Wed, Nov 25, 2015 at 3:16 AM, Till Schneidereit wrote: > FWIW, I received questions about this via private email and phone calls > from two people working on extensions that support their products. Their > extensions sit in the review queue with no chance of getting

Dan Stillman's concerns about Extension Signing

2015-11-25 Thread David Rajchenbach-Teller
I admit I have followed extension signing/scanning only very remotely, but Dan Stillman has a number of good points: http://danstillman.com/2015/11/23/firefox-extension-scanning-is-security-theater Could someone who's actually involved in this feature provide an answer? Cheers, David

Re: Dan Stillman's concerns about Extension Signing

2015-11-25 Thread Mike Hommey
On Wed, Nov 25, 2015 at 10:14:09AM +0100, David Rajchenbach-Teller wrote: > I admit I have followed extension signing/scanning only very remotely, > but Dan Stillman has a number of good points: > > http://danstillman.com/2015/11/23/firefox-extension-scanning-is-security-theater > > Could

Re: Dan Stillman's concerns about Extension Signing

2015-11-25 Thread David Rajchenbach-Teller
And didn't receive any reply, afaict. On 25/11/15 10:30, Mike Hommey wrote: > On Wed, Nov 25, 2015 at 10:14:09AM +0100, David Rajchenbach-Teller wrote: >> I admit I have followed extension signing/scanning only very remotely, >> but Dan Stillman has a number of good points: >> >>

Re: Dan Stillman's concerns about Extension Signing

2015-11-25 Thread Till Schneidereit
FWIW, I received questions about this via private email and phone calls from two people working on extensions that support their products. Their extensions sit in the review queue with no chance of getting through it before the signing requirement kicks in. This puts them into a situation where