Re: [FD] Mozilla extensions: a security nightmare

From: Reindl Harald <h.reindl@thelounge.net>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: [FD] Mozilla extensions: a security nightmare
Date:




Am 06.08.2015 um 19:03 schrieb Christoph Gruber:
> Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>> that's all fine but
>>
>> * nothing new, independent of lightning
>
> ACK
>
>> * how do you imagine a restricted user install a extension otherwise
>
> Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility to install every shit which comes with a "I am free" or "I am sexy" tag.

the admin-installed extensions would be installed for every user
you can restrict yourself doing so by just only use packed extensions

yum search mozilla | grep -i extension
firefox-esteidpkcs11loader.noarch : Estonian ID card extension for Mozilla
mozilla-adblockplus.noarch : Adblocking extension for Mozilla Firefox,
mozilla-esteid.noarch : Estonian ID card Mozilla extension
mozilla-https-everywhere.noarch : HTTPS/HSTS enforcement extension for 
Mozilla
mozilla-noscript.noarch : JavaScript white list extension for Mozilla 
Firefox
mozvoikko.noarch : Finnish Voikko spell-checker extension for Mozilla 
programs
mozilla-requestpolicy.noarch : Firefox and Seamonkey extension that 
gives you
spice-xpi.x86_64 : SPICE extension for Mozilla
thunderbird-enigmail.x86_64 : Authentication and encryption extension for


>> * and no - he must not do that is not a acceptable solution
>
> Yes it is.
>
>> security and usability are always a tradeoff
>
> Not always, and if, sometimes security has to win.

frankly, a lot of people hate my security-first attitude but in case of 
browser extensions i just don't want run to every machine for every 
extension update and hand out the admin-password is a no-go

>> hence the topic *is* nonsense
>
> No, it is not

well, depending on the extension (noscript) as example there are very 
often updates - you are in danger to train users to always and 
everywhere anter their root-password or skip updates which may be 
security relevant

Mozilla is solving most of the issues by just only install signed 
extensions - let's wait how many people switch to the developer version 
without that restriction because 1 or 2 of their favorite extensions are 
only available directly from the developer







Copyright © 1995-2019 LinuxRocket.net. All rights reserved.