lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 1 Mar 2006 20:28:59 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Evil side of Firefox extensions


azurIt wrote:

>  But everything has an other side..

  Same goes for any other executable.  This isn't news and it isn't unique
to firefox.  If you download and install programs, or extensions, or
plugins, or active x objects, or any other kind of executable code, it can
be malicious.  Why aren't you issuing a report about a vulnerability in
cmd.exe?

> connection and send data through it to the internet. The worst of all
> is that _anyone_, who has physical access to your computer, can
> install extensions into your browser _without_ your notification.

  No, that's not the worst of all.  Anyone who has physical access to your
computer can do ANYTHING they want to it.  " If a bad guy has unrestricted
physical access to your computer, it's not your computer anymore."

> Solution
> --------
> I think that the solution for this should be in the ability of
> locking the installation of extensions with a password. Every user
> will be able to read hash of the password (so the browser can verify
> it) and only system administrator will be allowed to change it (it
> can be stored for example in registers [Windows] or somewhere in /etc
> dir [Linux]).

  Should it also prevent your bookmarks being changed, or your proxy
settings?  Should Windows not let you install software without a password?
Should everything on your computer be read-only?

  It's unfair to blame Firefox for this problem that is inherent to and 
generic across every single computer, operating system and application in 
the entire world, and trying to tackle just one particular instance of the 
problem in one particular feature of one particular browser is a) 
ineffective and b) missing the point.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ