lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Aug 2015 19:28:26 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: bugtraq@...urityfocus.com
Subject: Re: [FD] Mozilla extensions: a security nightmare



Am 06.08.2015 um 19:03 schrieb Christoph Gruber:
> Reindl Harald <h.reindl@...lounge.net> wrote:
>>
>> that's all fine but
>>
>> * nothing new, independent of lightning
>
> ACK
>
>> * how do you imagine a restricted user install a extension otherwise
>
> Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility to install every shit which comes with a "I am free" or "I am sexy" tag.

the admin-installed extensions would be installed for every user
you can restrict yourself doing so by just only use packed extensions

yum search mozilla | grep -i extension
firefox-esteidpkcs11loader.noarch : Estonian ID card extension for Mozilla
mozilla-adblockplus.noarch : Adblocking extension for Mozilla Firefox,
mozilla-esteid.noarch : Estonian ID card Mozilla extension
mozilla-https-everywhere.noarch : HTTPS/HSTS enforcement extension for 
Mozilla
mozilla-noscript.noarch : JavaScript white list extension for Mozilla 
Firefox
mozvoikko.noarch : Finnish Voikko spell-checker extension for Mozilla 
programs
mozilla-requestpolicy.noarch : Firefox and Seamonkey extension that 
gives you
spice-xpi.x86_64 : SPICE extension for Mozilla
thunderbird-enigmail.x86_64 : Authentication and encryption extension for


>> * and no - he must not do that is not a acceptable solution
>
> Yes it is.
>
>> security and usability are always a tradeoff
>
> Not always, and if, sometimes security has to win.

frankly, a lot of people hate my security-first attitude but in case of 
browser extensions i just don't want run to every machine for every 
extension update and hand out the admin-password is a no-go

>> hence the topic *is* nonsense
>
> No, it is not

well, depending on the extension (noscript) as example there are very 
often updates - you are in danger to train users to always and 
everywhere anter their root-password or skip updates which may be 
security relevant

Mozilla is solving most of the issues by just only install signed 
extensions - let's wait how many people switch to the developer version 
without that restriction because 1 or 2 of their favorite extensions are 
only available directly from the developer




Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists