Bugtraq mailing list archives

Re: [FD] Mozilla extensions: a security nightmare


From: Reindl Harald <h.reindl () thelounge net>
Date: Thu, 6 Aug 2015 19:28:26 +0200



On 06.08.2015 at 19:03, Christoph Gruber wrote:
Reindl Harald <h.reindl () thelounge net> wrote:

that's all fine but

* nothing new, independent of lightning

ACK

* how do you imagine a restricted user installs an extension otherwise

Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility to install 
every shit which comes with a "I am free" or "I am sexy" tag.

the admin-installed extensions would be installed for every user
you can restrict yourself doing so by just only use packed extensions

yum search mozilla | grep -i extension
firefox-esteidpkcs11loader.noarch : Estonian ID card extension for Mozilla
mozilla-adblockplus.noarch : Adblocking extension for Mozilla Firefox,
mozilla-esteid.noarch : Estonian ID card Mozilla extension
mozilla-https-everywhere.noarch : HTTPS/HSTS enforcement extension for Mozilla
mozilla-noscript.noarch : JavaScript white list extension for Mozilla Firefox
mozvoikko.noarch : Finnish Voikko spell-checker extension for Mozilla programs
mozilla-requestpolicy.noarch : Firefox and Seamonkey extension that gives you
spice-xpi.x86_64 : SPICE extension for Mozilla
thunderbird-enigmail.x86_64 : Authentication and encryption extension for


* and no - "he must not do that" is not an acceptable solution

Yes it is.

security and usability are always a tradeoff

Not always, and if, sometimes security has to win.

frankly, a lot of people hate my security-first attitude, but in the case of browser extensions I just don't want to run to every machine for every extension update, and handing out the admin password is a no-go

hence the topic *is* nonsense

No, it is not

well, depending on the extension (noscript, as an example) there are very often updates - you are in danger of training users to always and everywhere enter their root password, or to skip updates which may be security relevant

Mozilla is solving most of the issues by only installing signed extensions - let's wait and see how many people switch to the developer version without that restriction because 1 or 2 of their favorite extensions are only available directly from the developer
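An added check in the spirit of this thread (not code from the thread or from Mozilla): it reads a Firefox profile's extensions.json and flags enabled extensions that were installed per-user rather than by an admin or a distribution package and that carry no Mozilla signature. The location names, field names and signedState value are assumptions about Firefox's profile format, and the sample input is constructed.

```python
import json

# Locations outside the user's profile: placed there by an admin or by a
# distribution package (like the mozilla-*.noarch RPMs listed in the thread).
# Location names, field names and the signedState value are assumptions about
# Firefox's profile extensions.json; verify them against the version you deploy.
ADMIN_LOCATIONS = {"app-system-share", "app-system-local",
                   "app-global", "app-system-defaults"}
SIGNED_OK = 2  # assumed value of AddonManager.SIGNEDSTATE_SIGNED


def classify_addons(extensions_json: str) -> list:
    """One record per extension: origin, signing verdict, enabled state."""
    report = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks are out of scope
        location = addon.get("location", "")
        report.append({
            "id": addon.get("id"),
            "name": addon.get("defaultLocale", {}).get("name", addon.get("id")),
            "user_installed": location not in ADMIN_LOCATIONS,
            "signed": addon.get("signedState", 0) >= SIGNED_OK,
            "active": bool(addon.get("active", False)),
        })
    return report


def user_installed_unsigned(extensions_json: str) -> list:
    """IDs of enabled extensions that are neither admin-installed nor signed."""
    return [r["id"] for r in classify_addons(extensions_json)
            if r["user_installed"] and not r["signed"] and r["active"]]


def scan_profile(profile_dir: str) -> list:
    """Run the check against a real profile directory (path layout assumed)."""
    with open(f"{profile_dir}/extensions.json", encoding="utf-8") as fh:
        return user_installed_unsigned(fh.read())


# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "packaged-addon@example.invalid", "type": "extension", "active": True,
     "location": "app-system-share", "signedState": 2,
     "defaultLocale": {"name": "Installed from a distribution package"}},
    {"id": "sexy-toolbar@example.invalid", "type": "extension", "active": True,
     "location": "app-profile", "signedState": 0,
     "defaultLocale": {"name": "I am sexy"}},
    {"id": "langpack-de@example.invalid", "type": "locale", "active": True,
     "location": "app-profile", "signedState": 2},
]})
```

Run `scan_profile` against each user's profile directory to get the list of extensions that an admin never approved and Mozilla never signed.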


