On Tue, Apr 25, 2017 at 5:41 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote:
> What problem did you mean to address by code signing?

The reason I suggested code signing is because loading libvoikko would provide an easy way for people to inject code into Firefox. For a while we've been trying to make it difficult for semi-legit-but-not-quite-malware parties to load crappy code into Firefox (I'm thinking of crappy antivirus software, adware, etc.). Removing binary XPCOM components and NPAPI support, and requiring add-on signing, are all facets of this. If we simply load and run code from any file named voikko.dll on the user's computer, then we've opened up another door. It's a less powerful door since we probably (I hope) wouldn't give them access to XPCOM. But they could still open windows that look like they came from Firefox and I imagine there's other bad stuff I haven't thought of.

People often object to this argument by saying that, without libvoikko, these bad actors could just replace libxul or something. But I think in practice it would be harder for them to pull that off, both technically and socially. From a technical perspective, it's harder to replace core parts of Firefox while still leaving it in a working state, especially if the updater is still allowed to run. And socially, I think it makes their software look a lot more like malware if they replace parts of Firefox rather than simply install a new DLL that we then load.

Overall, though, I agree with Ehsan that this discussion isn't very worthwhile unless we know what the voikko people want to do.

-Bill
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform