Hi all, I am looking for some feedback on a proposal I'm working on to improve the security of add-on updates in Mozilla products. Let me give an overview of the problem I wish to solve and then what I have come up with so far as a potential solution.
In the Mozilla applications we have add-ons installed. I'm ignoring how the add-ons are installed, but let's assume that once there we have some faith in them. The application periodically checks for available updates to an add-on by downloading an update file from a URL specified by the installed add-on. What I want is to be able to establish some trust that the update file retrieved is correct, has not been tampered with or intercepted, and is as it was originally written by the add-on author. The key problem is that I wish to do this in a way that does not cost the add-on author any money (or at least a very small amount of money), so getting a certificate signed by one of the root CAs is not an option, nor is serving the file from an SSL server.

The potential solution that I am considering is using a digital signature. The add-on author, when he first writes the add-on, creates a public and private key. The public key is included in the add-on on initial install. After that the private key is used to sign the update file. In this way the application has the author's public key and can use it to verify the signature of the update file.

There are a few problems already pointed out:

This all assumes that the initial add-on was not tampered with in the first place. This is true; however, that is really a different problem for the future. Right now I have to concentrate on the update mechanism alone.

If the add-on author has their private key compromised then of course we lose all security. I don't see a real way around this, but we have certain possibilities in place (add-on blacklisting, for example) that could be called into play in such an event.

Finally, the public key for the add-on on the user's machine could be changed; however, in the event that someone has gained access to the user's machine I think ensuring the security of updates is a moot point.
Now I am not an expert on cryptography, so I would appreciate any comments you have on other weaknesses in the proposal or any other solutions or problems you think I might have missed.

Cheers,
Dave

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
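
The scheme proposed in the message above, sketched as an added example (not code from the post or from Mozilla): the author's public key is stored at install time and the application checks a detached signature over the update file before reading it. Ed25519, the JSON update format, integer versions and all names and URLs are assumptions made for the illustration; the check that the version is newer is an addition, since an older file signed by the same key would otherwise still verify.

```javascript
// Added example: constructed data, hypothetical names, Ed25519 chosen as an assumption.
const crypto = require('node:crypto');

// Author side, once: generate the key pair. Only the public half ships in the add-on.
function createAuthorKeys() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Author side, per release: sign the exact bytes of the update file.
function signUpdate(updateBytes, privateKey) {
  return crypto.sign(null, updateBytes, privateKey).toString('base64');
}

// Application side: check the downloaded bytes against the key stored at install time.
function checkUpdate(installed, updateBytes, signatureB64) {
  const key = crypto.createPublicKey(installed.publicKeyPem);
  const sig = Buffer.from(signatureB64, 'base64');
  if (!crypto.verify(null, updateBytes, key, sig)) return { ok: false, reason: 'bad-signature' };
  // Parse only after the signature has verified, so untrusted bytes are never interpreted.
  const update = JSON.parse(updateBytes.toString('utf8'));
  if (update.id !== installed.id) return { ok: false, reason: 'wrong-addon' };
  // An old file signed by the author still verifies; accept only a newer version.
  if (update.version <= installed.version) return { ok: false, reason: 'not-newer' };
  return { ok: true, update };
}

// Constructed scenario: one genuine update and three that must be refused.
function demo() {
  const author = createAuthorKeys();
  const other = createAuthorKeys(); // a key pair the installed add-on has never seen
  const installed = { id: 'example@addon.invalid', version: 3, publicKeyPem: author.publicKeyPem };
  const make = (version, updateLink) =>
    Buffer.from(JSON.stringify({ id: installed.id, version, updateLink }));
  const good = make(4, 'http://addons.example.invalid/example-4.xpi');
  const goodSig = signUpdate(good, author.privateKey);
  const altered = make(4, 'http://mirror.example.invalid/example-4.xpi');
  const old = make(2, 'http://addons.example.invalid/example-2.xpi');
  return {
    genuine: checkUpdate(installed, good, goodSig).ok,
    altered: checkUpdate(installed, altered, goodSig).reason,
    otherKey: checkUpdate(installed, altered, signUpdate(altered, other.privateKey)).reason,
    replayed: checkUpdate(installed, old, signUpdate(old, author.privateKey)).reason,
  };
}
```
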