Nils Maier wrote:
> Addressing Dave's demand for proposals:

Sorry but I didn't actually demand proposals. I gave one and asked for opinions on it. I am of course open to other proposals and a few have been given.

> If there is no workable solution then don't implement one.

As far as I can tell there is one, I need to investigate the code more though.

> It isn't like there are armies of evil folks out there lurking on wifi
> hotspots just to intercept update requests.

Maybe not, but given the working demonstration and if we choose to do nothing about it, who can say that people won't start to give it a try?

> Furthermore the first installation could be hijacked as well, so until
> this is addressed the problem persists anyway.

Correct, but I'm not convinced it matters which order we tackle these two problems in.

> Make it opt-in, not must or opt-out, if there is no solution in reach
> which would satisfy all requirements.

It will absolutely not be opt-in, that would be equivalent to doing nothing. I seriously hope it will not be opt-out either, so yes I am looking for a solution that applies all the time. The only exception to this could be local machine development.

> Try to promote workable solutions, evangelize authors, to use what is
> available already (extension code signing, SSL install/updates). Most if
> not all high-impact (or better popular) extensions will likely implement
> secure updates, especially if they get some guidance from Mozilla.
> Those are the ones with the highest risk of being "attacked" anyway.

This is already in progress I believe.

> That community program that gives away software/hardware could be
> extended to provide popular extensions with (money for) code-signing
> certificates...

Worth a thought, I shall flag this for Seth's attention.

> Maybe make it easy for authors to add their own self-signed cert that
> might check updates.
> Thinking of a fuel-esque way to easily add those certificates, and tools
> that make creating certs and signing more easy (all those "help me
> signing that xpi" threads clearly indicate that it is not easy enough yet).
> Maybe even allow to use self-signed certificates for installation, then
> asking the user to import the certificate if he trusts it. (Admittedly
> this raises the question if the users will understand such a
> confirmation dialog and not just OK it away).
>
> My observation is that none of the distribution systems solved this
> trust issue fully yet.
> E.g. DPKG/RPM will warn you but still allow you to install
> unsigned/unknown-key-signed packages.

I wouldn't consider that much of an indicator. dpkg/rpm aren't exactly for novice users. It would be interesting to know why they allow you to override the security though. As I understand it, Windows updates are signed and rejected if they fail the signature check.

Dave

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto