Is installing addons secure?

Isengrim
Keeps coming back
Posts: 997
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Is installing addons secure?

Post by Isengrim » 2019-09-07, 10:30

While I agree that we aren't a likely target for MITM attacks on add-on downloads, I should point out that security by obscurity is never a safe bet. It just takes some script kiddie to pull off an attack and sully our reputation for being sane, stable, and safe... again.

Our add-on download security should at least be comparable to our browser binary download security (see this topic). Providing a verifiable hash would be a good step forward if we don't do this already.
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6205
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Is installing addons secure?

Post by New Tobin Paradigm » 2019-09-07, 11:50

I am acceding to the will of the privsec nutjobs. I ran through several possible alternatives but none of them will satisfy increasing requirements and the best one would also piss off the no-js freaks.

Pale Moon and Basilisk Add-ons Sites and any other future Add-ons Site will be served by https-only, provided they have a cert and the feature is added to the specific application add-ons site feature array in the code.

Don't ask me for anything else regarding the Add-ons Server, Sites, or Software for at LEAST six months.

As an additional note: Interlink won't be served on https because I don't have a cert.. yet. Don't ask. I'll tend to it in my own good time.
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

moonbat
Keeps coming back
Posts: 757
Joined: 2015-12-09, 15:45
Location: Australia

Re: Is installing addons secure?

Post by moonbat » 2019-09-07, 12:13

Isengrim wrote:
2019-09-07, 10:30
While I agree that we aren't a likely target for MITM attacks on add-on downloads, I should point out that security by obscurity is never a safe bet. It just takes some script kiddie to pull off an attack and sully our reputation for being sane, stable, and safe... again.
This does matter. As it is people keep repeating the same canards about PM being obsolete (omg, they're 'only' at version 28 while Firefox is at 70, and obviously bigger version = better, amirite?!) or a 'rebuild' despite the well updated clarifications. The recent archive server hack was also spun as implying there was something wrong with the browser itself. And in the end, impressions and marketing matter a lot more than technical excellence, sadly (there are tons of examples out there). Can't afford to have PM being criticized for this of all things, however improbable the chances of it happening.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6205
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Is installing addons secure?

Post by New Tobin Paradigm » 2019-09-07, 19:15

RESOLVED FIXED unless you find an error. You can report that here.
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

F22 Simpilot
Lunatic
Posts: 458
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Is installing addons secure?

Post by F22 Simpilot » 2019-09-08, 07:02

Why not just provide a SHA256 hash on the website that provides the XPI and call it a day? If one day a flock of unicorns all start crapping Skittles and your ARP cache somehow gets poisoned, then the hash won't match. Problem solved. No need for a 15+ post topic about this.

To be quite honest, you're only going to get a MiTM attack on an open WiFi connection or kicking it back at a hotel in Vegas during the DEFCON convention using the hotel's WiFi. This can all be mitigated by using a good, reputable VPN, a good, reputable software-based firewall that prevents ARP cache poisoning and perhaps changing the DNS servers in your NIC to that of OpenDNS or CloudFlare, etc. (I don't mention BS 8.8.8.8 for reasons...) And about a VPN, make sure its jurisdiction is beyond the five eyes. Two good VPNs are ProtonVPN or VPN.AC. I use both myself. But that's beyond the scope of this topic and now it will be inundated by spam.

To summarize: Provide a hash along with the XPI and call it a day. Just keep checking your IP at Shodan and fix your CVE shit on the server if it comes up. To the NSA (if you're concerned about that) they look at just the smallest of unfixed vulnerabilities and pry it open. A good hacker would probably do the same thing and infect all or most of the XPIs hosted on the server. I shouldn't have to mention that the hash value should be served up independent of the XPI hosting server.
If you're that smart and act like a dork, then you're not that smart after all. :geek:

Statistically every 22.3 years a tragedy turns into a comedy.

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6205
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Is installing addons secure?

Post by New Tobin Paradigm » 2019-09-08, 08:06

Except the hash isn't that useful when you are doing installables. Only downloadables. You expect people to save link as, then open up a separate application to compare a hash, then install the xpi locally?

That is tedious as all hell. No. It is now ALL https. That is what was requested and has been off and on for a while now by more than a disney popstar no one has cared about for 20 years.

It's done, time to move on to other things.

The only additional change that might happen is I may switch it to use a js InstallTrigger instruction rather than a plain navigational link, which will instruct the application to download and additionally compare the hash during the process. The no-js people will freak, but I may do it anyway.

So basically, request denied.
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Moonchild
Pale Moon guru
Posts: 24887
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Is installing addons secure?

Post by Moonchild » 2019-09-08, 08:45

To clarify, before more people offer alternatives as suggestions: Tobin and I have discussed this at length this weekend (while I was away from home, at that; as you can see I do take these things seriously enough to interrupt my free time to discuss them) and gone over all potential alternatives, including changing the XPI installer to automatically request and check a hash over a secure connection during the installation process, or using a more secure way to call the install trigger, and other ways to make it secure over http, but in the end we realized that people aren't going to accept it because it's not https and they aren't going to budge on that point. I also independently remarked that it not being a problem because we're a small market browser and therefore extremely unlikely to be a target for the kind of setup required to make extension installation interception a factor is not a good argument.

So the simplest solution, while less desired from the point of view of the infrastructure we have and required extra expenses for certs and potential server upgrades if we're going to need more processing power for uncached encrypted connections, is also the one that will provide the best indication that we are doing what should be done when dealing with code that gets installed directly as opposed to downloaded.
I do note that we might still be implementing one of the discussed alternatives and a rewrite of the installation interaction with users in the future to further improve extension installation safety, because we're not going to be complacent with having https being a reason to reduce awareness or pro-active administration/development. Not in the least because https is not a magic wand, especially if you're dealing with networking environments where there is already a compromise risk.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

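The hash-check idea that runs through the thread (F22 Simpilot's "publish a SHA256 beside the XPI, served from a different host", Tobin's InstallTrigger-with-hash variant, and the automatic hash check during installation that Moonchild mentions) reduces to the same primitive: compute the digest of the XPI bytes you actually received and compare it, in constant time, against a digest obtained over a channel the XPI server does not control. The following is an added example written for this discussion; it is not code from the Pale Moon project or its add-ons site. It assumes the published digest is written as `sha256:<hex>`, which is also the form the legacy `InstallTrigger.install()` `Hash` property takes, and the sample XPI it builds is a constructed stand-in (an XPI is just a ZIP archive), not a real add-on.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import zipfile

# Constructed install.rdf stub for the sample XPI; not a real Pale Moon add-on.
SAMPLE_MANIFEST = "<RDF><Description em:id='example@example.invalid'/></RDF>"

# Digest algorithms we are willing to accept from a published hash string.
ACCEPTED_ALGOS = ("sha256", "sha512")


def build_sample_xpi(manifest: str = SAMPLE_MANIFEST) -> bytes:
    """Build a tiny XPI (a ZIP archive) with a fixed timestamp so that the
    bytes, and therefore the digest, are reproducible between runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("install.rdf", date_time=(2019, 9, 8, 0, 0, 0))
        zf.writestr(info, manifest)
    return buf.getvalue()


def publish_hash(xpi_bytes: bytes, algo: str = "sha256") -> str:
    """Produce the 'algo:hexdigest' string the site operator would publish
    beside the XPI (on a host other than the one serving the XPI)."""
    if algo not in ACCEPTED_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo!r}")
    return f"{algo}:{hashlib.new(algo, xpi_bytes).hexdigest()}"


def parse_published_hash(spec: str) -> tuple[str, str]:
    """Split 'algo:hex' into its parts, rejecting unknown algorithms and
    digests of the wrong length or with non-hex characters, so a malformed
    or downgraded hash string can never be 'verified' by accident."""
    algo, sep, digest = spec.strip().partition(":")
    algo = algo.lower()
    if not sep or algo not in ACCEPTED_ALGOS:
        raise ValueError(f"unsupported hash spec: {spec!r}")
    digest = digest.lower()
    if len(digest) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"digest length does not match {algo}: {spec!r}")
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"digest is not hex: {spec!r}")
    return algo, digest


def verify_xpi(xpi_bytes: bytes, published: str) -> bool:
    """Return True only if the received XPI bytes hash to the published digest.
    hmac.compare_digest avoids leaking where the comparison diverged."""
    algo, expected = parse_published_hash(published)
    actual = hashlib.new(algo, xpi_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def check_sums_file(sums_text: str, files: dict[str, bytes]) -> dict[str, bool]:
    """Check a sha256sum-style listing ('<hex>  <filename>' per line) against a
    mapping of filename -> downloaded bytes. Every listed file gets a verdict;
    a file that is listed but was not downloaded is reported as failed rather
    than silently skipped. The listing text is a parameter on purpose: the
    caller fetches it from the independent (https) host, not from the XPI
    server whose content we are checking."""
    results: dict[str, bool] = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a '<hex> <name>' line; ignore
        digest, name = parts[0], parts[1].lstrip("*")
        data = files.get(name)
        try:
            results[name] = data is not None and verify_xpi(data, "sha256:" + digest)
        except ValueError:
            results[name] = False  # malformed digest in the listing
    return results


if __name__ == "__main__":
    xpi = build_sample_xpi()
    spec = publish_hash(xpi)
    print("published:", spec)
    print("genuine verifies:", verify_xpi(xpi, spec))
    tampered = xpi[:-1] + bytes([xpi[-1] ^ 0x01])
    print("tampered verifies:", verify_xpi(tampered, spec))
```

Two design points worth noting. First, the check is only as good as the channel the digest arrived over: if the hash string and the XPI come from the same plain-http host, an on-path attacker who can alter one can alter both, which is why the thread lands on serving the whole thing over https. Second, the parser refuses anything that is not an accepted algorithm with a full-length hex digest, so a listing that has been truncated, mangled, or switched to a weaker algorithm fails closed instead of passing.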