Is installing addons secure?

Unread post by hannahmontana » 2019-08-26, 14:31

Whenever I try to install an addon there's this label saying "(Author not verified)", moreover addons are by default fetched over plain http (not https). Which leaves me wondering, are addons delivered in a secure manner? Are they signed and if so, who does the signing and are the signatures actually verified?

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Is installing addons secure?

Unread post by Moonchild » 2019-08-26, 14:41

(Author not verified) is a remnant from the days when Mozilla had not busted author-supplied signatures. It should actually be removed/redone since it's broken beyond repair in its current state.
Addons can be downloaded from the https version of the addons site if you wish, if you are worried about hijacking of download links. (note that our addons site itself does not serve the XPI file downloads over https, regardless, but automatic update requests and responses are always served over https)
Addons are NOT signed, neither by the authors, nor by us (which would provide a false sense of security and binds addon authors to the distribution platform, which we do not want to do). So make sure you know and trust the source you get your extensions from, or examine the extension source in case of doubt.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

John connor

Re: Is installing addons secure?

Unread post by John connor » 2019-08-27, 05:45

Don't know if this will work or not, but you could always scan the XPI at Virus Total. However, since they use such a large amount of anti-virus engines you're bound to have a false positive or a few.

Edit-

Just scanned a few extensions and a theme and no false positives. I see others have already scanned what I had based on its hash.

Re: Is installing addons secure?

Unread post by Moonchild » 2019-08-27, 07:10

F22 Simpilot wrote (2019-08-27, 05:45):
> Virus Total.

That's unlikely to do any good unless someone slipped a malicious binary in there.

moonbat
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45

Re: Is installing addons secure?

Unread post by moonbat » 2019-08-27, 08:31

Moonchild wrote (2019-08-27, 07:10):
> That's unlikely to do any good unless someone slipped a malicious binary in there.

A few times I've had antivirus alerts for downloaded Javascript files in my Chrome/Chromium folder (on Windows). Cross browser malicious javascript and bitcoin miners are such fun (not). And the only extension I keep on Chrome is uBO. Strangely I've never seen that happen with any other browser.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

New Tobin Paradigm

Re: Is installing addons secure?

Unread post by New Tobin Paradigm » 2019-08-27, 11:53

For clarification's sake: On HTTPS enabled Add-ons Sites (not every project has a cert but Pale Moon and Basilisk projects do), all XPI files are transferred over http as Moonchild said. This includes updates.

WHAT is always done over https (if https enabled site) is the update REQUEST and RESPONSE. The response (update.rdf) contains an http link to the XPI file to fetch and that is verified against a sha256 hash from update.rdf. If it doesn't match then the update is rejected and discarded.

This allows us to have verification over an encrypted channel but not waste resources inefficiently with file transfers.

As for browsing and installing, Moonchild hit it on the head. YOU need to be responsible for what you download and install and from where determining if YOU trust the source. Which is needed much more now that the HTTPS Everywhere crowd seems to have won this conflict and rendered "secure" useless as a consideration for evaluating "safety".

As for me? If you think you have a man in the middle.. Stay off my servers. I don't want him there anymore than you do :P

hannahmontana

Re: Is installing addons secure?

Unread post by hannahmontana » 2019-08-27, 13:57

Moonchild wrote (2019-08-26, 14:41):
> Addons are NOT signed, neither by the authors, nor by us (which would provide a false sense of security and binds addon authors to the distribution platform, which we do not want to do).

I beg to differ. Even signing addons in an automated mode on the server would provide some level of security, this way when downloading an addon I'd at least know that that's what was uploaded to the server, not whatever anyone between me and the server decided to put there. Although serving the catalogue over https (especially with certificate pinning) would provide about the same level of security. Why does it default to http?

> So make sure you know and trust the source you get your extensions from, or examine the extension source in case

I know and trust the official addons catalogue (to not serve any malicious addons), but does that make any difference if what I retrieve from there can easily be tampered with along the way?

hannahmontana

Re: Is installing addons secure?

Unread post by hannahmontana » 2019-08-27, 14:01

New Tobin Paradigm wrote (2019-08-27, 11:53):
> WHAT is always done over https (if https enabled site) is the update REQUEST and RESPONSE. The response (update.rdf) contains an http link to the XPI file to fetch and that is verified against a sha256 hash from update.rdf. If it doesn't match then the update is rejected and discarded.

This is fine, but when downloading an addon for the first time... it just isn't verified in any way, is it?

Re: Is installing addons secure?

Unread post by moonbat » 2019-08-27, 14:12

hannahmontana wrote (2019-08-27, 14:01):
> This is fine, but when downloading an addon for the first time... it just isn't verified in any way, is it?

If you mean whether there's a moderation team to sit and verify each added extension, then no. The purpose of the hash check is to verify the integrity of the XPI binary, no more. It could also be corrupted while downloading, not necessarily only because of being modified by a MITM. As Moonchild says, you'll have to decide whether you want to trust an extension or not. As it is we have a very active community here with extension developers themselves participating, so it's not as though something that's off will go unnoticed.

New Tobin Paradigm

Re: Is installing addons secure?

Unread post by New Tobin Paradigm » 2019-08-27, 14:54

Actually, every add-on submitted is reviewed by someone before it is enabled and accessible on the add-ons site. Advanced and trusted developers who are prolific get to have their add-ons enabled on AUS and by direct link but remain unlisted until it is reviewed.

Updates to add-ons are not constantly reviewed but are kept an eye on and reports from you will trigger a re-evaluation by the Add-ons Team who may deactivate an add-on until a situation is resolved.

If someone does something malicious they will be exterminated from the add-ons sites and the offending extension will be added to the blocklist.

In any event, we aren't here to police submissions but we do keep an eye out to both what is on the Add-ons Sites and to reports from users.

As an aside, malicious signed xpi files sent over secure https are still malicious. So it effectively means jack point shit in any event. That is what I tried to explain and it was ignored.

person45
Fanatic
Posts: 104
Joined: 2017-10-20, 07:00

Re: Is installing addons secure?

Unread post by person45 » 2019-08-30, 17:55

You can try first installing the add-on in a sandbox to see what it does. It should stay separated from your system files.

Https doesn't even guarantee security.

https://news.netcraft.com/archives/2016 ... tacks.html
"95% of HTTPS servers vulnerable to trivial MITM attacks".

Anything can happen. It's possible for a "zero-day" exploit on Intel chips to damage our computers. Be alert and use common sense.

It's good practice to make backups on a flash drive or external hard drive. Something like FreeFileSync makes it easy with a click of a button to backup your pictures or documents.

Another option is to create a backup image of your drive. This makes it easy to restore everything if you get malware.

Re: Is installing addons secure?

Unread post by Moonchild » 2019-08-30, 19:32

person45 wrote (2019-08-30, 17:55):
> Https doesn't even guarantee security.
> https://news.netcraft.com/archives/2016 ... tacks.html
> "95% of HTTPS servers vulnerable to trivial MITM attacks".

For clarity: these statements are unrelated. It's true that https on its own doesn't guarantee security, but it's not true that 95% of HTTPS servers are vulnerable to trivial MitM attacks.
First, that article is 3.5 years old, second, it is purely written to promote HSTS and calling any server not having it "vulnerable to trivial MitM attacks". Without HSTS, https is still perfectly secure (barring non-trivial attacks). It's only when you are going to assume that people send sensitive information over http connection unless HSTS is enabled that you're having this "95%" situation :P That's a very one-sided and biased angle to approach this from. So, it's just propaganda, pretty much.

hannahmontana

Re: Is installing addons secure?

Unread post by hannahmontana » 2019-09-07, 00:22

New Tobin Paradigm wrote (2019-08-27, 14:54):
> As an aside, malicious signed xpi files sent over secure https are still malicious. So it effectively means jack point shit in any event. That is what I tried to explain and it was ignored.

Signed xpi files or xpi files sent over secure https won't be made malicious along the way, that's the whole point. If files aren't delivered securely, then reviewing them server-side doesn't make much difference.

New Tobin Paradigm

Re: Is installing addons secure?

Unread post by New Tobin Paradigm » 2019-09-07, 00:37

Okay, I want you guys to start funding Regolith (the server) and I will make it obey whichever scheme you choose to use.

I been paying for this server for four or five years now. I need 180 dollars for a year of service (it runs me 15 a month). You want the extra processing overhead on the server, you pay for it.

Seems fair, yes?

hannahmontana

Re: Is installing addons secure?

Unread post by hannahmontana » 2019-09-07, 03:18

New Tobin Paradigm wrote (2019-09-07, 00:37):
> You want the extra processing overhead on the server, you pay for it.
> Seems fair, yes?

I didn't know that https is now charged additionally. Well, if that is the case, then leaving unwitting palemoon users vulnerable to MiTM attacks that allow arbitrary code execution seems like a good decision.

Re: Is installing addons secure?

Unread post by moonbat » 2019-09-07, 03:23

hannahmontana wrote (2019-09-07, 03:18):
> I didn't know that https is now charged additionally.

There is a processing overhead involved with the SSL handshake that adds up over time and across multiple users. This is in addition to the recurring annual cost of a server certificate.

hannahmontana wrote (2019-09-07, 03:18):
> Well, if that is the case, then leaving unwitting palemoon users vulnerable to MiTM attacks that allow arbitrary code execution seems like a good decision.

How exactly would this exploit work in this case?

hannahmontana

Re: Is installing addons secure?

Unread post by hannahmontana » 2019-09-07, 03:41

moonbat wrote (2019-09-07, 03:23):
> There is a processing overhead involved with the SSL handshake that adds up over time and across multiple users. This is in addition to the recurring annual cost of a server certificate.

Because in 2019 tls overhead is not negligible. Orders of magnitude. A server certificate is already present by the way.

moonbat wrote (2019-09-07, 03:23):
> How exactly would this exploit work in this case?

Like any other MiTM works? Plain http is not encrypted or tamper-resistant at all. Anyone who can get in between you and the server: your ISP, anyone who owns your wifi router or anyone who can spoof your SSID (which isn't hard at all), anyone on an unsecured public wifi, etc, can just feed your machine a malicious xpi, and since xpis aren't signed, you can't detect it and will happily proceed to install it. That's it, you're pwned. It's especially severe because palemoon extensions aren't sandboxed like webextensions and can do pretty much anything (not saying it's a bad thing unto itself).

New Tobin Paradigm

Re: Is installing addons secure?

Unread post by New Tobin Paradigm » 2019-09-07, 04:51

Ignoring your blatant misconceptions of reality for a second...

What you are asking is that we increase processing overhead not just by the handshake but encrypting larger files and the encryption can't be cached, can't be multithreaded, can't be multiprocessed. It is a single thread operation every request that has to be done again and again to files ranging from 250kb to a literal 5 megabytes.

It is amazingly inefficient at scale. You want this and you want me to do this and add additional testing and reconfiguration and recoding to make this happen then show me you want it. That you need it. Cover the cost of the server for the next year at the very least and I will make it happen.

You think it is important not just for your self but for everyone's benefit. Then pull out your wallet and/or take up a collection. I am only asking you for only one aspect, the server cost, out of what I have done for five years.

I'll be honest, I don't want to do this and the case in my opinion is paranoid and overblown. You feel differently but likely don't want to take responsibility for it.

Well in the world you sometimes need to compromise. Take responsibility for helping with funding of server you want to work harder for your benefit.

Your choice.
Last edited by New Tobin Paradigm on 2019-09-07, 05:07, edited 1 time in total.

Re: Is installing addons secure?

Unread post by moonbat » 2019-09-07, 05:06

@Tobin - server costs aside, how bad is the threat of a MITM here otherwise?

New Tobin Paradigm

Re: Is installing addons secure?

Unread post by New Tobin Paradigm » 2019-09-07, 05:16

We aren't important enough for it to be a specific likely target for one. Two, who the fuck else besides us gives a shit about xul extensions? Three, your computer or network security issue that is almost certainly caused by bad software already on a system OR trusting public or illegally connected unsecured wireless networks is really not our emergency.

I am willing to satisfy the request but I want something in return. ELSE how about don't install add-ons when you aren't home and stay off my server if your system or network is compromised.

How about I expose the hash and you save link as instead. Then you can verify the file and install locally. This is what Add-ons Update Service does.

In fact, I am not sure but I think the install from search results in the Add-ons Manager also verifies hash. I will get back to you on that.
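
The hash check discussed in this thread (the update.rdf verification described in the 2019-08-27 post, and the "expose the hash and save link as" suggestion above), sketched as an added example that is not part of the thread and is not Pale Moon's or the add-ons site's code. The update.rdf element names, the host name and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # em: namespace (assumed manifest shape)

# Constructed sample data: a stand-in for the XPI bytes and for the update.rdf
# body that would arrive in the HTTPS update response.
SAMPLE_XPI = b"PK\x03\x04 constructed stand-in for an add-on package"
SAMPLE_RDF = """
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:sample@example.invalid">
    <em:updates><RDF:Seq><RDF:li><RDF:Description>
      <em:version>1.1</em:version>
      <em:targetApplication><RDF:Description>
        <em:updateLink>http://addons.example.invalid/sample-1.1.xpi</em:updateLink>
        <em:updateHash>sha256:DIGEST</em:updateHash>
      </RDF:Description></em:targetApplication>
    </RDF:Description></RDF:li></RDF:Seq></em:updates>
  </RDF:Description>
</RDF:RDF>
""".replace("DIGEST", hashlib.sha256(SAMPLE_XPI).hexdigest()).strip()


def parse_update_entries(rdf_text):
    """Return (link, algorithm, hex digest) for every updateLink in the manifest."""
    # The stdlib parser is acceptable here only because the manifest arrives over
    # HTTPS; use a hardened parser (e.g. defusedxml) for XML from an untrusted channel.
    entries = []
    for node in ET.fromstring(rdf_text).iter():
        link = node.find(EM + "updateLink")
        if link is None:
            continue
        digest = node.find(EM + "updateHash")
        value = (digest.text or "").strip() if digest is not None else ""
        if ":" not in value:
            raise ValueError("update entry has no usable hash; refuse it")
        algo, hexval = value.split(":", 1)
        entries.append((link.text.strip(), algo.lower(), hexval.lower()))
    return entries


def verify_payload(payload, algo, expected_hex):
    """True only if bytes fetched over plain http match the HTTPS-delivered hash."""
    if algo != "sha256":
        return False  # unknown or weaker algorithm: reject rather than guess
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    link, algo, hexval = parse_update_entries(SAMPLE_RDF)[0]
    print(link, "genuine:", verify_payload(SAMPLE_XPI, algo, hexval))
    print(link, "tampered:", verify_payload(SAMPLE_XPI + b"!", algo, hexval))
```

The check only binds the downloaded bytes to whatever the hash's channel vouches for: a hash read from the same plain-http page as the file gives integrity against corruption, not against tampering in transit.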
