BugTraq
Re: [FD] Mozilla extensions: a security nightmare Aug 06 2015 05:28PM
Reindl Harald (h reindl thelounge net)


On 06.08.2015 at 19:03, Christoph Gruber wrote:
> Reindl Harald <h.reindl (at) thelounge (dot) net> wrote:
>>
>> that's all fine but
>>
>> * nothing new, independent of lightning
>
> ACK
>
>> * how do you imagine a restricted user install an extension otherwise
>
> Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility to install every shit which comes with a "I am free" or "I am sexy" tag.

the admin-installed extensions would be installed for every user
you can restrict yourself doing so by just only using packed extensions

yum search mozilla | grep -i extension
firefox-esteidpkcs11loader.noarch : Estonian ID card extension for Mozilla
mozilla-adblockplus.noarch : Adblocking extension for Mozilla Firefox,
mozilla-esteid.noarch : Estonian ID card Mozilla extension
mozilla-https-everywhere.noarch : HTTPS/HSTS enforcement extension for Mozilla
mozilla-noscript.noarch : JavaScript white list extension for Mozilla Firefox
mozvoikko.noarch : Finnish Voikko spell-checker extension for Mozilla programs
mozilla-requestpolicy.noarch : Firefox and Seamonkey extension that gives you
spice-xpi.x86_64 : SPICE extension for Mozilla
thunderbird-enigmail.x86_64 : Authentication and encryption extension for

>> * and no - he must not do that is not an acceptable solution
>
> Yes it is.
>
>> security and usability are always a tradeoff
>
> Not always, and if, sometimes security has to win.

frankly, a lot of people hate my security-first attitude but in case of
browser extensions i just don't want to run to every machine for every
extension update, and handing out the admin-password is a no-go

>> hence the topic *is* nonsense
>
> No, it is not

well, depending on the extension (noscript as an example) there are very
often updates - you are in danger of training users to always and
everywhere enter their root-password or skip updates which may be
security relevant

Mozilla is solving most of the issues by just only installing signed
extensions - let's wait and see how many people switch to the developer version
without that restriction because 1 or 2 of their favorite extensions are
only available directly from the developer

