Linked by davidiwharper on Tue 14th Jan 2014 09:03 UTC
Mozilla & Gecko clones

Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

Thread beginning with comment 580723
Stupid or irrelevant
by tomz on Wed 15th Jan 2014 01:50 UTC
tomz
Member since:
2010-05-06

They allow hundreds of CAs and any of those can be compromised (and the xpi extensions are "signed" by those same certs).

Of course everyone trusts the Turkish government! Doesn't Verisign and Google and Apple send their private keys to the NSA as soon as they are generated?

What happened to Diginotar?

They need to fix the SSL/CA system - that is the screen door in back - instead of replacing a steel door with a vault door in front.

And the CA store is probably not part of the binary.

Also note that any "CA approved" javascript in the background can run, so a MITMed images.amazon.com can completely rewrite (Javascript has the power to delete the current page and replace it with anything else) and redirect the amazon.com page. Or if I had a cert for "google-analytics.com" I would own most "SSL-only" sites.

They also need to build in NoScript, or at least have "don't run 3rd party javascript" by default. Some places have over a dozen other sites that supply javascript.

Reply Score: 3

RE: Stupid or irrelevant
by Alfman on Wed 15th Jan 2014 04:18 in reply to "Stupid or irrelevant"
Alfman Member since:
2011-01-28

tomz,

I don't think it's stupid or irrelevant. Javascript, CA's and compromised binaries are all different types of security problems that warrant various solutions. There's no magic bullet to solve them all in one shot.


Or if I had a cert for "google-analytics.com" I would own most "SSL-only" sites.


This actually bugs me a lot since it's so prevalent (including here). Many clients demand web developers link in 3rd party analytics scripts without considering security or privacy. Yet this gives entities like google, along with all the CAs/agencies who might impersonate google, complete access to the websites whether they're SSL protected or not. I am disappointed that this terrible security practice has become the status quo and that everyone is so willing to voluntarily throw away the security of their site.


They also need to build-in noscript, or at least have 'don't run 3rd party javascript' by default


Yea but then you break some legitimate things too. I think javascript ought to incorporate separate sandboxes such that third party scripts would never have the opportunity to directly hijack the first party code or the browser.

I have to ask myself how often this known security flaw gets exploited?

Edited 2014-01-15 04:20 UTC

Reply Parent Score: 3
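Both comments above turn on the same point: every script a page loads from another origin runs with the full privileges of the page that embeds it, so one impersonated or compromised script host is enough to rewrite the whole site. The following is an added example, written for this discussion and not part of the thread or of Mozilla's verification work: a small Node.js audit that takes a page's HTML plus its URL, resolves each `<script src>` (including relative and protocol-relative URLs), and reports which scripts come from a third-party origin and whether they carry a Subresource Integrity (`integrity`) attribute. The HTML and the `.test` hostnames are constructed for the demo; the helper names (`extractScripts`, `auditThirdPartyScripts`, `thirdPartyOrigins`) are this example's own.

```javascript
// Added example (not from the OSNews thread): list the script origins a page
// trusts, so the "over a dozen other sites that supply javascript" problem is
// visible rather than hidden in the markup. Runs under Node.js without a DOM.

// Constructed sample page: one relative script, one same-origin absolute
// script, one analytics script from another origin, one protocol-relative
// CDN script pinned with SRI, and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.example-shop.test/js/cart.js"></script>
<script src="https://analytics.example-tracker.test/ga.js"></script>
<script src="//cdn.example-cdn.test/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Pull every opening <script> tag and read its src and integrity attributes.
// A missing src means an inline script, which is first-party by definition.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({
      src: src ? src[1] : null,
      integrity: integrity ? integrity[1] : null,
    });
  }
  return scripts;
}

// Classify each external script by comparing its resolved origin with the
// page origin. Anything that is not same-origin is a third party whose
// operator (or anyone who can impersonate it) can rewrite the page.
function auditThirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const report = { firstParty: [], thirdParty: [], inline: 0 };
  for (const s of extractScripts(html)) {
    if (s.src === null) {
      report.inline += 1;
      continue;
    }
    const u = new URL(s.src, page); // resolves "/x.js" and "//host/x.js"
    const entry = { url: u.href, origin: u.origin, hasIntegrity: s.integrity !== null };
    (u.origin === page.origin ? report.firstParty : report.thirdParty).push(entry);
  }
  return report;
}

// Distinct third-party origins, sorted, for a quick "who do we trust" list.
function thirdPartyOrigins(report) {
  return [...new Set(report.thirdParty.map((e) => e.origin))].sort();
}

// Stand-alone run over the constructed page.
const demo = auditThirdPartyScripts(SAMPLE_HTML, "https://www.example-shop.test/checkout");
console.log("third-party origins:", thirdPartyOrigins(demo));
for (const e of demo.thirdParty) {
  console.log(`${e.url}  integrity=${e.hasIntegrity ? "yes" : "NO"}`);
}
```

The `hasIntegrity` flag is the caveat worth noticing: an SRI hash pins a static library such as the CDN script, but it cannot be applied to a tracking script whose content changes at the provider's discretion, which is exactly the analytics case in the thread. For those, the page has no cryptographic check at all and relies entirely on the provider and the CA system, which is the gap the sandboxing suggestion in the reply is aimed at.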