On 12/9/2013 4:54 PM, Jorge Villalobos wrote:
> The alternative being proposed is a system where we use code signing to
> determine if an add-on should be installed or not. There are many
> variables to this, so I'll try to explain what I think would work best:
I think we need to be clear about the goals. As I understand it, we have
the following potential goals, and we need to understand which technical
solution meets which goals:
A. Have useful contact information for addons installed into Firefox, so
that if they are causing problems we can reach the authors
B. Be able to block addons after the fact which are determined to not
meet our policies
C. Verify before they are installed that addons meet our policies
D. Use analysis of addon files to help determine whether Firefox updates
will break particular addons, even if they aren't hosted on AMO
== Jorge's Proposal ==
The solution that Jorge has proposed doesn't rely on any global CA
infrastructure: addons are signed by the developer with a certificate
that is self-signed and doesn't necessarily chain to anything. The
developer must provide the cert fingerprint to AMO and the addon IDs
they will be signing. The Firefox, at addon install, checks for correct
signing and also asks AMO to verify that the addon ID and cert
fingerprint are known, and allows installation.
Presumably we'd hook up some sort of revocation system and integrate
this with the blocklist so that we can block things by certificate/ID.
This proposal solves A/B but not C/D. It does require that the computer
have a connection to AMO at the time an addon is installed. The system
does not cost developers anything.
== no-network alternate ==
An alternate system here would be to have AMO be a root certificate for
signing addons.
* Build an AMO root certificate into Firefox.
* When the developer has a new addon, they create an intermediate
certificate specific to that addon's ID and ask AMO to sign it via the
developer UI.
* The developer can then sign multiple versions of that specific addon
with their local certificate.
This would solve the same problems as Jorge's proposal, but would not
require an active connection to AMO at install time. There are some
details to work out, such as how we upgrade the root certificate and
still maintain the offline-install promise.
I'm not sure this is actually worth it, since the problem it solves (AMO
is down or and the user is starting Firefox with a new extension) is not
critical.
The critical difference between both of these proposals and file
registration is that we don't get to do malware checking in advance: we
can block malicious addons much more effectively later, but because we
don't have the files up front we can't do any kind of preemptive review.
I still think this is a pretty big win.
However, we could consider making the install process more complicated
for un-reviewed addons. That is: if the developer has not submitted the
actual addon files to AMO for validation, the install UI could require
more steps or be scarier. For addons that are fully reviewed, we could
streamline the install process. Perhaps we wouldn't even show the system
install prompt for unreviewed addons, so that the only way to enable
these addons would be in the addon manager UI.
--BDS