On 2/18/15 2:24 PM, Jim Porter wrote:
> On 02/18/2015 10:10 AM, Jorge Villalobos wrote:
>> Silently dropping an add-on in a user's profile vs. having to install
>> and run a new program that isn't branded as Firefox AND changing the
>> signing pref AND silently installing the add-on AND having the user
>> be warned about an unsigned extension. I think that's a big
>> difference. If a user is adamant on using an unsigned extension they
>> will surely find the way, but there are much more hoops to jump
>> through.
>
> I think most of the arguments against this proposal are only against the first step ("having to install and run a new program that isn't branded as Firefox"). I haven't seen any objections to the other steps. If we're concerned about malware authors automating all the other steps, what's to stop them from telling you to install Firefox Developer Edition and then automating those steps anyway? The end result is that the user only faces a single hurdle.
The argument is not only about what the user is willing to do, but also
to what extent is a malware developer going to go to accomplish what
they want. Is this approach sufficiently effective to be worth the cost?
There's also the point that Mike has brought up a couple of times on
this thread, which is that the line between acceptable and unacceptable
behavior is much clearer after we implement this. A piece of software
that goes into all of this effort to trick the user is clearly malicious
and should be dealt with at the AV / OS level.
>
> To be clear: I don't think anyone is arguing against requiring add-ons to be signed by default; they're only arguing against requiring users to download a different build to run unsigned add-ons.
I think there are many objections about other parts of this proposal,
like the centralization of control and the efficiency of the signing
process.
> These proposals seem to be assuming that malware authors don't have access to Firefox's Program Files folder (or similar for other platforms, but let's focus on Windows since that's where the userbase is), or at least that we have some recourse if malware authors just patched the Firefox binary. Doesn't this imply that *any* solution that requires write access to Firefox's Program Files folder would be equally good?
1) There's plenty of malware that acts without admin access.
2) Even if the malware runs with admin access, there are some things we
can do about it, like making it sufficiently difficult for the malware
to be practical, and making it sufficiently clear that the malware is
hacking into Firefox or tricking the user into installing other software
rather than just changing a configuration setting that happens to be in
the programs folder.
>
> For instance, if we took something like Jeff Lyon's proposal of generating a crypto token from a Mozilla website, but required users to personally place the token in Firefox's Program Files folder, doesn't this provide as much security as downloading a new build? In either case, Windows' UAC will prevent this activity from being automated. In effect, by adding the token, you're installing a new "build" of Firefox, but with the benefit that you're still on the same version as before. This way, users/developers could still use the release channel as needed and be able to run unsigned code, which I see as a hard requirement for add-on development.
>
>> As to whether most users will be less willing to go through various
>> hoops rather than almost none in order to install malware on their
>> system, I don't think there's formal research we've done on that.
>
> That's the kind of research that I think needs to happen, e.g. getting some users into an office and trying to convince them to install malware under a few different systems (the status quo, this new proposal, something like Jeff Lyon's proposal, etc). I think it's extremely risky to assume that we can actually predict how persistent users will be (and in how much they'll refuse to read anything that we say to warn them!).
>
> Without this kind of research, we're choosing to restrict the freedoms of other users based on only a guess. I think we have a responsibility to do better than that. We should only restrict the freedoms of a class of users because we *know* it will help the majority.*
>
> - Jim
>
I don't think that getting a few users to try this out is enough to
reach any useful conclusions. There's certainly value in doing user
research, but I think that the kind of study that would be needed to
confirm this would be costlier and take much more time. I'm not in a
position to say if that's something we could invest money on, but I
wouldn't be in favor of delaying this project anymore (it has existed in
one form or another for years).
> * And even then, we should try our best to minimize the restrictions
provided we can get similar levels of protection.
If you look at the past history of this list, you'll see how I've been
fighting to do that for a very long time. I think this signature
proposal strikes a very good balance of giving developers the freedom to
create and distribute the add-ons they want, giving users the freedom to
install what they want, and giving us some level of control over
malicious add-on distribution.
Jorge