unlisted extension signing and sideloading

[Dan Stillman]

Just wanted to pull out a specific question from the whitelisting
discussion.

Mike Connor wrote:
> it's not really about Zotero users trusting Zotero developers, it's
> about Firefox users trusting Zotero developers to the same extent as
> they trust Mozilla, since a malicious add-on claiming to be Zotero
> could be sideloaded on any user's machine and defeat any protection
> tied to signing

Is there a mechanism for Firefox to know whether an unlisted extension
has been signed as allowing sideloading? Given that sideloading is a
separate option in the AMO UI, my understanding was that there was,
which would seem to address the above concern.

Given that the validator can already be trivially circumvented without
whitelisting, this seems like an important capability, limiting the
effect of any compromise (of credentials, say) to the users of the given
extension. In the context of whitelisting, Mozilla would not be
requiring all Firefox users to trust the developers of a whitelisted
extension, merely the users whose trust they've already gained.

[Mike Connor]

Ah, I was under the impression (I'm not sure why) that Zotero had a client
+ add-on bundle. So the threat is only "I can get tricked into installing
something malicious that is masquerading as Zotero" at this point. For
Zotero, at least.

It's worth noting that a huge proportion of the unlisted add-ons being
distributed do need to be sideloaded (i.e. bundled with AV software, Skype,
etc). So that's a consideration in any proposal. Whitelisting sideloaded
add-ons is a big problem.

-- Mike

> _______________________________________________
> addons-user-experience mailing list
> addons-user...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/addons-user-experience
>

[Dan Stillman]

On 11/16/15 5:54 PM, Mike Connor wrote:
> Ah, I was under the impression (I'm not sure why) that Zotero had a
> client + add-on bundle. So the threat is only "I can get tricked into
> installing something malicious that is masquerading as Zotero" at this
> point. For Zotero, at least.

We do offer a standalone app that works with lightweight extensions as
an alternative to the full-featured Firefox extension, but we don't
sideload anything — you still need to come to our site and install your
browser extension of choice. So if Zotero were whitelisted it would just
be users continuing to trust us as they always have (assuming Firefox
enforces the sideload privilege).

>
> It's worth noting that a huge proportion of the unlisted add-ons being
> distributed do need to be sideloaded (i.e. bundled with AV software,
> Skype, etc). So that's a consideration in any proposal. Whitelisting
> sideloaded add-ons is a big problem.

My concern is not having to discontinue Zotero on December 15th, so I'm
not going to address the whitelisting of sideloaded extensions. If
someone else with a sideloaded extension wants to raise the issue they
can, but I haven't been advocating for that, and I don't think it should
hold up the much more straightforward whitelisting of front-loaded
extensions.

[Jorge Villalobos]

On 11/16/15 4:43 PM, Dan Stillman wrote:
> Just wanted to pull out a specific question from the whitelisting
> discussion.
>
> Mike Connor wrote:
>> it's not really about Zotero users trusting Zotero developers, it's
>> about Firefox users trusting Zotero developers to the same extent as
>> they trust Mozilla, since a malicious add-on claiming to be Zotero
>> could be sideloaded on any user's machine and defeat any protection
>> tied to signing
>
> Is there a mechanism for Firefox to know whether an unlisted extension
> has been signed as allowing sideloading? Given that sideloading is a
> separate option in the AMO UI, my understanding was that there was,
> which would seem to address the above concern.

Yes, add-ons that require sideloading have a signature that is
distinguishable from the ones that don't, and Firefox enforces that.