
Fwd: New extension signing scheme and US government interference/censorship


bernard

Jun 2, 2015, 4:32:04 PM
to dev-p...@lists.mozilla.org
I haven’t read this full e-mail as it’s a bit dense, but is there any place I can find out about "this latest announcement from Mozilla"?

Thanks in advance,
Bernard


> Begin forwarded message:
>
> From: katrina...@gmail.com
> Subject: New extension signing scheme and US government interference/censorship
> Date: 2 June 2015 12:27:28 BST
> To: mozilla-addons-...@lists.mozilla.org
>
> With this latest announcement from Mozilla it destroys the security and authenticity of end-to-end encrypted HTML5 applications. For example HTML5 apps like CryptoCat, ProtonMail, MEGA, Tutanota and so on are all doomed because of this shortsighted decision.
>
> Let's take a look at the options for making a truly secure HTML5 crypto application.
>
> 1) HTTPS. Actually no, you can't serve your secure end-to-end crypto application via TLS because an attacker can just modify the JavaScript code and tweak it to backdoor the encryption. TLS is vulnerable to the NSA/GCHQ as has been proven in recent leaks. There are new protocol and crypto flaws appearing in TLS all the time. NSA is on the IETF standards committee, making sure things stay insecure and improve only at a snail's pace. The common libraries for TLS are poorly written with major crypto flaws e.g. OpenSSL. The whole design of TLS and Certificate Authorities is awful making connections completely vulnerable to active MITM attacks by governments or spy agencies that have access to a root certificate already trusted in the browser. They can sign for whatever site they feel like, modify the code in transit as it crosses their networks and nobody is any wiser. Don't even get me started on government controlled protocols like DANE which utterly fail to prevent mass surveillance as well. Even if you were special and got your app's public key pinned in all the major browsers your security is only as strong as this broken protocol. A security product is only as strong as its weakest link.
>
> 2) Chrome extension. This is no longer possible due to the closed Chrome web store. All developers' unsigned addons are uploaded as-is to the app store via the "trustworthy" HTTPS protocol above. Then Google serves it to addon users signed by Google in their closed source browser. Who in their right mind trusts Google to serve them a trustworthy version of the application? Google is a PRISM surveillance partner with the NSA. Also you have to be crazy to be running a closed source browser in today's world and trying to have any meaningful security.
>
> 3) Firefox extension. Actually no longer secure either now after this announcement takes effect. Mozilla signing an extension has little to no value at all for an end-to-end encrypted app. Users need to know that the application they are downloading is actually the application that was made by the developer. The developer themselves need to sign it to prove it came from them! Unfortunately we cannot trust Mozilla not to tamper with the code of secure crypto addons. Mozilla is a US based organisation/corporation and in the US there are National Security Letters, Patriot Act Demand Letters and secret FISA court orders. All of which can be used to force Mozilla to hand over their private signing keys to the NSA who can then secretly backdoor any application as it's being downloaded from the Firefox app store. They can then target individuals such as politicians, journalists, activists etc or use it to infect millions of users with surveillance malware. Think this is too unbelievable? NSA already does it with the Google Play store. firstlook.org/theintercept/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/. Think you're immune to this? Think again.
>
> I wonder if Mozilla have already received a National Security Letter demanding that they implement this harebrained signing scheme so that the NSA can infect anyone running a crypto Firefox extension and backdoor the crypto. Brendan Eich warned and pleaded with the community to watch the Firefox source code carefully in case backdoors got added. Even then it appeared they may have received a secret court order. Mozilla is either compromised by the US government or Mozilla have gone completely off the rails and lost the plot completely. From reading the comments on the initial announcement page, 99% of Firefox users are completely opposed to the idea. You're not acting in the best interests of the community. Is Mozilla just going to go ahead anyway and force their stupidity upon everyone? Let this be a warning to Mozilla: the open source community _can_ fork your software without these restrictions then take all of your users. You are signing your own death warrant if you continue down this draconian path.
>
> Here are some sensible solutions instead:
>
> 1) Let developers cryptographically sign their own addons. Users can voluntarily install apps that are not available in the app store by downloading them from the developer's site or manually loading them into the browser (drag and drop the extension file). No special pre-release or development builds should be required for this, just the regular version that everyone else uses. Maintain a blocklist of malware extensions within the browser if you need to. Doing this is at the user's own risk so throw a big warning about loading external extensions so the user is well aware of what they're doing.
>
> 2) For inclusion in the app store it should be cryptographically signed by the developer _also_ reviewed by Mozilla _and_ signed by Mozilla as well. Users can pin the public key of the developer by obtaining the public key via a trusted method (e.g. Web of Trust, Namecoin) then loading it into the browser via a dialog or section in the UI for this. When downloading a new extension the browser would check the developer's and Mozilla's signatures of the app at install time and before downloading an automatic update.
>
> 3) Without options 1) and 2) above, the only remaining option for developing a secure HTML5 end-to-end crypto app will be to avoid broken HTTPS and app stores entirely. For example, make a full page HTML5 app that loads from an index.html file on the local filesystem. Package the app files in a zip file. Sign the zip file with GnuPG. Serve the zip file from a website along with the GnuPG signature file. Put the GnuPG public key and fingerprint in the Namecoin blockchain (or share it with users directly via Web of Trust). Users can verify the public signing key from the blockchain, download the zip and signature files, verify it is authentic, finally unzip and run the index.html file. This is not as user friendly as downloading an extension and just running it however.
>
> These solutions are provably secure unlike your new authoritarian, censorship prone app store design. Go back to the drawing board please and stop pandering to the US government.
> _______________________________________________
> addons-user-experience mailing list
> addons-user...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/addons-user-experience
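The forwarded message's option 3 (package the app, sign the archive with GnuPG, publish the fingerprint out of band, verify before running) as a runnable script. This is an added example, not code from the original post or from Mozilla: it builds a throw-away keyring, a hypothetical developer identity (`dev@example.invalid`) and a one-file app bundle, and uses a tar archive as a stand-in for the zip file because a zip CLI may not be installed (the signature covers the archive bytes, so the container format does not matter). The practitioner's caveat it demonstrates is that `gpg --verify` alone reports success for a good signature from any key in the keyring, so the user-side check must also require that the signing key's fingerprint equals the one that was pinned.

```shell
#!/bin/sh
# Added example (not from the original post): sign an app bundle with a
# detached GnuPG signature and verify it against a pinned fingerprint.
# All identities, keys and files here are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"          # isolated keyring, never touches ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# --- developer side: generate a signing key and sign the bundle -------------
gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example App Developer
Name-Email: dev@example.invalid
Expire-Date: 0
%commit
EOF

# The fingerprint is the value a user would pin after obtaining it out of band
# (the post suggests Namecoin or a web of trust); here it is read from the keyring.
DEV_FPR="$(gpg --batch --with-colons --list-keys dev@example.invalid \
           | awk -F: '$1 == "fpr" { print $10; exit }')"

mkdir "$WORK/app"
printf '<!doctype html><title>demo</title><p>hello</p>\n' > "$WORK/app/index.html"
# tar stands in for zip; the detached signature covers the archive bytes.
tar -C "$WORK" -czf "$WORK/app.tar.gz" app
gpg --batch --yes --armor --detach-sign --local-user "$DEV_FPR" \
    -o "$WORK/app.tar.gz.asc" "$WORK/app.tar.gz"

# --- user side: verify signature AND signer against the pinned fingerprint --
# A plain "gpg --verify" exits 0 for a good signature from any key in the
# keyring, so the VALIDSIG status line must also name the pinned fingerprint.
verify_bundle() {
    # $1 archive, $2 detached signature, $3 pinned 40-hex-digit fingerprint.
    # Returns 0 only if the signature is good and was made by the pinned key.
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 " || return 1
    return 0
}

if verify_bundle "$WORK/app.tar.gz" "$WORK/app.tar.gz.asc" "$DEV_FPR"; then
    echo "bundle verified against pinned key $DEV_FPR"
fi
```

In a real deployment the developer's keyring and the user's keyring are separate machines; the user imports only the developer's public key, compares its fingerprint with the pinned value, and runs `verify_bundle` on the downloaded archive and `.asc` file before unpacking `index.html`. The same check applies before accepting an update.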


Michaela R. Brown

Jun 3, 2015, 9:27:41 AM
to bernard, dev-p...@lists.mozilla.org
I believe this is the post you're looking for.

https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/

Cheers!
> _______________________________________________
> dev-privacy mailing list
> dev-p...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-privacy
>

WaltS48

Jun 3, 2015, 10:13:10 AM
On 06/02/2015 04:31 PM, bernard wrote:
> I haven’t read this full e-mail as it’s a bit dense, but is there any place I can find out about "this latest announcement from Mozilla"?
>
> Thanks in advance,
> Bernard
>
>


See [Addons/Extension Signing -
MozillaWiki](https://wiki.mozilla.org/Addons/Extension_Signing) and
[AMO/SigningService -
MozillaWiki](https://wiki.mozilla.org/AMO/SigningService)

--
Kubuntu 15.04 | KDE 4.14.8 | Thunderbird 38.0b6 (Beta)
[Visit Pittsburgh](http://www.visitpittsburgh.com/)
[Dollar Bank Three Rivers Arts Festival](http://www.3riversartsfest.org/)
Go Bucs!