[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Mozilla extensions: a security nightmare

Am 06.08.2015 um 19:03 schrieb Christoph Gruber:
Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:

that's all fine but

* nothing new, independent of lightning


* how do you imagine a restricted user install a extension otherwise

Real sandboxing, if not possible, give the users the possibility to activate admin-installed extension, and not the possibility to install every shit which comes with a "I am free" or "I am sexy" tag.

the admin-installed extensions would be installed for every user
you can restrict yourself doing so by just only use packed extensions

yum search mozilla | grep -i extension
firefox-esteidpkcs11loader.noarch : Estonian ID card extension for Mozilla
mozilla-adblockplus.noarch : Adblocking extension for Mozilla Firefox,
mozilla-esteid.noarch : Estonian ID card Mozilla extension
mozilla-https-everywhere.noarch : HTTPS/HSTS enforcement extension for Mozilla mozilla-noscript.noarch : JavaScript white list extension for Mozilla Firefox mozvoikko.noarch : Finnish Voikko spell-checker extension for Mozilla programs mozilla-requestpolicy.noarch : Firefox and Seamonkey extension that gives you
spice-xpi.x86_64 : SPICE extension for Mozilla
thunderbird-enigmail.x86_64 : Authentication and encryption extension for

* and no - he must not do that is not a acceptable solution

Yes it is.

security and usability are always a tradeoff

Not always, and if, sometimes security has to win.

frankly, a lot of people hate my security-first attitude but in case of browser extensions i just don't want run to every machine for every extension update and hand out the admin-password is a no-go

hence the topic *is* nonsense

No, it is not

well, depending on the extension (noscript) as example there are very often updates - you are in danger to train users to always and everywhere anter their root-password or skip updates which may be security relevant

Mozilla is solving most of the issues by just only install signed extensions - let's wait how many people switch to the developer version without that restriction because 1 or 2 of their favorite extensions are only available directly from the developer

Attachment: signature.asc
Description: OpenPGP digital signature