On 4/11/17 11:59 AM, anonym wrote:
Hi,
In Tails we've been wondering what to do about Firefox's mandatory extension signing [1] in FF52ESR since the opt-out preference that we have been using for FF45ESR will be removed from released versions.
I think that xpinstall.signatures.required still works in Firefox 52 ESR although I have not been able to find where it is documented. Maybe someone else who is on this list knows.
I'd also like to ask if you have analysed the security implications of introducing this exception list since I couldn't find any such discussion on the relevant ticket [3]. So, have you? Personally I reacted to the fact that it is a simple match vs the extension's id, e.g. something we should consider attacker-controlled. I haven't looked at the code closely, but I'd expect attackers can deliver their malicious code in extensions that only need to have that same id as some extension with an exception to completely bypass the code signing check. Think, for instance, about an "upgraded" Torbutton.
Georg can answer better than me, but the main reason we enable the signing check is to protect users when they try to install extensions that we do not bundle with Tor Browser. It should be difficult for an attacker to replace the extensions for which we include exceptions with their own code: updates are disabled for Tor Launcher and Torbutton, and HTTPS-E updates are protected by the updateKey mechanism (https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey).
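
An added example, not part of the original message and not Tor Browser code: when an exception is matched on extension ID alone, the update path of each excepted extension is what is left to audit. This sketch reads a legacy install.rdf and classifies that path; the extension IDs, URLs, key, the `updates_disabled` flag and the helper names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def manifest_props(install_rdf):
    """Return the em:* properties of the install-manifest Description."""
    for desc in ET.fromstring(install_rdf).iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" not in (desc.get("about"), desc.get(RDF + "about")):
            continue
        # Properties may be written as attributes or as child elements.
        props = {k[len(EM):]: v for k, v in desc.attrib.items() if k.startswith(EM)}
        for child in desc:
            if child.tag.startswith(EM) and (child.text or "").strip():
                props[child.tag[len(EM):]] = child.text.strip()
        return props
    raise ValueError("no install-manifest Description found")

def update_path(props, updates_disabled=False):
    """Classify how an update for this extension would be authenticated."""
    if updates_disabled:          # assumption: supplied by the auditor per extension
        return "updates-disabled"
    url = props.get("updateURL", "")
    if not url:
        return "no-updateURL"     # the browser's default update source applies
    if url.lower().startswith("https://"):
        return "https"
    return "updateKey" if props.get("updateKey") else "unprotected"

def audit(exceptions, manifests, disabled=()):
    """Map each excepted ID to its update path, or 'missing' if no manifest has it."""
    parsed = {p.get("id"): p for p in map(manifest_props, manifests)}
    return {i: update_path(parsed[i], i in disabled) if i in parsed else "missing"
            for i in exceptions}

# Constructed sample data: IDs, URLs and key are placeholders, not real values.
def _rdf(ext_id, extra=""):
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            f'<em:id>{ext_id}</em:id>{extra}</Description></RDF>')

SAMPLES = [
    _rdf("launcher@example.invalid"),
    _rdf("rules@example.invalid", "<em:updateURL>http://u.example.invalid/r.rdf</em:updateURL>"
                                  "<em:updateKey>PLACEHOLDER_KEY</em:updateKey>"),
    _rdf("other@example.invalid", "<em:updateURL>http://u.example.invalid/o.rdf</em:updateURL>"),
]
```

An excepted ID reported as `unprotected` or `missing` is the case to look at first, since nothing then authenticates what gets installed under that ID.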