[tbb-dev] TBB vs mandatory extension signing

Mark Smith mcs at pearlcrescent.com
Tue Apr 11 19:42:58 UTC 2017


On 4/11/17 11:59 AM, anonym wrote:
> Hi,
> 
> In Tails we've been wondering what to do about Firefox's mandatory
> extension signing [1] in FF52ESR since the opt-out preference that we
> have been using for FF45ESR will be removed from released versions.

I think that xpinstall.signatures.required still works in Firefox 52 ESR
although I have not been able to find where it is documented. Maybe
someone else who is on this list knows.

> I'd also like to ask if you have analysed the security implications
> of introducing this exception list since I couldn't find any such
> discussion on the relevant ticket [3]. So, have you? Personally I
> reacted on that it is a simple match vs the extension's id, e.g.
> something we should consider attacker-controlled. I haven't looked at
> the code closely, but I'd expect attackers can deliver their malicious
> code in extensions that only need to have that same id as some extension
> with an exception to completely bypass the code signing check. Think,
> for instance, about an "upgraded" Torbutton.

Georg can answer better than me, but the main reason we enable the
signing check is to protect users when they try to install extensions
that we do not bundle with Tor Browser. It should be difficult for an
attacker to replace the extensions for which we include exceptions with
their own code: updates are disabled for Tor Launcher and Torbutton, and
HTTPS-E updates are protected by the updateKey mechanism
(https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey).

-- 
Mark Smith
Pearl Crescent
http://pearlcrescent.com/
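
The concern quoted above (an exception list matched only on the extension's id) can be shown next to one possible hardening, pinning the digest of the shipped package. This is an added example, not part of the original message and not Tor Browser or Firefox code; the ids, function names and package bytes are constructed, and signature verification is reduced to a boolean flag.

```javascript
// Added illustration; not Tor Browser or Firefox code. All names are hypothetical.
const { createHash } = require('crypto');

const sha256 = (bytes) => createHash('sha256').update(bytes).digest('hex');

// Constructed stand-in for the bytes of an extension bundled with the browser.
const BUNDLED_PACKAGE = Buffer.from('constructed bundled extension bytes');

// Exception list keyed by add-on id, with the digest of the shipped package pinned.
const EXEMPTIONS = new Map([
  ['bundled-ext@example.invalid', sha256(BUNDLED_PACKAGE)],
]);

// ID-only check: the id is read from the package's own manifest, so whoever
// builds the package chooses it.
function exemptById(addon) {
  return EXEMPTIONS.has(addon.id);
}

// Pinned check: the id only selects which digest to compare against; the
// decision rests on the package bytes themselves.
function exemptByIdAndDigest(addon) {
  const pinned = EXEMPTIONS.get(addon.id);
  return pinned !== undefined && sha256(addon.packageBytes) === pinned;
}

// An unsigned add-on is installable only if the chosen exemption check allows it.
function mayInstall(addon, isExempt) {
  return addon.signed || isExempt(addon);
}

// Constructed inputs: the bundled package, a different package reusing its id,
// and an unrelated unsigned add-on.
const genuine = { id: 'bundled-ext@example.invalid', signed: false,
                  packageBytes: BUNDLED_PACKAGE };
const lookalike = { id: 'bundled-ext@example.invalid', signed: false,
                    packageBytes: Buffer.from('constructed different bytes') };
const other = { id: 'third-party@example.invalid', signed: false,
                packageBytes: Buffer.from('constructed unrelated bytes') };

for (const [name, addon] of Object.entries({ genuine, lookalike, other })) {
  console.log(name, 'id-only:', mayInstall(addon, exemptById),
              'pinned:', mayInstall(addon, exemptByIdAndDigest));
}
```

The two checks differ only for the package that reuses an exempted id with different contents.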
