[conspire] Mandatory code-signing is for your protection

Rick Moen rick at linuxmafia.com
Thu Dec 17 13:17:29 PST 2020


About a week ago, I wrote:

> I personally felt the critics underreacted to the _earlier_ change.
> Starting with Firefox 48 on 2016-08-02, Firefox refuses to run any
> extension not cryptographically signed by Mozilla, Inc.  (There has been
> a temporary workaround by running the ESR or developer or nightly or
> unbranded builds and doing fiddly things in about:config to un-break
> ability to run your own choice of extensions, but the writing was on the
> wall.)
> 
> IMO, if you cannot run code without someone else's permission, then it's
> not open source.

But mandatory corporate signing of publicly available code is for
everyone's protection, you see.  We were supposed to forgive the minor 
inconvenience of newer Firefox versions no longer running extensions
unless they'd been cryptographically signed by Mozilla Corporation at
the addons.mozilla.org Web site -- because, that way, Mozilla
Corporation could exclude malicious and criminally directed code from
the extensions market.  Surely, the theoretical loss of user autonomy is
worth it, for the freedom from malware, etc., that it brings.

And the similar walled gardens of corporate signing by competing
browser publishers such as Google and Microsoft, why, that's the same
thing.


Oh, what's that fluttering of wings I hear?  I believe it's the Irony
Fairy.


https://arstechnica.com/information-technology/2020/12/up-to-3-million-devices-infected-by-malware-laced-chrome-and-edge-add-ons/

  SURPRISE —
  Up to 3 million devices infected by malware-laced Chrome and Edge
  add-ons
  Security firm identifies 28 malicious extensions hosted by Google and
  Microsoft.
  DAN GOODIN - 12/16/2020


  As many as 3 million people have been infected by Chrome and Edge
  browser extensions that steal personal data and redirect users to ad or
  phishing sites, a security firm said on Wednesday.

  In all, researchers from Prague-based Avast said they found 28
  extensions for the Google Chrome and Microsoft Edge browsers that
  contained malware. The add-ons billed themselves as a way to download
  pictures, videos, or other content from sites including Facebook,
  Instagram, Vimeo, and Spotify. At the time this post went live, some,
  but not all, of the malicious extensions remained available for download
  from Google and Microsoft.

  Avast researchers found malicious code in the JavaScript-based
  extensions that allows them to download malware onto an infected
  computer. [...]


Oh, say it's not so, Uncle Google and Auntie Microsoft.  I thought you'd
promised to protect us with your holy signing keys!


  Over the past few years, third-party add-ons have become a widely used
  means for infecting people with malware and adware. Last year, a
  researcher uncovered Chrome and Firefox extensions that collected and
  published the browsing histories
  (https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/) 
  of an estimated 4 million people.

  The data divulged proprietary information from some of the biggest
  names in tech, including Tesla, Trend Micro, Symantec, and Blue Origin.
  Individuals’ tax returns, doctor appointment schedules, and other
  personal information was also exposed.

  In at least one case of extension tampering, malicious code was inserted
  into extensions after attackers gained access to the accounts of
  legitimate developers.
  (https://arstechnica.com/information-technology/2017/08/after-phishing-attacks-chrome-extensions-push-adware-to-millions/)
  In other cases, the extensions were published by developers who
  managed to bypass vetting processes browser makers used in an attempt to
  block abusive or malicious add-ons.

It's not completely clear what author Goodin means by the phrase 'bypass
vetting processes browser makers used', but I can think of possible
meanings, including developers of extensions with established user bases
getting bought out, and then the new owner putting out newer versions 
primarily as malware delivery vehicles -- as the privacy engineering guy
at DuckDuckGo notes:
https://mobile.twitter.com/kdzwinel/status/885540551025676288

That is what happened with a low-end ad-blocker named Nano Adblocker /
Nano Defender:
https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/

A certain Hugo Xu, originator of this modestly successful
cottage-industry extension for Chrome, decided a couple of months ago
that he no longer had time to maintain the codebase, and sold the
rights to somebody-nobody-in-particular, who thereupon used it as a
malware delivery vehicle with a built-in, trusting audience.

I am reminded of the problem with trademarks/brands:  We get accustomed
to using the brand identity as a proxy for getting to know and trust the
artisans behind the product, but unfortunately because we _don't_ know
those people, we are at risk when the brand gets sold to some bunch of
lowlifes.  E.g.:

Polaroid
Remington
Bell and Howell
RCA
Zenith
Magnavox
The Sharper Image
Pan Am
Volvo
Hoover
Motorola
Stanley

Anyway, if you actually believe that code-signed walled gardens make you
safe, then, oh, gosh no.