How do you sign an extension?

crafteh
Posts: 469
Joined: August 2nd, 2003, 12:15 pm

Post by crafteh »

It appeared signed for me...
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

asqueella wrote: This (from Maxx link) appears as unsigned in Firefox's installation window.


1. Typing the above URL in the Firefox address bar directly and hitting Enter - the install dialog opens up although the site is not white-listed (is this a feature or a bug?)

2. It says "PhotoSource International" in my FF 1.0 and not "unsigned"

3. Modified some files inside the package leaving the cert. intact. It still says the package is signed by "PhotoSource International". So what does this signature mean? That somewhere in the past this package has been signed, but since then it may or may not have been modified :)

Like I mentioned earlier - almost all the signature verification tests FAIL!

Could it be that this whole discussion should be moved to Bugzilla and be flagged "Security"?
Lack of certificate support is one thing, but their apparent presence but wrongness is another - the user -believes- that the package is signed when in fact, this doesn't really mean anything...
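The check that #3 above describes as missing, written out as an added example (not code from this thread, from Firefox or from Mozilla's signing tools): it is modelled on the JAR-style manifest of per-file digests that XPI signing records under META-INF/, simplified to SHA-256 digests, with the manifest assumed to be already signature-checked and the signer name a constructed placeholder. A verifier should only ever report "signed by ..." after every packaged file has been matched against that manifest, so a package altered after signing (the tamper case) yields no signer at all.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed example: the manifest is assumed signature-checked; this is the digest step.
MANIFEST = "META-INF/manifest.mf"
SIGNER = "Example Signer (constructed)"  # what the install dialog would display

def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def make_manifest(files):
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(files.items()):
        lines += [f"Name: {name}", f"SHA256-Digest: {_digest(data)}", ""]
    return "\n".join(lines).encode()

def build_xpi(files, manifest=None):
    """Pack {path: bytes} into an in-memory ZIP; manifest defaults to one covering them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr(MANIFEST, manifest or make_manifest(files))
    return buf.getvalue()

def parse_manifest(text):
    pairs = re.findall(r"^Name: (.+)\nSHA256-Digest: (\S+)$", text.decode(), re.M)
    return dict(pairs)

def verify_xpi(xpi_bytes):
    """Return the signer name only if the contents still match the manifest, else None."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        expected = parse_manifest(z.read(MANIFEST))
        names = [n for n in z.namelist() if not n.startswith("META-INF/")]
        if set(names) != set(expected):
            return None  # files added or removed since signing
        for name in names:
            if expected[name] != _digest(z.read(name)):
                return None  # file modified since signing: never show "signed by"
    return SIGNER

def tamper(xpi_bytes, name, new_data):
    """Replace one entry but leave META-INF untouched, as in post #3 above."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        files = {n: z.read(n) for n in z.namelist()}
    files[name] = new_data
    return build_xpi({k: v for k, v in files.items() if k != MANIFEST}, files[MANIFEST])
```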
asqueella
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post by asqueella »

#1 is a known bug
#2 here's what I see when I click on the link after I whitelisted the site.

This and your #3 = we can't sign extensions yet. I have yet to see a "signed by" message...

edit: typos
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

asqueella wrote: #1 is a known bug
#2 here's what I see when I click on the link after I whitelisted the site.

This and your #3 = we can't sign extensions yet. I have yet to see a "signed by" message...

edit: typos


Well, it appears like this here.
Maybe there's a bug in the bug ;)

About my #3 - it's much worse than "we can't sign extensions yet". The users might see "signed" for maliciously altered versions of the extensions... I would prefer it to always say "unsigned".
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

This (http://exchangecode.com/robert/em-signed.png) is what I see. I also verified that when the xpi file has been modified the install dialog looks exactly the same as the original.

*edited to add* I agree with iosart in that it is much worse. I don't put faith in signing in the first place since it only means the file hasn't been modified since creation but there are those that would.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

wig_out_on_me wrote: This (http://exchangecode.com/robert/em-signed.png) is what I see. I also verified that when the xpi file has been modified the install dialog looks exactly the same as the original.

*edited to add* I agree with iosart in that it is much worse. I don't put faith in signing in the first place since it only means the file hasn't been modified since creation but there are those that would.


Ok, installed the latest FF nightly, verified that this still happens, submitted a security bug.
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

So, I just removed all of the extension files from the xpi and added the files from another with the end result of it showing that the other extension is signed. The good news is that Firefox didn't install the extension because the signature couldn't be verified.

*edited to add* I doubt it needs a security flag since it doesn't compromise security in that it doesn't allow installation.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

wig_out_on_me wrote: So, I just removed all of the extension files from the xpi and added the files from another with the end result of it showing that the other extension is signed. The good news is that Firefox didn't install the extension because the signature couldn't be verified.

*edited to add* I doubt it needs a security flag since it doesn't compromise security in that it doesn't allow installation.


Ok, I tested this a bit further, and it seems that this is an extension manager bug with the latest nightly.
If you press "Install" it actually says "Install success". After you restart FF, the extension appears in EM, but without its full name - only the filename that was downloaded. The extension seems -not- to be installed - it just sits there. So, it now looks more like an EM bug than a security one.

False alarm? ;)
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

Probably a false alarm but no more false than how many of the less tech savvy people believe that signing means an extension is trustworthy or not malicious. As is, the install dialog gives the impression to people that an unsigned extension is bad (e.g. be careful... it says unsigned in bold red) while a signed one is good when neither are true based on signing. I realize that we know the difference but the average user doesn't.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

wig_out_on_me wrote: Probably a false alarm but no more false than how many of the less tech savvy people believe that signing means an extension is trustworthy or not malicious. As is, the install dialog gives the impression to people that an unsigned extension is bad (e.g. be careful... it says unsigned in bold red) while a signed one is good when neither are true based on signing. I realize that we know the difference but the average user doesn't.

Couldn't agree more. The certificate only means that someone signed the extension. This still can be someone with bad intentions. The false sense of security the user might have when seeing the extension is signed can also be very dangerous.

One more thing - I believe this -is- a security issue - the installation window only displays the name of the signer, you cannot see additional information about the certificate, the cert. authority etc... This probably means that I can use a test certificate with any name and it will appear identical to the user.

What do you think?
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

I've been considering scrounging up a test cert to see how it behaves but haven't had the time. I do find it rather limiting not being able to see the details of the cert and have also wondered about the possibility of certs that use similar names especially with only the name being displayed and no option to view details. Personally, I question the value of showing an extension is signed in the dialog due to this and many other reasons. For example, with how many users just install unsigned extensions today what value will signing provide... it becomes just another piece of useless information for many users in that the user will install whether it is signed or not or worse... the user believes the extension is not malicious due to it being signed.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

Well, I'm kind of ambivalent about this issue. The signing mechanism is important IMHO for those users that do understand and use it (just like the SSL secure sites). Users that do not understand it can just ignore the issue until they are more educated and understanding. I guess you can give the users the tools, and try to educate them as much as possible, but in the end - it's up to them to learn and use those tools.

All of the above is true only if the mechanisms are implemented correctly. Otherwise (like in this case) it is not only useless, but dangerous. No implementation is better than wrong implementation IMHO.
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

I agree that it is important for those that do use it but with the way it is implemented there are too many average users that take it to mean something other than what it means. I'd prefer something similar to SSL in that it wouldn't show anything unless there was a cert... I believe there would be less confusion over the value of signing if it was implemented this way.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

I think there are two aspects here: a correct implementation and a user friendly one.
"Correct" means that if a user wants to verify the certificate and all the CAs he/she can do it. Of course the signing verification and error messages should also work ;)
"User friendly" means that it is easy for the user to achieve the verification. For example, the certificate view dialog (the one that is missing right now) can be built like a wizard and lead the user through the verification process, giving instructions on what to notice and verify.

Unfortunately, FF implementation is neither correct nor user friendly.

About not showing anything with unsigned extensions, I'm not sure it's a good idea.
After all, just browsing on non-ssl sites cannot harm the user and installing an extension can...
I believe it would be a better world for all of us if all the official extensions were signed and it was easy for the users to verify it. Then the "unsigned" warning would really mean something...
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

Actually, submitting credit card information can harm a user that is browsing a non-ssl site and there is no info presented to the user when this occurs. Also, installing an extension that is signed can harm a user just as easily as a non-signed one... this is what I am getting at. People seem to think that signing is some guarantee of not being harmed. If a site is compromised and an extension is replaced with a malicious one the malicious one could just as well be signed.

*edited to add* actually, I believe the user is presented with a dialog when submitting a form over a non-ssl connection if they haven't checked the box to not show this dialog again. I just don't see the value of using signing as a security measure but I am open to it... I just don't see any scenarios that are reasonable where having extensions signed would provide more benefit than the issue with people misinterpreting what signing actually means.