Michael Lefevre | 1 Oct 04:25 2004

Re: do extensions compromise the security of mozilla/firefox?

On 2004-10-01, Mike Henley <mnhenley <at> msn.com> wrote:
> Hi. I'm using mozilla and mozilla firefox. I often install extensions
> though only through the usual websites (mozilla.org, mozdev,
> texturizer).
>
> Today though I tried to install an extension from
> http://jgillick.nettripper.com/ and as such found myself wondering if
> extensions compromise the security of mozilla or firefox.
>
> I use firefox to access sites such as paypal and my bank. As such I
> would like to ask the following questions...
>
> 1 - can someone make an extension that would allow it (while
> performing its advertised function) to send my username/password
> either from those stored in mozilla/firefox or as i enter them?

Yes. You should think of extensions the same way as other executables.
Extensions can actually contain and launch binary executables, or they can
use script to manipulate your system any way they want via the browser.
There have been previous examples both of malicious extensions (installing
adware and hijacking the user's home page by changing network settings),
and also of popular extensions (with no malicious intent) having serious
security flaws.

> 2 - can such an application make it to the trusted sites? (mozilla,
> mozdev, texturizer)? or is there a review process before such
> extension is allowed to be distributed?

As far as I know (I don't have first hand knowledge), the review process
at all of those sites is informal, but it does exist - the maintainers

Mike Henley | 1 Oct 02:46 2004

do extensions compromise the security of mozilla/firefox?

Hi. I'm using mozilla and mozilla firefox. I often install extensions
though only through the usual websites (mozilla.org, mozdev,
texturizer).

Today though I tried to install an extension from
http://jgillick.nettripper.com/ and as such found myself wondering if
extensions compromise the security of mozilla or firefox.

I use firefox to access sites such as paypal and my bank. As such I
would like to ask the following questions...

1 - can someone make an extension that would allow it (while
performing its advertised function) to send my username/password
either from those stored in mozilla/firefox or as i enter them?
2 - can such an application make it to the trusted sites? (mozilla,
mozdev, texturizer)? or is there a review process before such
extension is allowed to be distributed?

thanks
Jean-Marc Desperrier | 6 Oct 16:53 2004

Re: SHA1 within a firebird extension

Ian Grigg wrote:
> Jean-Marc Desperrier wrote:
>> He does not compute the SHA1/MD5, he returns the cert.sha1Fingerprint, 
>> cert.md5Fingerprint value from a nsIX509Cert object he gets back from 
>> nsISSLStatus status.
> 
> Darn.  One supposes that this is authoritative,
> in that NSS will also

If you don't trust NSS to be able to compute a SHA1 correctly, you 
shouldn't use it to do SSL ... Mostly the point is that low level crypto 
is not available to js (most of the components involved are not 
scriptable), except through the installation of a specific extension 
(like Secclab, which I believe is not compatible with recent Mozilla)

> [...] the next wave of browser
> malware may be in Firefox extensions that act
> in ways nefarious and evil.
> Hence, I pondered, the interest in code signing
> as an application for the PKI (in addition to
> email and browsing).  [...].

There is a bug, closed as rejected, about requiring XPIs to be signed in 
the browser.
https://bugzilla.mozilla.org/show_bug.cgi?id=238960
(of course, Mozilla bugs are not the right place to advocate for another 
decision)

> Or, (still musing here) if the Mozilla Foundation
> were to be the root signer.  Or something similar

Daniel Veditz | 6 Oct 22:14 2004

Re: SHA1 within a firebird extension

Jean-Marc Desperrier wrote:

> I'm convinced this would work better than the current site white list 
> mechanism.
> My opinion is that the white-list forces a bad compromise between:
> - allowing a small number of sites, which will result in major bandwidth 
> problems for those sites, and difficulties if the number of extension 
> creators gets large to make their extensions available from those few sites.
> - augmenting the number of sites, and taking a large risk that one of 
> them gets somehow subverted to download a bad extension.

The whitelist is not a security measure, it's an anti-abuse measure like the
popup blocker. The eventual intention is to let people continue on with the
install from the non-modal infobar without having to whitelist the site.
When this is done the whitelist will only be useful as a convenience for
developer types at sites they use often, or for corporate installations that
want to whitelist internal sites.
Nelson Bolyard | 6 Oct 23:24 2004

Re: SHA1 within a firebird extension

Jean-Marc Desperrier wrote:
> Ian Grigg wrote:
> 
>> Jean-Marc Desperrier wrote:
>>
>>> He does not compute the SHA1/MD5, he returns the 
>>> cert.sha1Fingerprint, cert.md5Fingerprint value from a nsIX509Cert 
>>> object he gets back from nsISSLStatus status.
>>
>> Darn.  One supposes that this is authoritative,
>> in that NSS will also
> 
> If you don't trust NSS to be able to compute a SHA1 correctly, you 
> shouldn't use it to do SSL ... 

I suspect there's been a misunderstanding here.  I took Ian's "One supposes"
remark as an unfinished sentence, and so did not attempt to interpret it.

Jean-Marc seems to have interpreted it to mean that Ian was suggesting that
NSS will take a fingerprint value found in nsIX509Cert as a correct
fingerprint (hash) whether or not it is that.

But IINM, the values returned through nsIX509Cert are computed by NSS from
the actual DER cert itself.  nsIX509Cert depends on NSS, not the other way
around.  IMO, NSS is right to trust its own computations as correct.

Perhaps Ian misunderstood the dependency, or perhaps he meant something else.
Ian, maybe you should clarify your "One supposes" remark for us.

I'm not sure what to make of the word "authoritative".  Anyone can compute
a SHA1 hash of anything.

Ian Grigg | 7 Oct 00:12 2004

Re: SHA1 within a firebird extension

Nelson Bolyard wrote:
> I suspect there's been a misunderstanding here.  I took Ian's "One 
> supposes"
> remark as an unfinished sentence, and so did not attempt to interpret it.

I was thinking out aloud, and expecting to get
shot down in flames.  You were right to ignore
it :)

> Jean-Marc seems to have interpreted it to mean that Ian was suggesting that
> NSS will take a fingerprint value found in nsIX509Cert as a correct
> fingerprint (hash) whether or not it is that.

That's actually what I was thinking, that the
fingerprint was in there, and just being
extracted...  but then I realised that this
was silly.

> But IINM, the values returned through nsIX509Cert are computed by NSS from
> the actual DER cert itself.  nsIX509Cert depends on NSS, not the other way
> around.  IMO, NSS is right to trust its own computations as correct.

Yes, that makes sense.

> I'm not sure what to make of the word "authoritative".  Anyone can compute
> a SHA1 hash of anything.

Right, as long as it is computable, that would
be the preferred way.  Which is what I assumed
SSLBar to do.

Dan | 16 Oct 19:37 2004

Weatherunderground site hijacked in FF 0.8

I'm using Mozilla Firefox 0.8 as my default browser on a win2k machine.
Today I attempted to go to www/weatherunderground.com, a popular site I
visit fairly regularly.  The weatherunderground page loaded momentarily,
then I was redirected to
http://images.specificclick.net/contents/546/layout6_720x300.html, which
in FF appeared as a blank page.  I attempted to load weatherunderground
in IE, where it loads as usual.  Out of curiosity, I went to the URL of
the hijack page in IE, where it does indeed load & plays an anti-John
Edwards propaganda video.  No other pages have so far been redirected in
this way & my homepage remains Google.  Regardless of one's political
leanings, rather than being swayed I can't imagine anyone being anything
but disgusted by such a sleazy tactic.  Anyway, regarding the security
aspects of this, I have run up to date Spysweeper (which runs all the
time, as does Ad-Watch) and it has found nothing.  Neither have
CWShredder, AdAware or Spybot SD.  Startup & running processes look
normal.  A text search of both the registry & the HDD for a portion of
the hijack URL "specificclick" also yielded no result.  Where/how is this
hijacking likely to be taking place on my machine, and how can it be
removed?

TIA

Dan
Reg Mouatt | 17 Oct 00:41 2004

Re: Weatherunderground site hijacked in FF 0.8

On Sat, 16 Oct 2004 13:37:09 -0400, Dan <prograde49 <at> hotmail.com>
wrote:

>I'm using Mozilla Firefox 0.8 as my default browser on a win2k machine.
>Today I attempted to go to www/weatherunderground.com, a popular site I
>visit fairly regularly.  The weatherunderground page loaded momentarily,
>then I was redirected to
>http://images.specificclick.net/contents/546/layout6_720x300.html, which
>in FF appeared as a blank page.  I attempted to load weatherunderground
>in IE, where it loads as usual.  Out of curiosity, I went to the URL of
>the hijack page in IE, where it does indeed load & plays an anti-John
>Edwards propaganda video.  No other pages have so far been redirected in
>this way & my homepage remains Google.  Regardless of one's political
>leanings, rather than being swayed I can't imagine anyone being anything
>but disgusted by such a sleazy tactic.  Anyway, regarding the security
>aspects of this, I have run up to date Spysweeper (which runs all the
>time, as does Ad-Watch) and it has found nothing.  Neither have
>CWShredder, AdAware or Spybot SD.  Startup & running processes look
>normal.  A text search of both the registry & the HDD for a portion of
>the hijack URL "specificclick" also yielded no result.  Where/how is this
>hijacking likely to be taking place on my machine, and how can it be
>removed?
>
>TIA
>
>Dan

Hi Dan,

You might like to have a look with HijackThis; available from
http://aumha.org/free.htm
Search down the left column for it and go from there.

Post the result in
http://hijackthis.de/index.php?langselect=english

or if that is not successful, try this
http://forum.aumha.org/viewforum.php?f=30&sid=879388364285a5047dd18cb97709ef64

Good luck,
Reg
Dan | 17 Oct 00:55 2004

Re: Weatherunderground site hijacked in FF 0.8

Thanks for the replies.  Oddly enough, the phenomenon has disappeared as 
quickly as it came.  At the risk of seeming paranoid, this makes me 
think it wasn't something on my particular pc, but rather like someone 
having hacked the weatherunderground site to redirect people.  Hate to 
sound like a "conspiracy theorist", but it's hard for me to imagine how 
the redirection could simply cease if it originated on my end, since I 
had basically done nothing after running the scans which came up empty 
(and after which the situation persisted), not even a reboot.  Strange.

Dan
