More about Extension Signing

Back in February we mentioned Extension Signing Coming Later in 2015. Recently the Mozilla Add-ons Blog posted a follow up The Case for Extension Signing. There is a lot of interesting information in this article, including this very shocking statistic which puts into prospective just how badly broken the current Mozilla Firefox add-on system is:

The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our addons.mozilla.org site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Many of the complaints I see at Go Firefox! are about these unwanted advertising/tracking add-ons (extensions/toolbars). The users can’t understand how these add-ons get installed. In almost every case it was something else they were installing which secretly added the add-on. Most of these software developers bury the option (usually under Custom Install) to install or not install the add-on. Then they try to protect themselves by disclosing (usually buried) in their End User License Agreement (EULA) or their Terms of Service about this optional (in that you need to choose NOT to install it) extension. Worse yet though are the updates for Anti-Virus programs, content plugins such as Flash and Java almost always are trying to sneak some type of add-on into Firefox. In the case of Adobe Flash, the option to opt-out is in plain site, but many users just keep clicking ‘next’ and not paying attention to the prompts.

This is not the first time Mozilla has tried to get a handle on the installation of unwanted add-ons. Almost three and half years ago in November 2011 with Firefox 8, Mozilla had introduced a couple add-on control features. One of these features was to ensure that an add-on installed outside of Firefox, would only be enabled if the user choose to do so. The user would get a pop-up message the next time they started Firefox following the installation of the add-on asking if they wished to authorize this add-on. It looks like that mechanism is still there, but I guessing like so many other safe-guard systems Mozilla as added over the years, it has been circumvented by these malicious developers.

Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons.

While the Extension Signing may put a developers who don’t host their add-ons on AMO, I think it is one of the better options. Some extension developers have asked about getting their own (code-signing) certificates.

The other common question is why developers can’t have their own certificates and sign their own add-ons. This would require Mozilla to function as a Certificate Authority which is currently not in our expertise. It also means we would not be able to run security scans on the add-on code. The only thing preventing a malicious add-on in that case would be the strength of our contracts requiring non-malicious code and our ability to bring legal action should those contracts be breached. This approach would favor established companies in jurisdictions where we have offices and would be extremely unfair to individual developers, especially those outside those regions. We feel the community would be better off if we put our resources into the review and scanning process that can treat everyone equally rather than setting up a certificate issuing infrastructure.

Two problems I see with this scenario right off the bat. First a code-signing certificate runs about $200 USD per year per extension. For many of these extension developers it is a side project. They saw something that could be changed with Firefox they felt would be beneficial to the users. Developers are already burdened with the costs of the space as well as the bandwidth for hosting their extension(s). Most developers don’t charge for their extensions, simply they ask for a donation. So to add another $200 per year (again per extension) would make it too costly for these developers to self-host their extensions (though I not sure of their reasoning for not hosting through AMO). Second and more importantly, Mozilla (unlike Microsoft and Google) is a non-profit organization. I could foresee Mozilla taking “legal actions” as a major burden on their finances which could result in them having to cut or even stop funding on other projects.

Greasy Scripts finds userscripts

“Remember Greasefire? It was an add-on for the Firefox browser that would alert you whenever userscripts were available for sites that you visited in the browser.
“The extension used userscripts-org as its source, a site that is no longer available. Since it has not been updated since 2012, it is not working either anymore because of this.
“Enter Greasy Scripts, a brand new add-on for Firefox that brings the functionality back to life, albeit in a slightly different form.
… “

Source: gHacks Tech News
--->“> <a href=Greasy Scripts finds userscripts on sites you visit in Firefox

‘Couldn’t load XPCOM’ Error on Startup

This seems to be a common error some people encounter with Firefox. First, XPCOM has nothing to do with Windows XP, rather it is Cross Platform Component Object Model. It is a cross-platform component model from Mozilla (more info at Wikipedia). Not sure what causes this error other than a file or files for XPCOM in the main Firefox uninstall some how get removed or corrupted. However, the fix is fairly simple and painless: re-install Firefox.

Uninstalling Firefox will NOT remove your profile folder or settings, it simply removes the Firefox browser from your computer. Once you have removed Firefox, (using another browser) go to getfirefox.com to download the latest version of Firefox. Once you complete the installation, Firefox should launch without issue and with your profile.

via ghacks.net

 

What you do when Firefox uses too much memory

"... While memory usage has improved significantly in recent years, complaints about it have not stopped. If you browse sites like Reddit for example, you still find user's complaining about the memory hog Firefox today.
"Here are tips to analyze the issue in Firefox
"The first thing you should do is run Firefox without add-ons and customizations. Each add-on or extension you install may add to the browser's memory usage. Some add-ons, like Adblock Plus for example, may use more memory than the browser itself. ..."
Source: gHacks Tech News
---> What you do when Firefox uses too much memory

CNNIC Certificates

I thought I had done a post earlier in regards to Mozilla Revoking Trust in one CNNIC Intermediate Certificate. Turns out I had not. Also had planned on posting more about this earlier this weekend as Mozilla took further actions against the CNNIC certificate authority on Thursday, April 2nd. I did mention this briefly in the Firefox 37.0.1 Released post, but wanted to take a moment and explain about this in a little more detail. About 2-weeks ago on March 23rd, from the Mozilla Security Blog:
China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.
When a Certificate Authority (CA) issues an SSL Certificate for a site there are certain verification protocols that must be followed. For 'Standard' certificates this includes verifying the information of the certificate requester against the domain registration information of said domain. This includes an automated email and phone call to the email address/phone number registered to that domain. For the higher end 'Extended Validation (EV)' certificates (green padlock and/or address bar highlight) the same verification of domain ownership still applies plus verification of the business/organization (involves documentation from the company's/organization's lawyers and/or accountants). In this case these verification protocols were not being followed by the CNNIC customer and they were issuing certificates for various sites (in which they claimed to be own/control, but did not). This could result in these certificates being used in a Man-In-The-Middle (MITM) attack. Wikipedia has a detailed article about MITM attacks. The example they use involves an un-encrypted Wi-Fi Network. While different than web servers, the principle is still the same: you have a person in the middle that is impersonating each end point (in this case with the spoofed SSL Certificates) and is intercepting (and possible changing) the communication. On April 2nd, Mozilla took further actions against the CNNIC by Distrusting New CNNIC Certificates:
After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.
The portion above I highlighted in red may not make much sense to people are not familiar with the workings of the PKI (Public Key Infrastructure) industry and its practices. The easiest way I can think of this is with the idiom "Fox Guarding the Hen house". Another example would be a bank issuing a debit card with PIN. Suppose the customer forgot their PIN and they go to the bank's website for assistance. The Bank has no documented policy on how they confirm the person contacting them is who they claim to be. The only information the website asks for is the debit card number. Once the debit card information is submitted and matched, the website displays the PIN associated with that card. No other verification takes place and it is just 'assumed' the person entering the card number is the cardholder. Worse yet, this bank stores this information in a clear-text database with no security protections which means hackers can get to this information. On top of that some employees have accessed this information and issued themselves spoofed debit cards (with the associated PINs) of several customers. Essentially the "company" is doing the same thing with SSL Certificates while the certificate authority (or in the bank example The Federal Reserve Board or FDIC) 'looks the other way'. At least CNNIC did notify Mozilla what happened, instead of sweeping it under the rug. However, as Mozilla pointed out, CNNIC should have never issued the certificate to the company in the first place. This was a serious breach of PKI protocol and will be interesting to see what (if anything) sanctions will be imposed upon this CA.

Firefox 37.0.1 Released

Mozilla released an emergency update to Firefox 37 on April 3, 2015 with Firefox 37.0.1. This update did address start-up crashes due to graphics hardware and third party software. However, there were two security fixes to address a couple recently released Mozilla Foundation Security Advisories (MFSA):
  • MFSA 2015-44 Critical: Certificate verification bypass through the HTTP/2 Alt-Svc header [Firefox 37 Desktop]
  • MFSA 2015-43 High: Loading privileged content through Reader mode [Firefox 37 Android/Firefox 38 Beta (Desktop)]
The now disabled HTTP/2 Alt-Svc header aka Opportunistic Encryption For Firefox was introduced in the Firefox 37 from earlier in the week. There has been several security issues/breaches lately with browser SSL Certificates possibly being used to orchestrate Man-in-the-Middle (MITM) attacks. Most recently this included Mozilla revoking China Internet Network Information Center (CNNIC) Intermediate certificates. The actions (or lack there of) of this certificate authority has prompted Mozilla to Distrust New CNNIC Certificates. Users may be prompted to update to the newest release (37.0.1) of Firefox or can do so manually within Firefox by going to Help > About Firefox and following the update prompts. Users may also manually download and install the newest Firefox update the getfirefox.com site. The next scheduled update for Firefox is May 12th, 2015 with Firefox 38.

Firefox 37 Released

Mozilla released an update to Firefox on March 31, 2015 with Firefox 37. There are several new features and fixes for this release and these can be viewed in the release notes. Users may be prompted to update to the newest release (36.0) of Firefox or can do so manually within Firefox by going to Help > About Firefox and following the update prompts. Users may also manually download and install the newest Firefox update the getfirefox.com site. The next scheduled update for Firefox is May 12th, 2015 with Firefox 38.

Firefox 36.0.4 Released

Mozilla released another emergency security update for Firefox 36 on March 21, 2015 with Firefox 36.0.4. This update has more Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.4 or can also force the update by going to the Firefox Help Menu and selecting About Firefox then follow the prompts. Alternatively, users my also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.

Attention Firefox Users: Google Wants You Back!

Google, is starting panic. For the first time since 2008 their market share as dropped below 75%. The reason behind this sudden decline and panic is Mozilla's decision back in November 2014 not to renew the agreement (default browser search engine) they had with Google, instead opting to sign a five-year deal with Yahoo. Not surprisingly, Yahoo's market share has increased as a result of this deal to 10.6% (up 2% since the agreement started back in November). Well, Google is not too happy about this and is trying to get Firefox user back.
While Google is still the clear market leader, it is still embarrassing for the company: Search is Google's bread and butter — the company's name has become a verb synonymous with finding information online. Google's displeasure is now becoming clear, Search Engine Land reports, with the search engine prominently asking Firefox users who do not have Google set as their default search to change when they visit the site.
I checked this earlier today with the default search engine set to Yahoo and also again with the default search engine set as Bing. Both times when I did a search directly on google.com I received this request displayed above my search results: google search via Business Insider

Firefox 36.0.3 Released

Mozilla released an emergency security update for Firefox 36 on March 20, 2015 with Firefox 36.0.3. This update has Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest. Depending on their update settings, users should be prompted shortly to update to Firefox 36.0.3 or can also force the update by going to the Firefox Help Menu and selecting About Firefox then follow the prompts. Alternatively, users my also go to getfirefox.com and download and install the latest version of Firefox there. The next scheduled release for Firefox is March 31st with Firefox 37.