Apple, Microsoft, Google Attacked For Evil Plugins

nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"

Yes

[metrix007]

Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.

Re:Yes

[QuoteMstr]

Encrypt the list of enabled plugins with a user password

"Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.

At all times, the browser would store the list of enabled plugins and sign it with the encrypted private key. Nobody can generate a valid signature for a list of enabled plugins without the password, and the browser will not use a plugin list unless it comes with a valid signature.

All this is fine as far as it goes, but it'll only work until our malicious plugin installer patches the browser binary and makes it skip the key check; the malware could also replace both the public and the private key with replacements of its choosing. Either way, the user may or may not eventually notice that something is wrong, but if he does, it probably won't be a while, and he probably won't be able to track the malfunction back to the evil installer.

Malware vendors can also wait for the user to type his password when installing a different plugin, then use that password to generate a valid signature for a plugin list that includes anything desired.

The moral is that applications still need to be sandboxed. They're not protected from each other. Without OS-level protection, applications can do horrible things (often without needing elevated privileges at all). Half-measures aren't the answer.

Re:Yes

[QuoteMstr]

My interpretation was in the spirit of intellectual charity, not arrogance; i.e., I gave you the benefit of the doubt, employing the only interpretation that makes any sense.

Encryption without authentication is worthless. Either you're using symmetric encryption and you make the user enter the password every time the browser wants to read the plugin list (or worse, store the key on disk), or you're using asymmetric encryption and creating a message that can be decrypted by a given public key is simple.

Encryption *and* authentication is pointless in this case because the browser needs to be able to decrypt plugin information at all times using only information in persistent storage. Encryption does not provide any security properties in this context.

So we're left with authentication itself being the task at hand, which I assumed is what you meant. But instead of having an adult conversation about the issue, you have a temper tantrum. I'm through.

Solution: Warning box

[GodWasAnAlien]

Warning: A third party plugin, PluginNameHere, has been installed without user consent:

DELETE KEEP

people don't seem to mind

One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.

Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.

The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".

PS - my CAPTCHA for this message was "disallow".

Re:people don't seem to mind

[spacefiddle]

I would alter "do not mind" to "have no clue and don't understand the potential implications of." The end result will be a highly controlled everything, because people are neither taught nor encouraged to think about things that don't relate to their immediate button-pushing responsibilities, coupled with a fair amount of casual despair about having any control over their own lives.

Most enduser types I've talked to about such things tend to give me lines like "Ah, none of this stuff affects me," "Whaddyagonna do, they'll do what they want anyway" and "Pfff, they wouldn't do anything really bad."

Re:So because Mozilla's security model is flawed

[Lundse]

Yes. It is the other's fault.

The human body is very easy to puncture with a knife, this does not make slashing open your neighbour OK.
Cars can drive beyond the speed limit, houses can be broken into, people can be swindled, telephones called by telemarketers, etc. etc.

None of this makes it OK to do any of these things, and just because Firefox is built around a certain design principle (that it should be easy to modify) does not make it OK for others to modify it against the user's wishes.