Closed Bug 252779 Opened 21 years ago Closed 21 years ago

Auto-update system needs to be secured

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: roc, Assigned: chofmann)

Details

(Keywords: fixed-aviary1.0)

Currently HTTP is used to talk to update.mozilla.org. This permits a variety of attacks by someone who can inject packets into the network between a client and update.mozilla.org. Here's the most basic: -- Firefox does its periodic update check -- Dr Evil hijacks the TCP connection and says "yes, you need to update, critical fix!" -- User asks Firefox to get the update -- Dr Evil hijacks the TCP connection and says "here's your (evil) code, enjoy!" This has to be prevented. IMHO it's a stop ship bug. If we ship like this, we will at the least be crucified in the security press. We'll probably see actual exploits too, since TCP connection hijacking is trivial for someone with the right network access. (Think wireless, campus networks, ISP operators.) The first line of defense is to secure all Extension Manager traffic with SSL. The public key for update.mozilla.org should be shipped with Firefox as *the* key for that server. As a second line of defense, I'd recommend having a separate key for signing Firefox XPIs, keep that private key on a very secure machine, preferably one with no Internet connection, and make Firefox require extension XPIs to be signed with that key. That way, if update.mozilla.org is compromised, an attacker won't be able to forcefeed millions of users new malicious code. Maybe they could force users to downgrade to extensions with known vulnerabilities, but with some work we could close that off too. If we do this then update.mozilla.org probably doesn't have to use SSL to serve the XPIs. We also need to think about whether the MF infrastructure can handle a nightmare scenario like, say, in a 24-hour period twenty million users downloading a critical security patch which requires a new Gecko. If the XPIs are signed then that would probably help a lot by reducing the traffic that must go through SSL.
also tracking this as an ifrastructure bug in http://bugzilla.mozilla.org/show_bug.cgi?id=252676 a single dedicated beefy server for u.m.o is being ordered and should be up and running in a week or two. unlikely that it will support 20m users in a 24 hr period but it should get us started
Assignee: bugs → leaf
Flags: blocking-aviary1.0+
Need help on converting the server side to HTTPS -- Ben can change the client URLs easily. Need help getting a cert and securing it. Need signing infrastructure that we run on behalf of extension authors, for the extensions we host. Extension authors mostly will not sign, and should not be trusted to get it right. We'll want hashes or whatever to make sure the bits we host match the bits the extension authors purvey. I think we should get switched to HTTPS ASAP, to shake out bugs and allow more work to go on for this bug and followup bugs during the next two months. To whom should this bug be assigned? Maybe this should be a metabug blocked by several other bugs? Reassigning to chofmann to figure that out. /be
Assignee: leaf → chofmann
Firefox now uses HTTPS for update checks.
Group: security
marking fixed
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Keywords: fixed-aviary1.0
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.