Closed Bug 1440930 Opened 7 years ago Closed 7 years ago

Bypassing safe browsing checks for signed executables?

Categories

(Toolkit :: Safe Browsing, enhancement)

RESOLVED DUPLICATE of bug 1162842
Tracking Status
firefox60 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

Details

Per https://mobile.twitter.com/mavrommatis/status/967396859340718081 apparently something about our safe browsing implementation is easier to bypass than Chrome's.

Per https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#firefox:win10:fx60:

> Windows users: This online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher. Most of the common and safe software for Windows is signed and so this final check won’t always need to happen.

We may want to reconsider this policy, in light of the fact that it's apparently being exploited.
What's a "good publisher"? Is there a whitelist of known Microsoft, Adobe, etc certs? If it's just "hey, looks signed" that's completely unreliable.
Flags: needinfo?(francois)
It's a list of known publishers like the ones you list. We check the cert fingerprints against that list: https://searchfox.org/mozilla-central/rev/14d933246211b02f5be21d2e730a57cf087c6606/toolkit/components/url-classifier/chromium/safebrowsing.proto#298

This bug is likely a duplicate of one of the bugs in https://bugzilla.mozilla.org/showdependencytree.cgi?id=662819&hide_resolved=1. Most of them contribute to the lower detection rate we see on Firefox for downloads.

Dimi was working on this when he got laid off: https://docs.google.com/document/d/1ONK5frTmijeSuWagu9AR0oLidve7j07tklPCmW5os1M/edit
Flags: needinfo?(francois)
Since the tweet context was "signed malware", bug 1162842 is a reasonable guess at a duplicate, although a follow-up says "However, there's ways to trick the browser to skip the online checks, or send incomplete data." which points at the archives and hash truncation bugs. Really, though, we need to burn down the whole list.

Note: @mavrommatis works on the Google safe browsing team; he's not just guessing.
Group: toolkit-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Just to be clear and answer the question in the bug title: we don't actually bypass the protection when an executable is signed. It needs to be signed by a cert on Google's whitelist, the same whitelist used by Chrome.
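To make the distinction drawn in the previous comment concrete, below is an editor-added Python model of the decision, not Firefox or Chromium code: a download skips the online lookup only when a certificate in its signature chain has a SHA-256 fingerprint on the publisher allow-list, and merely carrying a signature does not. The certificates, the allow-list, the file contents and the helper names are constructed; that the list is keyed by SHA-256 fingerprints of DER certificates, and that any certificate in the chain (rather than only the leaf) can match, are assumptions made for the example.

```python
"""Editor-added model of the "known good publisher" short-circuit discussed
in this bug. This is not Firefox or Chromium code; the certificates, the
allow-list and the file contents below are constructed for illustration.

Assumptions (not stated on the page): the allow-list holds SHA-256
fingerprints of DER-encoded certificates, and a match against any
certificate in the download's signature chain is what skips the lookup.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class Download:
    name: str
    content: bytes
    # DER certificates taken from the file's signature, leaf first;
    # empty when the file carries no signature at all.
    cert_chain: list = field(default_factory=list)


# Constructed stand-ins for DER certificates (opaque bytes suffice here,
# since the check only ever hashes them).
ACME_PUBLISHER_CERT = b"constructed DER: CN=Acme Software Inc"
ACME_ISSUER_CERT = b"constructed DER: CN=Constructed Code Signing CA"
MALLORY_CERT = b"constructed DER: CN=Totally Legit Software, self-issued"

# The publisher allow-list: fingerprints of known-good signing certificates.
KNOWN_GOOD_PUBLISHERS = frozenset({fingerprint(ACME_PUBLISHER_CERT)})


def classify(download: Download, allowlist=KNOWN_GOOD_PUBLISHERS) -> dict:
    """Decide whether the download must go through the online lookup.

    "Signed" alone never skips the check; only a signature chain that
    contains an allow-listed certificate does. Everything else is sent
    for the remote lookup together with the file digest and whatever
    signer fingerprints were found.
    """
    chain_fps = [fingerprint(der) for der in download.cert_chain]
    matched = [fp for fp in chain_fps if fp in allowlist]
    return {
        "name": download.name,
        "file_sha256": hashlib.sha256(download.content).hexdigest(),
        "length": len(download.content),
        "signed": bool(chain_fps),
        "signer_fingerprints": chain_fps,
        "known_good_publisher": bool(matched),
        "online_check": not matched,
    }


# Constructed sample downloads covering the three cases in the discussion:
# unsigned, signed by an unknown (self-issued) cert, signed by a listed one.
SAMPLES = [
    Download("unsigned.exe", b"MZ...constructed unsigned payload"),
    Download("looks_signed.exe", b"MZ...constructed payload", [MALLORY_CERT]),
    Download("acme_setup.exe", b"MZ...constructed Acme installer",
             [ACME_PUBLISHER_CERT, ACME_ISSUER_CERT]),
]


def run_samples() -> dict:
    """Classify every sample, keyed by file name."""
    return {d.name: classify(d) for d in SAMPLES}


if __name__ == "__main__":
    for name, result in run_samples().items():
        verdict = "online check" if result["online_check"] else "skip online check"
        print(f"{name:18} signed={result['signed']!s:5} "
              f"known_good={result['known_good_publisher']!s:5} -> {verdict}")
```

The model deliberately leaves out signature verification: in a real implementation the Authenticode signature must be cryptographically validated before any certificate in it is compared against the list, and a file whose signature does not verify has to be treated exactly like an unsigned one, otherwise an attacker could attach a copied certificate chain to an arbitrary binary.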