Bug 310130 (SeaMonkey :: General, defect)
Status: RESOLVED INVALID (Closed)
Opened 19 years ago; closed 19 years ago
Tracking: (Not tracked)
Reporter: stephane.russell; Unassigned
Summary: No Mozilla build can be certified, which opens a security breach if someone distributes a "spyware"-modified version of Mozilla
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; fr-FR; rv:1.7.11) Gecko/20050909
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; fr-FR; rv:1.7.11) Gecko/20050909

You might not take this "bug" report seriously. The fact that Mozilla's source is open makes it very "easy" for any competent criminal organisation to modify the source of Mozilla and to build and distribute a special version of it (by direct distribution or by hacking some "official" sites) that blinds the user when he reaches some web addresses. For example, a user could be shown http://www.ebay.com in the URL field while he is opening a pirate site with a clone login page. After this phishing action, the pirate site can then redirect the user to the true eBay site with an invisible background logon, which is easy to do when you have a username and password. How will the user know that he was "phished" then, and why?

Even if I think no one has probably had this idea yet, this is a huge security risk that should be corrected before anyone does. There should be some way to certify a build of Mozilla or any critical open source software, maybe by some third-party program supported by a reliable organization (ex: SourceForge), or otherwise the whole fact of open source could sooner or later be severely compromised. Distribution of open sources and their corresponding builds should come from some certified open source distributors, with certifications ruled by, as an example, W3C. Maybe there are other ways, like some binary checks and the like, or just open source "good practices" taught to the users by any means possible. In any case, this is not an obvious problem to solve, but the risk is real.

Reproducible: Always

Steps to Reproduce:
Comment 1•19 years ago
If someone downloads a binary from an untrusted 3rd-party site and runs it, they're in trouble. period. The fact that Mozilla is open source is irrelevant. Someone could also write trojan software that looks like closed-source software. md5sums, sha1sums are provided for Mozilla releases, which are also pgp-signed. see: http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.11/
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
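The check comment 1 points to, as an added example that is not part of the bug thread or of Mozilla's own tooling: a small verifier that parses an md5sum/sha1sum-style checksum list like the ones published next to a release and reports each downloaded file as OK, MISMATCH or MISSING. File names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # algorithm inferred from hex length

def parse_sums(text):
    """Parse '<hex>  <name>' lines (a leading '*' marks binary mode); return {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, sep, name = line.partition("  ")
        name = name.lstrip("*")
        if not sep or not name or len(hexdigest) not in ALGO_BY_LEN:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = hexdigest.lower()
    return entries

def digest_of(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify_dir(directory, sums):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in the checksum list."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, os.path.basename(name))  # ignore any '../' in listed names
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = digest_of(path, ALGO_BY_LEN[len(expected)])
        results[name] = "OK" if actual == expected else "MISMATCH"
    return results

def demo():
    """Constructed scenario: an intact download, a tampered one, and a listed file never fetched."""
    files = {"mozilla-1.7.11.tar.gz": b"constructed release payload", "README.txt": b"constructed readme"}
    with tempfile.TemporaryDirectory() as d:
        lines = []
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.sha1(data).hexdigest()}  {name}")
        lines.append(f"{'0' * 40}  mozilla-1.7.11.zip")  # in the list, but not downloaded
        with open(os.path.join(d, "README.txt"), "ab") as f:  # simulate a modified download
            f.write(b"!")
        return verify_dir(d, parse_sums("\n".join(lines)))
```

A checksum list fetched from the same site as the binary only proves the two match; it is the PGP signature over that list (checked with `gpg --verify` against a key obtained somewhere other than the download site) that ties it to the publisher.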
Comment 2•19 years ago
You're right about the closed source software, but it's a more complex job to do. Also, if they can make someone believe that a pirate site is an official eBay login page (often by emailing links like XXX.XXX.XXX.XXX/www.ebay.com, a perfect lie to non-initiated users), they can do it too for an "official" download site. The checksums are a good thing, but more publicity should be made over them. I personally don't need it, because I always get Mozilla from the packages of my FreeBSD OS. The risk is mainly for Windows users, who get Mozilla from the Internet. That's why I think that third-party software pre-installed on the computers of people who want to download software from the Internet might be required. It would not solve the problem, but it would make it more difficult to distribute uncertified software (they would have to hack both the browser AND the certification software(s)). Mozilla is now a critical application for security. Its distribution shouldn't be made loosely like that, even though it remains open (which I expect). Anyway, I know it's a complex security problem, and I suspected that it would be ignored for that. I work in a bank, and they always do that too! Billions of $ are stolen on the Internet every year as a result. But I did my job; you're advised. :-)