Firefox addon signing
Richard Z
rz at linux-m68k.org
Thu Aug 27 11:24:27 UTC 2015
On Thu, Aug 27, 2015 at 02:28:48AM +0200, Reindl Harald wrote:
>
> Am 27.08.2015 um 02:21 schrieb Solomon Peachy:
> >On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
> >>A better solution would be to add a mechanism that allows you to use
> >>your own signing keys.
> >>That way you have both 1) install self built extensions and 2) the
> >>added security.
> >
> >..and (3) a way for malware to install its own key, rendering (2) moot
>
> that would imply that malware running as root and then you have already lost
> the whole game - pretty sure nobody meant "your own signing keys" writeable
> by the user firefox is running
I suspect even malware with user rights will be able to effectively manipulate
the firefox binary using LD_PRELOAD or many other methods.
Having a working sandbox implementation would improve security much
better.
Richard
--
Name and OpenPGP keys available from pgp key servers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150827/06363ca2/attachment.sig>
More information about the devel
mailing list