05.22
There has been some confusion about FFSpy and what it represents as a PoC. But Raf from Digital Soapbox nailed it square and fair.
The real issue is that Mozilla went for simplicity, speed, and extensibility over security – an obvious choice many times over.
Perhaps the most hard-to-swallow design flaw with plugins is that they have access to the browser’s raw stream… before it hits the encryption routines. This effectively means that not only does a plug-in have access to keystrokes, URLs and the full text of your POSTs, but it has access to all of that before it is encrypted onto the SSL stream. Talk about game over!
What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective.
I don’t have an answer to your question Tom, because I’m not very well versed in cryptography. But I guess that changing the public key could be made difficult, the same way the stored passwords in the Firefox *wallet* are made hard to read. But as I wrote, I’m not very into cryptography.
Just because it has been like this with all other plug-in/add-on architectures doesn’t make it the correct way of doing things.
If the software doesn’t provide a way to sign the plug-ins/add-ons in order to make sure they don’t get compromised, then yes, it is flawed. This is not the case of a user misled into installing malware; this is the case where benign software gets compromised and there isn’t a way to make sure that when that happens, the user gets notified.
I do understand why you pointed out other plug-in/add-on based applications like emacs. But notice that web browsers have taken the spotlight in the last few years. A web browser has become a very important tool. Nowadays you can do everything with a browser, from writing documents to sending e-mails, playing games, managing your finances, managing your company and staff, and so on. And with that importance in mind, I think that web browsers need to re-evaluate their add-on/plug-in architecture to make it more secure. The security standards applied to a browser these days can no longer be the same ones applied to other applications.