Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec

Christoph Anton Mitterer calestyo at scientia.net
Fri Nov 28 17:13:28 UTC 2014


Hey Mike.

On Fri, 2014-11-28 at 00:44 +0900, Mike Hommey wrote: 
> a) it's not in any release of Debian, and it's not in any upcoming
> release of Debian either. It's in a package from experimental.
Well, but you know that a lot of people actually run unstable as their
normal suite and many of them pull in iceweasel from experimental, just
as you guys suggest here http://mozilla.debian.net/

Since these versions are usually up to date with what Mozilla ships,
there's also not that big a problem with the missing security support in
experimental.


> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproductible.
Well, but since the blob is still fetched from Cisco, they could simply
replace it for certain users, and once you're hacked there's basically
no way to tell whether you had a "good" version or not.


> c) the binary blob is verified against a sha256 checksum downloaded from
> a mozilla server through HTTPS with certificate pinning.
Ah... I was actually looking in the code for something like
that, but couldn't find it at the place where the download apparently
happens - but I only had a very short glance at it.

Could you perhaps please elaborate a bit more on how that actually
works:
- the checksum over the binary download is stored on a mozilla server?

- downloaded via https?

(at that point, the way of verifying should in principle also protect
against downgrade attacks, as SSL/TLS should protect against
replaying... BUT this alone doesn't protect against blocking attacks)

- and you say certificate pinning? Since that could mean a lot, what
exactly? Is there a hardcoded cert known to be controlled by Mozilla? Is
there a hardcoded CA from the Mozilla CA bundle (which would then in
principle still allow that CA to issue a forged cert to someone else)?
Or is it pinning in the sense of HSTS, i.e. pinning of any cert (from
any "trusted" CA - even CNNIC) on the first access (which is quite
insecure IMHO)?

- has someone really checked that reproducibility?


> So it's not as bad as you make it sound.
Well... admittedly, when you say that there *is* some hash sum
verification (which I just didn't find)... then it's less bad than I'd
thought.

Nevertheless, it's still at least remotely possible that this could have
been used to compromise systems, and even if there aren't masses who run
at experimental, these people are probably still unhappy about that
chance.

If the bug had been set to a higher severity, then people with
apt-listbugs would at least have noticed it :-(


> And it's not going to stay that way anyways.
It's really good we have the Iceweasel "fork" for things like this.
Actually I'd also like to see that in Debian we remove certain trusted
CAs, which are basically never used on the web and which are clearly
untrustworthy.


Can't you make a quick release where the codec is disabled, or at least
fresh downloading of it?


What will be the policy in Debian when Mozilla adds more and more
proprietary/binary stuff to FF? Like e.g. the Adobe DRM stuff.
Is that going to be removed from the beginning or will I have to take
care that I don't accidentally get DRM-root-kitted with one of the first
iceweasel-experimental releases?


Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20141128/e1f0e2f9/attachment.bin>
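The verification scheme the message asks about, as an added example that is not part of the original mail and not code from Debian, Mozilla or Cisco: a client that fetches a SHA-256 manifest from a trusted server over a connection with a hard-coded leaf-certificate pin, checks the blob obtained from a third party against it, and additionally guards against the two gaps the mail points out, a downgrade (an older but correctly hashed blob served with its old manifest) and blocking or freezing of updates (no fresh manifest at all). All blobs, manifests, certificate bytes and timestamps are constructed samples, and the manifest field names (`version`, `sha256`, `issued_at`), the one-week freshness bound and the pinning style are assumptions, not a description of what Iceweasel actually does.

```python
"""Checks a client can apply to a binary blob fetched out-of-band.

Added illustration; not Debian's, Mozilla's or Cisco's code. Blobs, manifests,
certificate bytes and timestamps are constructed samples, and the manifest
field names are assumptions.
"""
import hashlib
import hmac
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample blobs standing in for two releases of a downloaded codec.
OLD_BLOB = b"constructed sample codec blob, release 1"
GOOD_BLOB = b"constructed sample codec blob, release 2"

# Manifests as the trusted manifest server would publish them (constructed).
OLD_MANIFEST = {"version": 1, "sha256": sha256_hex(OLD_BLOB), "issued_at": 1_410_000_000}
GOOD_MANIFEST = {"version": 2, "sha256": sha256_hex(GOOD_BLOB), "issued_at": 1_417_000_000}

# Assumption: a manifest older than a week is treated as stale rather than current.
MAX_MANIFEST_AGE = 7 * 24 * 3600

# Assumption: the client ships the SHA-256 of the DER certificate it expects from
# the manifest server (leaf pinning, not CA pinning and not trust-on-first-use).
PINNED_MANIFEST_SERVER_CERT = b"constructed DER certificate of the manifest server"
PINNED_FINGERPRINTS = {sha256_hex(PINNED_MANIFEST_SERVER_CERT)}


def cert_pin_matches(cert_der: bytes, pinned: set) -> bool:
    """Leaf-certificate pinning check. With a live socket, cert_der would come
    from ssl.SSLSocket.getpeercert(binary_form=True). A certificate for the
    same name issued by some other CA in the system bundle fails here, which
    is the property a hard-coded leaf pin gives and a CA pin does not."""
    fp = sha256_hex(cert_der)
    return any(hmac.compare_digest(fp, p) for p in pinned)


def verify_download(blob: Optional[bytes], manifest: Optional[dict],
                    last_seen_version: int, now: float):
    """Return (accepted, reason) for a blob and the manifest fetched for it.

    last_seen_version is the highest manifest version this client has already
    accepted; that stored state is what turns a plain hash check into
    downgrade protection."""
    if manifest is None:
        # A blocked manifest fetch is a failure, not "nothing to update".
        return False, "no manifest retrieved (blocked or offline): refusing to proceed"
    if blob is None or not hmac.compare_digest(sha256_hex(blob), manifest.get("sha256", "")):
        return False, "hash mismatch: blob does not match the manifest"
    if manifest["version"] < last_seen_version:
        return False, "downgrade: manifest version %d is older than last seen %d" % (
            manifest["version"], last_seen_version)
    if now - manifest["issued_at"] > MAX_MANIFEST_AGE:
        # TLS stops a manifest replayed on the wire, but a server that keeps
        # serving the same old manifest (a freeze) passes every check above;
        # only a freshness bound catches that.
        return False, "stale manifest: possible freeze or blocking of updates"
    return True, "ok"


def demo() -> dict:
    """Run the scenarios the thread raises; returns {scenario: result}."""
    now = GOOD_MANIFEST["issued_at"] + 3600
    return {
        "pin ok": cert_pin_matches(PINNED_MANIFEST_SERVER_CERT, PINNED_FINGERPRINTS),
        "pin other cert": cert_pin_matches(b"constructed cert from another CA", PINNED_FINGERPRINTS),
        "current release": verify_download(GOOD_BLOB, GOOD_MANIFEST, 1, now)[1],
        "swapped blob": verify_download(OLD_BLOB, GOOD_MANIFEST, 1, now)[1],
        "downgrade": verify_download(OLD_BLOB, OLD_MANIFEST, 2, now)[1],
        "freeze": verify_download(GOOD_BLOB, GOOD_MANIFEST, 2, now + 30 * 24 * 3600)[1],
        "blocked": verify_download(None, None, 2, now)[1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

The point of splitting the manifest server from the blob host is visible in the "swapped blob" case: a blob substituted for particular users on the third-party host fails the hash check as long as the manifest comes from the pinned server, which is the property the quoted text relies on. The hash alone does nothing against the other two cases; the "downgrade" case needs the client to remember the last accepted version, and the "freeze" and "blocked" cases need a freshness bound plus treating an absent manifest as an error, which is the distinction the mail draws between replay and blocking.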