Closed Bug 909458 Opened 11 years ago Closed 11 years ago

Check signature only for privileged apps

(Firefox Graveyard :: Web Apps, defect, P2)

RESOLVED WONTFIX

(Reporter: marco, Unassigned)

Attachments (1 file)

Attached patch Patch (deleted) — Splinter Review
Non privileged apps should be installable also if the signature is invalid.

Without this, marketplace apps can't be installed.
Attachment #795581 - Flags: review?(fabrice)
If there is a signature, it should be valid. We support installing unsigned unprivileged apps, and that is good enough.
Attachment #795581 - Flags: review?(fabrice)
This prevents installation of all the packaged apps from the marketplace, because on the marketplace also unprivileged apps are signed.
Can I get some background on why this is necessary?  All Marketplace packaged apps have valid signatures. If signed apps aren't supported on Desktop then packaged apps aren't supported on Desktop.  Breaking the code for one type of packaged app isn't a fix.
Flags: needinfo?(mcastelluccio)
(In reply to Andrew Williamson [:eviljeff] from comment #3)
> Can I get some background on why this is necessary?

Well, I thought for unprivileged packaged apps the signature verification isn't really necessary, is it?

The problem is that on desktop we can't use the same hack that we use on b2g and Android, see bug 896620 comment 8 for details. The signature verification support is currently unscheduled work for the security team and so we don't know yet when it will be available. In the meantime this could be a stopgap solution.

> If signed apps aren't supported on
> Desktop then packaged apps aren't supported on Desktop.  Breaking the code
> for one type of packaged app isn't a fix.

We don't support signed apps but we do support packaged apps. As unprivileged apps don't really need a signature (at least this was my opinion), this solution could allow users to install unprivileged apps from the marketplace.
Flags: needinfo?(mcastelluccio)
The signature is useful even for unprivileged apps from the marketplace because that means that the user installs and runs the app that has actually been reviewed.

Imagine that at some point all the apis that are only accessible to privileged apps could be usable by all apps: the signature still has value, right?
(In reply to Marco Castelluccio [:marco] from comment #4)
> The problem is that on desktop we can't use the same hack that we use on b2g
> and Android, see bug 896620 comment 8 for details. The signature
> verification support is currently unscheduled work for the security team and
> so we don't know yet when it will be available. In the meantime this could
> be a stopgap solution.

A solution to what problem, is what I'm trying to find out.  Packaged apps don't need to be available on Desktop with any urgency (afaik) and if part of the implementation isn't ready (the signing part) then it's not ready.
(In reply to Fabrice Desré [:fabrice] from comment #5)
> The signature is useful even for unprivileged apps from the marketplace
> because that means that the user installs and runs the app that has actually
> been reviewed.
> 
> Imagine that at some point all the apis that are only accessible to
> privileged apps could be usable by all apps: the signature still has
> value, right?

An unprivileged application can be installed from any website, even if not reviewed. So we can't grant them APIs that we think we should grant only after a review.

(In reply to Andrew Williamson [:eviljeff] from comment #6)
> Packaged apps don't need to be available on Desktop with any urgency (afaik) and if part
> of the implementation isn't ready (the signing part) then it's not ready.

Packaged apps are already available on Desktop, only the signed subset isn't available. I think there's no harm in allowing people to install unprivileged apps without checking the signature.
(In reply to Marco Castelluccio [:marco] from comment #7)
> (In reply to Fabrice Desré [:fabrice] from comment #5)
> > The signature is useful even for unprivileged apps from the marketplace
> > because that means that the user installs and runs the app that has actually
> > been reviewed.
> > 
> > Imagine that at some point all the apis that are only accessible to
> > privileged apps could be usable by all apps: the signature still has
> > value, right?
> 
> An unprivileged application can be installed from any website, even if not
> reviewed. So we can't grant them APIs that we think we should grant only
> after a review.

That's not what I'm saying. I'm arguing that there is value in reviewing code and signing an app beyond granting access to privileged apis: users can have more trust in apps that are reviewed and signed even if they don't need special apis.
(In reply to Marco Castelluccio [:marco] from comment #7)
> Packaged apps are already available on Desktop, only the signed subset isn't
> available. 

Well as Marketplace is the only place that distributes apps* and packaged apps can't be installed currently from Marketplace, it's debatable if they are actually 'available' now on Desktop.

I don't see the urgent need for the workaround - why not just wait until it's implemented properly?

* (right now, afaik)
briansmith suggested an approach like this in bug 896620, comment 10, where he said, "It would be easy to make it so that signature verification always fails on desktop, so that privileged apps cannot be installed, but non-privileged apps would still work."

The reason I suggested to Marco that he look into a partial workaround is that it wasn't clear how soon the "proper solution" would be implemented.  Brian said in bug 896620, comment 10 that "This quarter, we are working on the basis of that proper solution. Once we have it, it wouldn't be much work to redo the certificate verification code to use that proper solution."

But it wasn't clear that it would actually happen this quarter, and there isn't anyone signed up yet to do the second part of the necessary work.

Hence this suggestion (and Brian's related one).  I still think it's worth considering, but in the meantime, I heard from Vishy that geekboy says the first part is a Q3 goal for his team.

If the first part lands in Q3, and we can find someone to do the second part, and the second part is as easy to do as folks seem to think it is, so we can land it early in Q4 (or even implement it in Q3 in parallel with the first part), then it isn't worth considering this short-term workaround.

But if that isn't the case, and the work required to implement the proper solution stretches far into Q4 or even beyond, then we should absolutely consider workarounds like this one to make incremental progress; with all due consideration to the security and other ramifications, of course, as we always do.
Brian (and others on the security team): would this be reasonable from a security perspective?

(If not, then we'll have to wait until Firefox 27 or later for the proper solution.  If, however, this is a reasonable workaround that gives us support for unprivileged packaged apps in the Firefox 26 timeframe, then it's worth doing it to get developers and users to start testing those apps on the desktop runtime.)
Flags: needinfo?(brian)
My interpretation of doing this would be to say "It's okay if unprivileged apps have broken signatures." This is basically equivalent to making signatures on unprivileged apps mean nothing. If we're okay with that, then we can either go ahead with this across the board or simply change Marketplace to not sign unprivileged apps. Otherwise, I think we should continue to work on the more comprehensive solution.
(In reply to David Keeler (:keeler) from comment #12)
> My interpretation of doing this would be to say "It's okay if unprivileged
> apps have broken signatures." This is basically equivalent to making signatures
> on unprivileged apps mean nothing. If we're okay with that, then we can
> either go ahead with this across the board or simply change Marketplace to
> not sign unprivileged apps. Otherwise, I think we should continue to work on
> the more comprehensive solution.

Could we flip this around to say that unprivileged packaged apps MUST NOT be signed? That might address David's concern?
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #13)
> (In reply to David Keeler (:keeler) from comment #12)
> > My interpretation of doing this would be to say "It's okay if unprivileged
> > apps have broken signatures." This is basically equivalent to making signatures
> > on unprivileged apps mean nothing. If we're okay with that, then we can
> > either go ahead with this across the board or simply change Marketplace to
> > not sign unprivileged apps. Otherwise, I think we should continue to work on
> > the more comprehensive solution.
> 
> Could we flip this around to say that unprivileged packaged apps MUST NOT be
> signed? That might address David's concern?

In that case Marketplace would have to be changed to not sign unprivileged apps and once that happens 99%+ of unprivileged packaged apps out there will be installable on Desktop without any platform code change, so changing the policy to mandate that they not be signed becomes unnecessary.  So changing Marketplace is the solution.

That would also require no changes to platform now, and once the proper solution is implemented signing on Marketplace could easily be turned back on again.
This seems fine iff the only marketplaces available (for now) are Mozilla's?
(In reply to Camilo Viecco (:cviecco) from comment #15)
> This seems fine iff the only marketplaces available (for now) are Mozilla's?

I've not heard of any others, and FxOS devices only ship with certs for Mozilla's.  So they're either having to advise their users how to use adb to push new certificates (fun!), or are only listing unprivileged apps and aren't signing them anyway.
Then I agree with the plan. Thank you.
Adding my comment to this bug as well.  I am totally fine with Brian's solution of having the signature check always fail on desktop thus allowing unprivileged packaged apps to be installed but privileged ones will not be.
I talked with Brian and he's ok with always failing signature verification on Desktop.
Flags: needinfo?(brian)
If Marketplace could make a change to not sign privileged apps there wouldn't be any need for failing signature verification.
I think we still need to fail signature verification, because on Desktop we have other CA authorities in the certdb that could sign apps if they wanted to.
The only thing that protects users is the "dom.mozApps.signed_apps_installable_from" preference.
(In reply to Marco Castelluccio [:marco] from comment #21)
> I think we still need to fail signature verification, because on Desktop we
> have other CA authorities in the certdb that could sign apps if they wanted
> to.

Wouldn't those authorities just choose not to?  There aren't any signing apps right now (as it doesn't work), so why would they start?
We should absolutely not ignore signatures even on non-privileged apps.

The first problem is that it will cause packaged apps with broken signatures to start floating around since no-one will detect that their signatures are broken. That means that once we *do* start enforcing signatures, we'll end up breaking those apps.

Second, signatures do bring security advantages even for non-privileged apps. They ensure that a hacked webstore doesn't result in the attacker being able to put a hacked version of a popular app on the store as an update and get that update automatically rolled out to all users of that app.

Even if there are other marketplaces out there, they won't be able to sign apps since currently only Mozilla has the key for signing apps. So it's no problem if there are other marketplaces out there. They are unaffected by Firefox desktop's inability to verify signatures no matter what.


If we really don't care about signatures on non-privileged packaged apps, the solution is simply to have the Mozilla marketplace stop signing those apps. No code changes are needed on the client.
I still think we should fail signature verification on desktop. Firefox can't verify the marketplace signature, but can verify signatures from other certificate authorities.
I'm not sure what you mean exactly by "fail signature verification". I definitely think that if there's a signature on a package, and we can't verify that the signature is correct, we should not allow the package to be installed.

Ultimately I'll defer to Brian though, as with all things crypto.
(In reply to Jonas Sicking (:sicking) from comment #25)
> I'm not sure what you mean exactly by "fail signature verification". I
> definitely think that if there's a signature on a package, and we can't
> verify that the signature is correct, we should not allow the package to be
> installed.
> 
> Ultimately I'll defer to Brian though, as with all things crypto.

Please also see https://bugzilla.mozilla.org/show_bug.cgi?id=896620#c15 where rforbes writes, "i am totally fine with brian's solution of having signature check always failing on desktop."
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #26)
> (In reply to Jonas Sicking (:sicking) from comment #25)
> > I'm not sure what you mean exactly by "fail signature verification". I
> > definitely think that if there's a signature on a package, and we can't
> > verify that the signature is correct, we should not allow the package to be
> > installed.
> > 
> > Ultimately I'll defer to Brian though, as with all things crypto.
> 
> Please also see https://bugzilla.mozilla.org/show_bug.cgi?id=896620#c15
> where rforbes writes, "i am totally fine with brian's solution of having
> signature check always failing on desktop."

It being acceptable from a security standpoint isn't the same as it being a good idea from an ecosystem standpoint - as Jonas mentions, apps with broken signatures will propagate and then suddenly stop working.  

The problem is unprivileged packaged apps can't be installed from Marketplace on Desktop; changing Marketplace to not sign unprivileged apps would allow this.  There aren't any other app stores signing unprivileged apps.
I think everyone agrees that not signing unprivileged apps in the marketplace is fine.

Marco is arguing in comment 21 that since we have other code signing certificates, the only protection we'll have against installing apps signed with these certificates is a pref that whitelists origins that can install signed apps.
This would not be an issue on b2g, where you have to root the device to push new prefs, but that's unfortunately a more valid concern on desktop.
> Please also see https://bugzilla.mozilla.org/show_bug.cgi?id=896620#c15
> where rforbes writes, "i am totally fine with brian's solution of having
> signature check always failing on desktop."

What does "having signature check fail" mean here? I took that as meaning that the package should not be installed.

If that's the case, then it sounds like rforbes, bsmith and I are all saying that an unverifiable signature should lead to the package not being installed.
(In reply to Fabrice Desré [:fabrice] from comment #28)
> I think everyone agrees that not signing unprivileged apps in the
> marketplace is fine.
> 
> Marco is arguing in comment 21 that since we have other code signing
> certificates, the only protection we'll have against installing apps signed
> with these certificates is a pref that whitelists origins that can install
> signed apps.

My counter is that there is a workaround (i.e. not signing the package) that will work today, which is easier than signing. And as there are no known current developers/app-stores deploying signed packaged apps on Desktop (other than ourselves) it doesn't appear to be a hack that benefits any developer/user today.  In the future the actual solution will be implemented, and in the meantime just not signing would be the obvious choice for any start-up appstore, etc.
(In reply to Jonas Sicking (:sicking) from comment #29)
> > Please also see https://bugzilla.mozilla.org/show_bug.cgi?id=896620#c15
> > where rforbes writes, "i am totally fine with brian's solution of having
> > signature check always failing on desktop."
> 
> What does "having signature check fail" mean here? I took that as meaning
> that the package should not be installed.
> 
> If that's the case, then it sounds like rforbes, bsmith and I are all saying
> that an unverifiable signature should lead to the package not being installed.

rforbes and bsmith are proposing the opposite - that the fail should be ignored on desktop and the package installed regardless.
Priority: -- → P2
This will matter less once we have signature verification on desktop, but we don't have that yet, so it's still valuable.

And regardless of what we do with this bug, it's important to resolve our differences of understanding about what a signature actually signifies.  For which this bug is not the best forum.  So bwalker is going to get sicking, tchoma, and the security folks together to hash that out.
If rforbes and bsmith are ok with this, then I guess I can live with that.

Obviously this is something that we'd have to fix once we add support to privileged APIs on desktop.

We should probably add a warning in the console though whenever a signed app is installed.
Let me be clear with what I suggested: As a temporary measure, if we want to allow the installation of packaged apps on desktop before the signature verification is ready for desktop, then it is OK with me if we *skip* the signature verification step on desktop. Unquestionably, this exposes desktop Firefox to more risk than B2G.

I did not suggest that it is OK to stop signing unprivileged apps on the marketplace server. Please do not stop signing unprivileged apps. The signing of unprivileged apps still has security benefits. Consider, for example, that the way we "revoke" apps is dependent on signatures. If we stopped signing apps on marketplace you would break B2G and lessen the security of B2G.

The original plan for verifying packaged app signatures on desktop Firefox got blocked on work I am doing to replace the certificate verification logic in Firefox with a new library. That project is taking longer than expected and that is on me. It would be great if somebody could send me an email to brian@briansmith.org to let me know exactly the state of packaged app support on desktop Firefox and to let me know exactly which release (release as in shipping in a release build) the feature will be first enabled for. In return I will try to figure out a solution for verifying the signatures of the packaged apps that will work in that release, without being blocked on the new certificate verification library. But, I don't want to do that extra work unless we are certain that the feature is going to make it to release or is already in release.
(In reply to Brian Smith (:briansmith, was :bsmith@mozilla.com) from comment #34)
> Let me be clear with what I suggested: As a temporary measure, if we want to
> allow the installation of packaged apps on desktop before the signature
> verification is ready for desktop, then it is OK with me if we *skip* the
> signature verification step on desktop

...for "web" packaged apps only (not "privileged" or "certified").
I definitely think of this as a temporary solution.  I would assume this signature would be verified again once we solve the signature verification on desktop.  This solution becomes very much not optimal as soon as we have other marketplaces out there.
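The install decision matrix argued over in this thread, written out as an added example (not Firefox's own Webapps code): the strict rule from comments 25 and 29 (a signature that is present must verify) beside Brian's desktop stopgap from comments 34 and 35 (skip verification for "web" packaged apps only), with the origin whitelist pref from comment 22 as the remaining client-side gate and the console warning Jonas asked for in comment 33. `decideInstall`, the `pkg`/`env` shapes, the policy constants and the list form of the pref value are assumptions.

```javascript
"use strict";

// Policies under discussion (names are assumptions for this example).
const STRICT = "strict";           // present signature must verify, on every platform
const DESKTOP_STOPGAP = "stopgap"; // desktop may install a signed "web" app unverified

// pkg: { type: "web"|"privileged"|"certified", signed: bool, signatureValid: true|false|undefined }
//   signatureValid is undefined when no verifier is available (desktop at the time of this bug).
// env: { platform: "desktop"|"b2g", origin: string, signedAppsInstallableFrom: string[] }
//   signedAppsInstallableFrom models the pref dom.mozApps.signed_apps_installable_from
//   as a list of origins (list form assumed).
function decideInstall(pkg, env, policy) {
  const warnings = [];
  const deny = (reason) => ({ install: false, reason, warnings });
  const allow = (reason) => ({ install: true, reason, warnings });

  if (!pkg.signed) {
    // Unsigned packages are fine for plain web apps and never for privileged/certified ones.
    return pkg.type === "web" ? allow("unsigned web app") : deny("privileged app must be signed");
  }
  // Signed package: only whitelisted origins may install signed apps at all.
  if (!env.signedAppsInstallableFrom.includes(env.origin)) {
    return deny("origin not listed in dom.mozApps.signed_apps_installable_from");
  }
  if (pkg.signatureValid === true) {
    return allow("signature verified");
  }
  // Signature present but not verified: either no verifier (undefined) or a failed check (false).
  // The stopgap cannot tell these apart, which is exactly the exposure keeler and sicking object to.
  if (policy === DESKTOP_STOPGAP && env.platform === "desktop" && pkg.type === "web") {
    warnings.push("signed web app installed without signature verification (desktop stopgap)");
    return allow("stopgap: verification skipped for web app on desktop");
  }
  return deny("signature present but not verifiable");
}

// Constructed sample: a Marketplace-signed web app arriving on desktop with no verifier.
const desktopEnv = {
  platform: "desktop",
  origin: "https://marketplace.example",
  signedAppsInstallableFrom: ["https://marketplace.example"],
};
const signedWebApp = { type: "web", signed: true, signatureValid: undefined };

function compareStopgapToStrict() {
  return {
    strict: decideInstall(signedWebApp, desktopEnv, STRICT),
    stopgap: decideInstall(signedWebApp, desktopEnv, DESKTOP_STOPGAP),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = compareStopgapToStrict();
  for (const [name, d] of Object.entries(r)) {
    console.log(name, d.install ? "INSTALL" : "DENY", "-", d.reason);
    d.warnings.forEach((w) => console.warn("  warning:", w));
  }
}
```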
Blocks: 969242
Blocks: 969243
Blocks: 969244
Blocks: 969245
The proper solution is being implemented in bug 896620.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: Firefox → Firefox Graveyard