Tab Mix Plus secure update for Firefox 3
matp75
Guest
Posted: Tue Nov 20, 2007 4:05 pm    Post subject: Tab Mix Plus secure update for Firefox 3

Firefox 3.0b1 refuses to update or install Tab Mix Plus (including the last dev build as of today).
See
http://wiki.mozilla.org/User:Mossop:Fx-Docs:AddonUpdateSecurity

Could either the extension be hosted on a secure site, or could the developer sign the extension instead?
Guest

Posted: Tue Nov 20, 2007 4:12 pm

In about:config, create a boolean preference called 'extensions.checkUpdateSecurity'. Set the value to 'false'.
misterdan

Posts: 37
Joined: 27 Oct 2005
Posted: Tue Nov 20, 2007 6:13 pm

But is that really a good way? No. Would be better if there was a secure connection.

And will you remember to delete that variable?
CPU
Admin
Posts: 2064
Location: Houston, Texas
Joined: 02 Aug 2005
Posted: Wed Nov 21, 2007 5:08 am

The only secure site I can think of is using the addons site, but we only use it for final versions.

Signing the extension ourselves would defeat the purpose of having signed extensions since anyone could just do it.
matp75
Guest
Posted: Wed Nov 21, 2007 8:17 am

CPU wrote:
The only secure site I can think of is using the addons site, but we only use it for final versions.

Signing the extension ourselves would defeat the purpose of having signed extensions since anyone could just do it.

No, the purpose of signing the extension is to be sure that the update process is secure.
Once you sign it, someone else can't sign it, as Firefox remembers who signed the extension at installation time.
I.e. this is to be sure that when I get an extension upgrade, I will get it from the same person as the origin.
I agree I have to trust you at install time and someone could intercept the first download and replace the signature, but I think nonetheless signing the extension will very much increase the security of the upgrade process.

With Firefox 2, if I install TMP from a trusted network (from my point of view) then move to a public network where it's possible to have a man-in-the-middle attack, someone can pretend to have a TMP update and install something else as a TMP update.
With Firefox 3, this is no longer possible and I think this is good.

I think this also secures you, because if you keep the private key on your side and just upload the signed version to tmp.garyr.net, you don't risk compromising all your users if the server is compromised, as current users will reject the update.
misterdan

Posts: 37
Joined: 27 Oct 2005
Posted: Thu Nov 22, 2007 12:23 am

Yes, if you look at the Firefox notes, you can sign the extension yourself...

http://wiki.mozilla.org/User:Mossop:Fx-Docs:AddonUpdateSecurity

Then users would be able to install the extension without you using SSL (use digital signatures and hashes).
RyanVM
Guest
Posted: Thu Nov 22, 2007 7:18 am

There's no reason to not be signing your update manifests, especially when there's a supported tool for doing it.
http://wiki.mozilla.org/McCoy
http://developer.mozilla.org/en/docs/McCoy
Guest
Guest
Posted: Thu Nov 22, 2007 2:06 pm    Post subject: about:config

There exists an advantage to using the "about:config" modification: not only will it allow Tab Mix Plus to work in FF 3.0 Beta, it will allow your other non-complying extensions to work as well. Please note, if you toggle the new Boolean entry back to "true", TMP and the other extensions will be disabled.
RyanVM
Guest
Posted: Thu Nov 22, 2007 4:22 pm

Yeah, except that completely defeats the purpose of the new security mechanism (rolling eyes)
DeepFreeze3

Posts: 24
Joined: 17 Nov 2005
Posted: Thu Nov 22, 2007 7:52 pm

Anonymous wrote:
In about:config, create a boolean preference called 'extensions.checkUpdateSecurity'. Set the value to 'false'.

You'll also have to get into the extension's install.rdf file and delete the update URL. I had to do that with the latest TMP devbuild to get it to install in FF 3.0b1 when the boolean didn't work.
Guest 2
Guest
Posted: Thu Nov 22, 2007 9:43 pm    Post subject: about:config

First, to clear up any confusion, the second posting regarding about:config was not by the original "Guest", but by me, now Guest 2. Second, yes, using the about:config modification does disable the new security feature. That said, it puts one in no different position than continuing to use FF2, except that now one possesses the advantage of using FF3 (beta) and its other security enhancements as well as keeping the functionality of all of one's current extensions. Third, even when FF3 reaches its actual release, there will be a period of time when developers have not made the modifications to allow FF3 to download existing non-complying extensions. About:config is a useful tool that does possess a risk: one that some feel comfortable taking under current circumstances.
matp75
Guest
Posted: Fri Nov 23, 2007 4:05 pm

No need to disable secure update to try making an "incompatible" extension installable with Firefox 3.
You can use the Nightly Tester Tools extension, which allows you to "make compatible" an extension (obviously, you're on your own, it may not work).
I don't wish to stay in an insecure mode forever.
Of my Firefox 2 extensions, my essential extensions are working well with Firefox 3.
Some are already providing secure update (mostly by signing it when they are not hosted on the addon site).
One has just signed its extension after being asked for it, and as a new version has been made public today, every user of this extension now has secure update.
Others have signed their dev version so at least it's installable without disabling security, and it will be transparent for users migrating when they release a new stable version.
Hope the TMP dev version will be signed soon...
onemen

Posts: 4246
Joined: 04 Aug 2005
Posted: Sun Nov 25, 2007 6:30 am

The next TMP dev version will be signed

_________________
Tab Mix Plus v0.3.8.2
Tab Mix Plus Dev-Build 0.3.8.3pre.100125
RyanVM
Guest
Posted: Sun Nov 25, 2007 10:29 am

Great news, onemen! Thanks for keeping up with the trunk so diligently :)
Guest

Posted: Sun Nov 25, 2007 1:53 pm

Help ... need 3b1 update. I can live without all but Roboform and Tab Mix Plus. Got Roboform. How long until TMP? Thanks for a great addon.
Atreus
Guest
Posted: Sun Nov 25, 2007 6:15 pm

Anonymous wrote:
Help ... need 3b1 update. I can live without all but Roboform and Tab Mix Plus. Got Roboform. How long until TMP? Thanks for a great addon.

Just force compatibility and disable the security check
Guest

Posted: Mon Nov 26, 2007 9:56 pm

Atreus wrote:
Anonymous wrote:
Help ... need 3b1 update. I can live without all but Roboform and Tab Mix Plus. Got Roboform. How long until TMP? Thanks for a great addon.
Just force compatibility and disable the security check

Thanks for the response.
extensions.checkUpdateSecurity set to 'false'.
Was able to load addon.
Forced compatibility using Nightly Tester Tools.
Restarted.
Nothing shows up in Tools menu.
TMP not shown in addons.
What am I missing?
WildcatRay

Posts: 307
Location: Columbus, OH
Joined: 06 Jul 2007
Posted: Tue Nov 27, 2007 9:00 am

Another way to "disable" the security check blocking an add-on install is to edit the install.rdf file within the xpi file itself. In the case of TMP dev, delete or comment out the line <em>http://tmp.garyr.net/updates-dev.rdf</em>

As I understand it, the security check looks for this line. If it does not contain "https" meaning future updates will be from a secure site like "https://addons.mozilla.org", it blocks the installation.

On the philosophical side, I cannot fault the intent. However, I do wonder about the heavy-handed approach. This along with coding the browser to force the scanning of downloads for viruses if the user does not have their antivirus program already running in the proper mode, the Places (bookmarks, history, downloads, etc.) organizer and the "Larry" enhancement to go beyond using yellow in the location/address bar to signify you are on a secure site seems to be moving Firefox into the realm of code bloat that may end up defeating the original purpose of it: creating a lean, mean, customizable browsing machine. Besides, if they are so intent on providing the most secure web browser on the market, then why have they not incorporated the NoScript code into it? And, for that matter, why not incorporate ad-blocking into the base browser code, too?

If I were in the product development meetings I would push for making Firefox 3 the best, leanest, meanest browsing machine that meets the original intent of Firefox and incorporate all the "security" enhancements into a strongly-recommended add-on or offer it in two forms, a base and a "high-security" version. But, who am I? Just some "dumb" user. Why would users' desires matter?

Thank you for indulging my rant. Now, back to your regularly scheduled programming.

_________________
Ray
My Computer Information Page, My Fx3.7pre Add-ons
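
The rule discussed in the posts above (an update URL must be https, or the manifest must be signed) can be checked against an install.rdf before installing. This is an added example, not code from the thread or from the Tab Mix Plus project: it reads the em:updateURL and em:updateKey properties and reports which case applies. The function names, add-on id, key string and https URL are constructed placeholders; only the http update URL is the one quoted in the post.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def em_value(desc, name):
    """Read an em: property written as a child element or as an attribute."""
    child = desc.find(EM + name)
    text = child.text if child is not None else desc.get(EM + name)
    return text.strip() if text and text.strip() else None

def classify_update_channel(install_rdf):
    """Classify how updates for this manifest are protected, per the thread."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(RDF + "Description"):
        about = desc.get(RDF + "about") or desc.get("about")
        if about != "urn:mozilla:install-manifest":
            continue
        url = em_value(desc, "updateURL")
        if url is None:
            return "default"   # no custom update URL is declared
        if url.lower().startswith("https://"):
            return "https"     # update manifest fetched over TLS
        if em_value(desc, "updateKey"):
            return "signed"    # plain HTTP, but the manifest signature is checked
        return "blocked"       # plain HTTP and unsigned: the case Firefox 3.0b1 refused
    raise ValueError("no urn:mozilla:install-manifest description found")

def sample_manifest(update_url=None, update_key=None):
    """Build a constructed install.rdf; the id and key are placeholders."""
    props = ["<em:id>example@constructed.invalid</em:id>"]
    if update_url:
        props.append(f"<em:updateURL>{update_url}</em:updateURL>")
    if update_key:
        props.append(f"<em:updateKey>{update_key}</em:updateKey>")
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            + "".join(props) + "</Description></RDF>")

if __name__ == "__main__":
    dev_url = "http://tmp.garyr.net/updates-dev.rdf"  # URL quoted in the post above
    for label, rdf in [
        ("dev build as described", sample_manifest(dev_url)),
        ("same URL, signed", sample_manifest(dev_url, "CONSTRUCTED-PUBLIC-KEY")),
        ("https update URL", sample_manifest("https://updates.example.invalid/u.rdf")),
        ("updateURL removed", sample_manifest()),
    ]:
        print(f"{label:24} -> {classify_update_channel(rdf)}")
```

Only the "blocked" case needs the security preference turned off to install; a signed manifest keeps the check enabled while still being served over plain HTTP.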
Guest

Posted: Tue Nov 27, 2007 9:56 am

Anonymous wrote:
Atreus wrote:
Anonymous wrote:
Help ... need 3b1 update. I can live without all but Roboform and Tab Mix Plus. Got Roboform. How long until TMP? Thanks for a great addon.
Just force compatibility and disable the security check

Thanks for the response.
extensions.checkUpdateSecurity set to 'false'.
Was able to load addon.
Forced compatibility using Nightly Tester Tools.
Restarted.
Nothing shows up in Tools menu.
TMP not shown in addons.
What am I missing?

Thanks WildcatRay and Atreus! That last bit about modifying the rdf worked like a charm. Hallelujah, I am back in business!
Alan Baxter

Posts: 177
Joined: 20 Sep 2005
Posted: Wed Nov 28, 2007 12:23 am

WildcatRay wrote:
This along with coding the browser to force the scanning of downloads for viruses if the user does not have their antivirus program already running in the proper mode

OMG! How do I turn it off?

All times are GMT - 6 Hours
Page 1 of 3