Thursday, March 11, 2010

Mozilla, the extensions, the safety and what we can learn of the false positive


Interesting debate on safety the one that has opened this week to itself with the appearance of two extensions for firefox descargables and instalables from Mozilla Add-ons and supposedly infected with a troyano. Further on it has been proved that one of them was clean.

Beyond the trivial thing, this opens the whole reflection on the processes of quality and cross-check on the part of Mozilla of all these extensions (software, in last case) descargables from his repository. In this respect I want to emphasize Sergio's post, that I believe that it has reason great when it recommends to be prudent with the use of the navigator for sensitive tasks. This is obvious for many persons (between the readership of this blog I imagine that it obviated for almost all), but for the majority to think about these terms will be something new because they have not appeared it earlier.

It would add, also, that in our role of technological prescriptores (I speak for me and my environment, without going further) it is important that apart from recommending the use of free software and surer practices we were doing a special emphasis in the prudence and the good sense. Obviously, the systems 100 % sure, trustworthy and invulnerable does not exist. (Anyone who says to us that his software or his system in general is a 100 % sure can be immediately catalogued like cretinous without fear of being wrong). but where the skill cannot come, if it can bring us over (we will never come, obv) a good set of good practices. After all, when we speak about safety we are the weakest link and he has sense to reduce the insecurity derived from the bad use itself of the hardware.

I want to comment also on a question that Oscar rises in Sergio's blog, which was the authentic shooter to write this post: a comment that I had left long and in the end I have decided to climb to post. He says Oscar: "Really I have neither the time nor the knowledge to prove the code of one or another navigator. what would be the rules to choose the best or the surest?»

Here my answer comes:

To ask for the rules to recognize and to choose the surest navigator is a question so wide that it needs an answer which extension would give to write a blog (not a post, a blog) only to be detaching these rules.

Is the free software surer than the exclusive one? Of entry it is auditable with major facility, which does not imply major safety, only that if there is malicious code it is possible that it is discovered by less delay. The use of free software has countless advantages, but this one does not have because to be always intrinsically surer. It is possible that it it is in general terms due to the facility of audit (if not proper of the user, yes of the community - so important so that a software project is truly free), but punctually it can be insecure like any software.

Probably that will make use of this incident to throw fear, suspense and doubts about Firefox. Nobody should get alarmed, nevertheless. Firefox keeps on being an option reasonably sure that, used with good skill, it bears less risks than other options.

Of course, in the time for coming and if the users' Firefox valuation keeps on growing, this users' quota will occur the biggest problem of safety for Firefox and his programmers. Let's think for a moment how a developer of malicious code would do it: it is going to cost me the same time (it does not have porqué, but let's assume that like an order approach correct zero) to develop my attack against a specific navigator. Do I invest my time to attack 1 % of users, 20 %, 40 %? If we assume also the nonexistence concrete interests that praise my target election, my attack will be directed to the navigator who opens to me the door of more potential victims: the most used navigator. Of entry, this turns to IE8 in a favorite target, followed by Firefox. We should not be surprised, therefore, that in the future the specific attacks become more and more frequent against this navigator who has the added attraction (for the attacker) of being a multiplatform.

On the other hand, different navigators do not excite truly the comparative safety studies to me between. The utility of these compared studies is put by me in quarantine because these comparative submit the navigators to already well-known attacks and the most devastating attacks are always the innovators, not acquaintances. Said about another form, it is equivalent to irritate the airport safety because once there was an offense with planes when we all know that the next massive attack will not take place likewise the previous one: it will have another unexpected form and will take us for surprise. This new unexpected form and the consistent surprise are the base of the success of the attacker. That's why I believe that the benchmarks contribute information different from the one that often hopes to be obtained of them.

I say that I put in quarantine the utility of these comparative like safety meters, but not the subtlest information that is deduced of them: it is inadmissible that a navigator is vulnerable to well-known attacks, they demonstrate that the team responsible for this software has not done his work as it had to. And, sadly (because it puts in danger multitude of persons), it is not infrequent that are discovered bugs and vulnerabilities in IE (it is not a fixation, it is that we like or not, IE keeps on being the navigator most used in absolute terms in February, 2010) that already existed in arcane versions of this navigator or that the same one has bugs without parchear for months. (At the time of this post writes, IE8 a bug takes 8 days without parchear moderately critically that allows the exhibition of information sensitive to a remote attacker; almost ná. For 2 years with other vulnerabilities without parchear).

Since a new vulnerability promises to be until parchea, the appearance of xploits that should abuse this mistake is exponential. He was saying before the innovative attacks that they are more dangerous because one is assumed the already well-known attacks to do that the software is modified in question to improve his defense. If this patch does not come, the attacker has all the advantages: a well-known attack (something that facilitates the abuse of the vulnerability) for that the defender has not prepared himself. Without affirming anything about the safety of a concrete software, this type of laxness with the temporary remedies they suppose the whole argument to stop using a certain software.

And I say all this peacefully, without forgetting that any software is capable of having errors (of course, also our dear Firefox) that should make it capable to attacks. But: what are we going to do with that? It is not possible to avoid, the only thing that can be done is parchear as soon as possible. In that Mozilla has given that of lime and that of sand in only a few days: a system of cross-check of the software of his repository that has demonstrated imperfect (perhaps for confidence) that will be late in recovering the confidence that it was possessing between the public allowed to slip in malware, nevertheless they have been very rapid in the cleanliness of the extensions and the suppression of this concrete threat, which also demonstrated to be a minor of what seemed at first.

[And yes, it is not free of mistakes it it will never be, but in these moments I am not going to surprise anybody if I say that I recommend to use Firefox. Perhaps you were waiting for another thing? The last compilation of safety extensions that I saw the Security by default boys did.]

No comments:

Post a Comment