Re: What I am missing

Thank you Jonas. I was actually thinking about the security model of
FirefoxOS or Android apps. We write powerful "webapps" nowadays. And
with "webapps" I mean regular web pages with a lot of script/html5
functionality. The browsers are fast enough to do a variety of things:
from running a linux kernel, to playing dos-games,  doing crypto,
decoding and streaming mp3. I understand a browser to be an operating
system on top of an operating system. But the need to protect the user
is a problem if you want to go beyond what is possible today.

I am asking to consider a model, where a signed script package notifies
a user about is origin and signer and even may ask the user for special
permissions like direct file system access or raw networking sockets or
anything else that would, for safety reasons, not be possible today.

The browser would remember the origin ip and the signature of the script
package and would re-ask for permission if something changes. It would
refuse to run if the signature isn't valid or expired.

It wouldn't change a thing in regard to updates. You would just have to
re-sign your code before you make it available. I used to work a lot
with java applets (signed and un-signed) in the old days, I am working
with android apps today. Signing is just another step in the work chain.

Signed code is the missing last element in the CSP - TLS environment .
Let's make the browser into something that can truly be seen as an
alternative operating system on top of an operating system.

Michaela

On 11/19/2014 08:33 AM, Jonas Sicking wrote:
> On Tue, Nov 18, 2014 at 7:40 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 11/18/14, 10:26 PM, Michaela Merz wrote:
>>> First: We need signed script code.
>> For what it's worth, Gecko supported this for a while.  See
>> <http://www-archive.mozilla.org/projects/security/components/signed-scripts.html>.
>> In practice, people didn't really use it, and it made the security model a
>> _lot_ more complicated and hard to reason about, so the feature was dropped.
>>
>> It would be good to understand how proposals along these lines differ from
>> what's already been tried and failed.
> The way we did script signing back then was nutty in several ways. The
> signing we do in FirefoxOS is *much* simpler. Simple enough that no
> one has complained about the complexity that it has added to Gecko.
>
> Sadly enhanced security models that use signing by a trusted party
> inherently looses a lot of the advantages of the web. It means that
> you can't publish a new version of you website by simply uploading
> files to your webserver whenever you want. And it means that you can't
> generate the script and markup that make up your website dynamically
> on your webserver.
>
> So I'm by no means arguing that FirefoxOS has the problem of signing solved.
>
> Unfortunately no one has been able to solve the problem of how to
> grant web content access to capabilities like raw TCP or UDP sockets
> in order to access legacy hardware and protocols, or how to get
> read/write acccess to your photo library in order to build a photo
> manager, without relying on signing.
>
> Which has meant that the web so far is unable to "compete with native"
> in those areas.
>
> / Jonas
>

Received on Wednesday, 19 November 2014 14:20:13 UTC