On 11/28/15 2:30 PM, Kartikaya Gupta wrote:
So it seems to me that people are actually in general agreement about what the validator can and cannot do, but have different evaluations of the cost-benefit tradeoff.On the one hand we have the camp (let's say camp A) that believes the validator provides negligible actual benefit, because it is trival to bypass, but at the same time provides a huge cost to add-on developers. And on the other hand we have the camp ("camp B") that believes the validator provides some non-negligible benefit, even though it may significantly increase the cost to add-on developers. From what I have been told from multiple people, Mozilla does have actual data on the type and number of malicious add-ons in the wild, and it cannot be published. I don't really like this since it goes against openness and whatnot, but I can accept that there are legitimate reasons for not publishing this data. So the question is - do the people in camp A or the people in camp B have access to this data? I would argue that whoever has access to the data is in a better position to make the right call with respect to the cost-benefit tradeoff, and everybody else should defer to them. If people in both camps have access to the data, then clearly they have different interpretations of the data and they should discuss it further. Presumably they know who they are.
Unfortunately I think there is still some confusion about the implications of my PoC [1].
But putting that aside, I don't see how historical data is valid, given how trivial the bypass is. Since this sort of obfuscation hasn't been necessary, there's been no reason for it to be done. But that doesn't make it any less trivial, or require malware authors to be any less "lazy" to get their code signed.
Certainly arguments that have been made against whitelisting over the last few months don't hold up to scrutiny in light of the PoC, unless you're willing to argue that someone who compromised Zotero's servers, got into our VCS, got code past our review process, purchased Zotero from a large research university to turn it into malware, etc., would also be unable to dynamically generate a property name.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1227867#c26 _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
