[Benjamin_Dobell]

Did you personally, and at least one other trusted party, sign off on every single commit, or are you trusting Mozilla?

Where did you get the hash you're comparing against?

Firstly, no matter what you're trusting the developers of the software you're running on your computer.

Secondly, the software (and/or its hash), just like this JavaScript, is delivered to you in a verifiably secure fashion i.e. SSL.

What's the difference?

Sure, this JS can change. Do you have automatic updates running for Firefox, or any piece of software on your computer?

[krageon]

With attack vectors it's also about ease of exploitation. In this case, the ease is high. If the person you are responding to compiles their own browser, the bar to put an exploit in there is already much higher. Yes, there are still attack vectors. And there always will be. The point is they're harder to access.

[Benjamin_Dobell]

Your initial comment was pretty adamant that Mozilla had really messed up by delivering the code as JS. However, what is the attack vector that they've introduced by taking this approach?

It sounds to me like you're referring to a man-in-the-middle style attack. However, to be best of everyone's current knowledge, that's simply not possible with SSL.

It's only possible if the attack vector includes having already compromised the user's computer and installed a root certificate. At which point this is all pretty moot.

[krageon]

I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

[Benjamin_Dobell]

> I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

My apologies, that's what I get for reading on my mobile.

> In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

You raise a reasonable point. It is indeed something everyone should be aware of. It's mostly a matter of trust, not security.

However, the same is equally true of someone you trust changing the binaries, source and/or hashes that are delivered to you; whether you got those from Mozilla, or somewhere else.

For example, the relatively recent Handbrake release compromise - https://news.ycombinator.com/item?id=14281808

[mercutio2]

“That’s simply not possible with SSL”

I agree that we don’t currently know of easy attacks on SSL if you’re pinning certs (which it sounds like Mozilla does here). But all you need is a rogue CA to MITM SSL if you’re not pinning certs, so I don’t think “simply not possible” is an accurate description of SSL as generally used by the broad web-dev community.

[zimbatm]

The question is how hard it is to detect tampering. My linux distribution builds firefox from source and signs the build. The builds are also checked to be reproducible.

Raising the bar is a good thing.

[tomrittervg]

I wasn't aware that any distribution (besides Tor Browser) was building Firefox (or anything really) reproducibly.

There's debian's https://reproducible-builds.org/ effort, but I thought that wasn't making much progress lately, nor was it deployed.

Could you provide more info on what distro you're using, or how they're doing this?

[srazzaque]

S/he may be referring to Gentoo Linux.

[eadmund]

> Do you have automatic updates running for Firefox …

No.

> … or any piece of software on your computer?

Also, no. But even did I, there’s a world of difference between automatic updates from e.g. Debian and automatic updates from Mozilla.

[Benjamin_Dobell]

> there’s a world of difference between automatic updates from e.g. Debian and automatic updates from Mozilla.

In what way?

This is obviously somewhat anecdotal, but...

I'm the developer of Heimdall. Software that flashes firmware onto Samsung phones. The software quite literally has the ability to replace almost every piece of software running on your phone. If it were compromised, it could not only own a user's phone, but also potentially everything a user accesses on said phone.

Sure my software is open-source, and I encourage anyone interested to inspect the code, I'm sure there are bugs. However, the `heimdall-flash` package in the official Debian repositories... I didn't make it, and I have no connection with whoever did. Now, don't be alarmed, despite being several years out of date, to the best of my knowledge it's a perfectly good package, and I'm thankful that the maintainer went to the effort. However, it would be so easy for someone to have published a malicious package. This is pretty powerful software, it has significantly more power than root on your mobile phone.

I love Debian, both philosophically and in practice. But does it really deserve your trust more than Mozilla?

[ptx]

It's perfectly normal for Debian packages to be maintained by other people that the original developers of that piece of software, isn't it? Debian has more than 60000 packages but doesn't have 60000 package maintainers – the roles are quite separate.

For example, Linus Torvalds doesn't maintain the Debian kernel packages. If whoever does were to put malicious code in the kernel packages, that would be very bad, just as if Heimdall were compromised, which is why Debian has a relatively small set of trusted package maintainers and doesn't let just anyone put code in the official distribution.

[Benjamin_Dobell]

> Debian has a relatively small set of trusted package maintainers and doesn't let just anyone put code in the official distribution

There are presently 2619 official Debian maintainer GPG keys[1].

Considering the scope, that's not ridiculous, but I wouldn't call it small.

[1] http://ftp.debian.org/debian/pool/main/d/debian-keyring/