Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Firefox Privacy

Mozilla To Force All Add-on Devs To Use 2FA To Prevent Supply-Chain Attacks (zdnet.com) 21

Mozilla announced this week that all developers of Firefox add-ons must enable a two-factor authentication (2FA) solution for their account. From a report: "Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal]," said Caitlin Neiman, Add-ons Community Manager at Mozilla. "This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users," Neiman added. When this happens, hackers can use the developers' compromised accounts to ship tainted add-on updates to Firefox users. Since Firefox add-ons have a pretty privileged position inside the browser, an attacker can use a compromised add-on to steal passwords, authentication/session cookies, spy on a user's browsing habits, or redirect users to phishing pages or malware download sites. These types of incidents are usually referred to as supply-chain attacks.
This discussion has been archived. No new comments can be posted.

Mozilla To Force All Add-on Devs To Use 2FA To Prevent Supply-Chain Attacks

Comments Filter:
  • Do it right (Score:5, Interesting)

    by markdavis ( 642305 ) on Friday December 13, 2019 @10:23AM (#59515936)

    >"Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal],"

    That might not be a horrible thing, as long as they don't define "2FA" as "we must have your cell phone number" which is what seems to occur with most sites. Doing it "right" means not trying to force users to disclose something they don't necessarily want businesses to have (or get hacked or disclosed or "shared"), and something that doesn't force the user to use some software that doesn't run on their preferred platforms.

    I just went through this with my health insurance company, who REQUIRED that I use their portal to get a prescription and REQUIRED that get a text message, which means I would be forced to disclose my mobile number to them (which they would then use to spam me forever). Or I could disclose my phone number with an automated voice call, which doesn't work with my work number (due to auto attendant) and I still refuse to disclose my mobile number for the same reasons. They didn't support Email for 2F, at all. I ended up having to call their tech support to get an exception so I could get in. They had to just disable 2FA completely for me.

    Some other company had the same stuff as above, but one addition- an "app", which needs permission to my number, so it would disclose that, yet again, to the company.

    I am not anti-2fa for *important* accounts. But I am against many of the designs that have been used so far, because many companies are using this as an excuse to pry into our lives even further than they already do by insisting they know our mobile phone numbers.

    • Anything else than an Authenticator app or physical key of some sort is not secure - text messages can be intercepted by SIM swap, and email is even worse as it’s basically clear text going over several servers/routes.
      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Friday December 13, 2019 @10:52AM (#59516004) Homepage Journal

        Anything else than an Authenticator app or physical key of some sort is not secure

        It is indeed a TOTP authenticator app.

        Mozilla's 2FA support page [mozilla.org] lists compatible apps as including Authy, Google Authenticator, Duo Mobile, FreeOTP, andOTP, or KeePassXC. Most are exclusive to phone operating systems (Android with Google Play or iOS), though Authy also runs on proprietary desktop operating systems (Microsoft's Windows or Apple's macOS). The only one of these that runs on X11/Linux is KeePassXC.

        For comparison: I don't use Twitch because of its strict dependence on Authy in order to obtain a stream key. Authy's desktop app for Windows did not work for me under Wine in Xubuntu. In order to use Authy on X11/Linux, I would have to install Google Chrome, an entire different web browser, just for one extension. That looks to me, a regular user of Firefox, like such a waste of both RAM and SSD space.

        • Lighten up man, installing Chrome is not going to be a resource problem on your system. You could probably tax resources by using it irresponsibly, but since you just need it for 2fa you can leave it closed 99.9% of the time.
        • by q4Fry ( 1322209 )

          If you don't like "apps," just `apt install oathtool`. man oathtool [nongnu.org]

      • I can see recovery being through both SMS and E-mail, at least requiring one to verify via at least two, if not three different channels, be it mail, SMS, phone call to a number already configured, recovery codes, or in extreme cases, a small fee on a validated credit card, or in extreme cases, a code sent via registered mail.

        SMS, and RCS are worthless for recovery protocols. If a messaging protocol had to be used, it should be Signal, or perhaps just a GPG encrypted E-mail.

        As for authentication, the Bog-s

    • You realise that as an insurer dealing with your health information, they can't permit access to your phone # or various other ePHI or III, without explicit written authorization stating what, when, what for, and so on. Otherwise, sue them for violating HIPPA and thank them for giving you proof.

      • You mean explicit permission like you agreed in paragraph 145 of your contract?

        Personally i got a second prepaid phone number a year ago that I use for the spam.

      • >"You realise that as an insurer dealing with your health information, they can't permit access to your phone # "

        * Yet THEY can use it to spam me constantly, which I don't want.
        * And they can legally "share" it with other countless providers and companies with whom they have a BSA, and then THEY can spam me.
        * And I might be forced to "agree" to them doing other things with my number in some obscure thing I "agreed" to in some 100 page legal click-through, of which I have no option to not "agree" with.

        I d

    • I just went through this with my health insurance company, who REQUIRED that I use their portal to get a prescription and REQUIRED that get a text message, which means I would be forced to disclose my mobile number to them (which they would then use to spam me forever). Or I could disclose my phone number with an automated voice call, which doesn't work with my work number (due to auto attendant)

      Or you could get a google voice number for free, and they can receive text messages, and optionally forward them to your email.

    • Not that anyone seems to care.

      The "something you have" is not supposed to be input from another untrusted first factor, but an actual key. That you then decrypt with the first factor.
      How exactly is a phone a "key" that gets decrypted? (It isn't.)

      But hey... Without actually knowing who you are, knowing you know and have something is all security theater anyway.

      Also, I don't trust Mozilla in the first place, given that I never met a single person of them. For all I know, the OS I downloaded Firefox with, was

      • How exactly is a phone a "key" that gets decrypted? (It isn't.)

        Android and iOS provide some means of private storage that applications can use for keys. So here's how TOTP [wikipedia.org] works, as I understand it:

        1. At signup time, a website issues a shared secret to a user via a QR code or a type-in code.
        2. The TOTP authenticator application (the "app") stores this shared secret in private storage.
        3. At login time, the app calculates the time since New Year's 1970 in 30-second units, hashes it with the shared secret, and produces a 6-digit code.
        4. The website asks the user for this

  • This is not preventing a supply chain attack, a supply chain attack is when one of your dependencies is compromised. In this case the product is the add-on, hence if the developer's account is compromised its a direct attack not a supply chain attack.
  • 2FA prevents me from even bothering to install it.
    • by Tool Man ( 9826 )

      2FA prevents me from even bothering to install it.

      If that's just your own data and systems that 2FA might protect, that's up to you. Maybe not brilliant, but your call.
      In this case, it's Mozilla's decision to protect their infrastructure and users, and one dev deciding to not use 2FA could affect thousands of people.

      So, if 2FA was all that stood in the way of a dev who can't be bothered, then your participation likely won't be missed, and it's a reasonable security decision.

      • Online security is a lie. Nothing that communicates across the internet is safe. The only "safe" thing you can do is not be connected to the internet.
  • Seems like another one for them:

    *In 2019, I wanted to develop an extension for firefox (the privacy focused browser!) but they demanded my phone number..

    Biggest joke being that chrome has most of the market share and where such attacks would take place. Half of the rando extensions in the web store are spyware. Google removes nothing.

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...