Why does Firefox force a 3 second delay before installing add-ons?

54

6

I presume there is a security benefit to Firefox's delay before installing add-ons, but for the life of me I can't figure out what it is. (Yes, I know you can disable the delay.)

If you answer this question, please provide references from Firefox mailing lists or commit logs.

Natan Yellin

Posted 2011-08-08T11:48:50.480

Reputation: 572

12 The question should be "why is Mozilla the only one doing this?". IMHO, every new dialog should enable the buttons 1 sec after showing them because you might accidentally click it (or someone wants you to click it without your consent). I really hate it when I click somewhere and a button spawns there just before I click. It also happens with phones when someone calls you right at the moment you want to tap that 'play' button. – Mike – 2011-08-08T13:31:41.073

4 "If you answer this question, please provide references from Firefox mailing lists or commit logs." If this is your requirement, then can't you do your own searching? – kmm – 2011-08-08T17:33:59.213

2 Maybe it's not that easy to find, or there are some other things to consider. Maybe somebody here would have had more internal information -- who knows? It's not bad to ask per se @Kevin – slhck – 2011-08-08T18:08:12.770

I tried to look myself, but I couldn't find the information. (I said so in an edit hours ago, which was somehow lost: http://superuser.com/users/68351/aantn?tab=activity#apage_1-afilter_revisions) – Natan Yellin – 2011-08-08T19:04:18.470

@aantn Sorry, I had removed it as it didn't really add necessary information to the question. We generally expect people to search first, so there's no need mentioning it :) – slhck – 2011-08-08T19:10:14.003

Answers

71

Why?

  • Because they want you to think about what you're doing
  • Because it prevents accidental installations
  • Because it prevents maliciously triggered installations

How can you maliciously trigger an installation?

Here's an interesting article about race conditions in security dialogs by Jesse Ruderman:

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.

Basically, it all comes down to predicting when a user would click and then intercepting that click within an installation dialog. Ruderman explained a more concise game situation like this in his bug report from Firefox, which ultimately led to the inclusion of the delay period.

To summarize again, his main point was:

If I can control or predict when and where a user will click, I can get them to install software.


Any alternatives to the delay period?

The delay period was certainly only one way of dealing with this. Another one could have been shuffling the buttons for "Install", "Cancel" every time you would install something. This is something used very often, but it confuses the user more than it helps.

Another idea would be moving the window location randomly for every dialog. This has the same result as shuffling the buttons, namely confusing the user.

Also, introducing randomness is not the ultimate solution. If there are keyboard shortcuts for the buttons, you could intercept keypresses as well. That all being said, it seems more like a legacy feature today, as most plugins are installed from the official Firefox add-on website anyway.

slhck

Posted 2011-08-08T11:48:50.480

Reputation: 182 472

1 Don't the installation permissions for addons.firefox.org solve this? – Natan Yellin – 2011-08-08T12:27:17.767

Most probably. It would help to have the option to permanently accept (like you can with certificates) -- generally it seems more like a legacy "feature". But I'm not a Firefox user, so I can't really comment on this. – slhck – 2011-08-08T12:28:51.550

... cool demo! :) – sebastian_k – 2011-08-08T18:00:23.350

Per-site installation permissions don't help by themselves, because a malicious site can arrange to trick you into clicking on a button on a site that has been granted permissions. (Yes, even with aggressive clickjacking defenses - this is not a solved problem.) – zwol – 2011-08-09T00:34:31.473

@Zack, can you give an example for addons.firefox.org? – Natan Yellin – 2011-08-10T00:08:27.007

@Natan: I'm not sure exactly what you mean by an example. The basic idea is you arrange to have a window containing the addons site directly underneath the window with the malicious site. Then you do the double-click attack, as Jesse described; the first click dismisses the malicious site's window, the second click hits AMO's install button. There are some technical hurdles - JS isn't always allowed to move windows, for instance - but nothing designed to prevent this. – zwol – 2011-08-10T13:54:50.060
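The delayed-enable fix described in the answer above, sketched as an added example (not code from the original post or from Firefox). The class, its method names and the injected clock are hypothetical, and restarting the delay when the dialog regains focus is an assumption of this sketch. Because the check depends only on elapsed time, it treats a mouse click and a keyboard shortcut identically, which is the weakness the answer notes in position-shuffling alternatives.

```javascript
// Added example: time-based guard for a confirmation dialog's accept action.
// DelayedConfirmGuard and its methods are hypothetical names.
const ENABLE_DELAY_MS = 3000; // the three-second delay described in the answer

class DelayedConfirmGuard {
  constructor(now = () => Date.now(), delayMs = ENABLE_DELAY_MS) {
    this.now = now;
    this.delayMs = delayMs;
    this.armedAt = null; // null: dialog not shown, or currently unfocused
  }
  shown() { this.armedAt = this.now(); }   // dialog became visible
  // Assumption of this sketch: losing focus disarms, regaining it restarts the delay.
  blurred() { this.armedAt = null; }
  focused() { this.armedAt = this.now(); }
  // Milliseconds until accept is allowed (Infinity while disarmed).
  remaining() {
    if (this.armedAt === null) return Infinity;
    return Math.max(0, this.armedAt + this.delayMs - this.now());
  }
  // Route every accept path here: mouse click, Enter key, access key.
  tryAccept(source) {
    const wait = this.remaining();
    return wait === 0
      ? { accepted: true, source }
      : { accepted: false, source, retryInMs: wait };
  }
}

// Replay a list of input events against a fake clock and collect the decisions.
function replay(events) {
  let t = 0;
  const guard = new DelayedConfirmGuard(() => t);
  const results = [];
  for (const ev of events) {
    t = ev.at;
    if (ev.type === "accept") results.push(guard.tryAccept(ev.source));
    else guard[ev.type]();
  }
  return results;
}

// Constructed timeline (milliseconds), not captured data.
const SAMPLE = [
  { at: 0, type: "shown" },                        // first click of a double-click opened the dialog
  { at: 150, type: "accept", source: "mouse" },    // second click lands on "Install"
  { at: 400, type: "accept", source: "keyboard" }, // shortcut pressed too early
  { at: 3200, type: "accept", source: "mouse" },   // deliberate click after the delay
  { at: 5000, type: "blurred" },
  { at: 5100, type: "focused" },
  { at: 5200, type: "accept", source: "mouse" },   // click right after focus returned
];
```

Calling `replay(SAMPLE)` returns one decision per accept event, with `retryInMs` showing how long the button would stay disabled.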