Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.
Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at: github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py
NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash there addon
* compare the hashes
And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.
By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.
I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?
It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'
#screenreader #a11y #nvda #accessibility
🇨🇦Samuel Proulx🇨🇦
@fastfinge@interfree.ca