Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at:
github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
  File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'

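The three-step check the post describes (visit the URL, hash the addon, compare) can be automated, since a VirusTotal file URL embeds the SHA-256 of the scanned file. The block below is an added example and is not NVDA's code or the poster's; the dict layout mirrors the scanResults snippet quoted above, but the real key nesting in addonStore/models/scanResults.py may differ (the quoted traceback hints at a 'virusTotal' key), and the stand-in add-on bytes are constructed. It also shows why a matching hash is still not proof of anything: whoever has the file can write a correct-looking scanUrl and any counts they like.

```python
"""Check whether a VirusTotal 'scanResults' claim in an NVDA add-on manifest
refers to the add-on file you actually downloaded.

Added example, not NVDA's code. Field names follow the manifest snippet
quoted in the thread and are an assumption about the real layout.
"""
import hashlib
import re
from pathlib import Path

# VirusTotal file URLs carry the SHA-256 of the scanned file. The copy in the
# post lost its scheme, so accept both "https://www.virustotal.com/..." and
# "www.virustotal.com/...".
_VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})(?:[/?#]|$)")


def hash_from_scan_url(scan_url):
    """Return the lower-case SHA-256 embedded in a VirusTotal file URL, or None."""
    m = _VT_FILE_URL.search(scan_url or "")
    return m.group(1).lower() if m else None


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def check_scan_claim(addon_bytes, scan_results):
    """Compare the add-on you have against the hash in the manifest's scanUrl.

    status is one of 'no_scan_url', 'bad_scan_url', 'hash_mismatch', 'hash_match'.
    Only 'hash_match' means the VirusTotal page the manifest points to is about
    this file. Even then, the detection counts in the manifest are whatever the
    author typed; only the VirusTotal page itself is authoritative for them.
    """
    local = sha256_of_bytes(addon_bytes)
    url = (scan_results or {}).get("scanUrl")
    if not url:
        return {"status": "no_scan_url", "local_sha256": local, "claimed_sha256": None}
    claimed = hash_from_scan_url(url)
    if claimed is None:
        return {"status": "bad_scan_url", "local_sha256": local, "claimed_sha256": None}
    status = "hash_match" if claimed == local else "hash_mismatch"
    return {"status": status, "local_sha256": local, "claimed_sha256": claimed}


def check_addon_file(path, scan_results):
    """Same check against an add-on file on disk."""
    return check_scan_claim(Path(path).read_bytes(), scan_results)


def self_reported_scan_results(addon_bytes, **counts):
    """What 'I can put whatever I want there' means in practice: anyone holding
    the file can emit a scanUrl with the right hash plus arbitrary counts,
    without the file ever having been uploaded to VirusTotal."""
    results = {"malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0,
               "failure": 0, "timeout": 0, "confirmedTimeout": 0, "typeUnsupported": 9}
    results.update(counts)
    results["scanUrl"] = "https://www.virustotal.com/gui/file/" + sha256_of_bytes(addon_bytes)
    return results


# Constructed sample: the scanResults block quoted in the thread, paired with a
# stand-in add-on body that is obviously not the file that hash was computed over.
QUOTED_SCAN_RESULTS = {
    "scanUrl": "www.virustotal.com/gui/file/"
               "2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88",
    "malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0,
    "failure": 0, "timeout": 0, "confirmedTimeout": 0, "typeUnsupported": 9,
}
STAND_IN_ADDON = b"PK\x03\x04 constructed stand-in bytes, not a real .nvda-addon"

if __name__ == "__main__":
    print(check_scan_claim(STAND_IN_ADDON, QUOTED_SCAN_RESULTS)["status"])
    forged = self_reported_scan_results(STAND_IN_ADDON, malicious=0)
    print(check_scan_claim(STAND_IN_ADDON, forged)["status"])
```

Run against a real download with `check_addon_file("some.nvda-addon", manifest["scanResults"])`; a `hash_match` only tells you which VirusTotal page to go and read, and nothing about code the add-on fetches after installation.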
An actual security solution:
* allow user reviews of addons
* allow users to report addons
* remove addons from the store after X number of reports
* have a reputation system for addon developers (How many addons? How many versions? How long have they been around?)
* allow high reputation developers to do code reviews of other addons and submit the results

This would help for addons in the store. For addons not in the store, users are on their own. However, even for non-store addons, NVDA could do things that would reduce risk:
* Check PGP keys. An addon that claims it was by fastfinge but isn't signed by my PGP key won't run. Public keyservers already exist; NVDA doesn't need to build infrastructure, or in any way gatekeep or endorse developers to do this.
* reserve addon names: fastfinge is the known developer of unspoken-ng. So flag a big warning before running a version of unspoken-ng developed by BobTheBadman. And don't run a version of unspoken-ng not signed by fastfinge's known PGP key at all.

There are ways to let users understand if an addon can be trusted, or how much, and who made it, without centralizing on the store, pointlessly scanning with VirusTotal, etc. NVDA addon security based on restricting functionality is never going to work. So instead, we need to create the tools to build trust models of developers, and know exactly who wrote and signed off on the code we're running.
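As an added example of the two non-store checks proposed above (signature by a known key, reserved add-on names), not code from NVDA or from the poster: gpg already emits machine-readable verification results on `--status-fd`, so a client only has to parse those lines and apply a policy table. The registry, the 40-hex fingerprints, the developer names and the status lines below are all constructed for illustration; the policy for unsigned add-ons with unreserved names is an assumption the post does not settle.

```python
"""Reserved add-on names and known signing keys, decided from gpg's status output.

Added example sketching the policy proposed in the post; not NVDA's code.
Fingerprints and status lines are constructed. In real use the fingerprints
come from the developers (keyservers, keysigning parties), not from the add-on.
"""
import subprocess

# Hypothetical registry of developer -> primary key fingerprint (fake values).
KNOWN_KEYS = {
    "fastfinge": "1111222233334444555566667777888899990000",
    "bobthebadman": "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD",
}
# Hypothetical reserved names: add-on name -> developer who owns it.
RESERVED_NAMES = {"unspoken-ng": "fastfinge"}

_BAD_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(status_text):
    """Reduce 'gpg --status-fd 1 --verify' output to (signature_ok, fingerprint).

    VALIDSIG is the line that carries the full fingerprint; its last field is
    the primary key fingerprint, which is what a registry should be keyed on.
    Any BADSIG/ERRSIG/NO_PUBKEY/expired/revoked line makes the result invalid.
    """
    valid, bad, fpr = False, False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "VALIDSIG" and len(parts) >= 3:
            fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
            valid = True
        elif keyword in _BAD_KEYWORDS:
            bad = True
    return (False, None) if (bad or not valid) else (True, fpr)


def verify_with_gpg(addon_path, sig_path):
    """Verify a detached signature with the real gpg binary (not run in tests)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, addon_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)


def decide(addon_name, claimed_author, signature_ok, signer_fpr,
           known_keys=KNOWN_KEYS, reserved=RESERVED_NAMES):
    """Return ('run' | 'warn' | 'refuse', reason) for an add-on about to load."""
    signer = None
    if signature_ok and signer_fpr:
        signer = next((dev for dev, f in known_keys.items()
                       if f == signer_fpr.upper()), None)
    owner = reserved.get(addon_name.lower())
    if owner is not None and signer != owner:
        # Reserved name under someone else's key (or no key): the post says
        # warn loudly and do not run; refusing covers both.
        who = signer or "an unknown or missing key"
        return "refuse", f"{addon_name} is reserved to {owner} but is signed by {who}"
    author = (claimed_author or "").lower()
    if author in known_keys and signer != author:
        return "refuse", f"claims author {claimed_author} but is not signed by their key"
    if signer is None:
        # Assumption: the post leaves unsigned, unreserved add-ons to the user.
        return "warn", "unsigned or signed by a key not in the registry"
    return "run", f"signed by known developer {signer}"


# Constructed gpg status transcripts in the documented --status-fd format.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 5555666677778888 fastfinge <fastfinge@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-01-01 "
    "1704067200 0 4 0 1 8 00 1111222233334444555566667777888899990000\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 5555666677778888 fastfinge <fastfinge@example.invalid>\n"
)
NO_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 5555666677778888 1 8 00 1704067200 9 -\n"
    "[GNUPG:] NO_PUBKEY 5555666677778888\n"
)

if __name__ == "__main__":
    ok, fpr = parse_gpg_status(GOOD_STATUS)
    print(decide("unspoken-ng", "fastfinge", ok, fpr))
    print(decide("unspoken-ng", "BobTheBadman", True, KNOWN_KEYS["bobthebadman"]))
```

In a real client the registry lookups would be keyed on the primary key fingerprint rather than the short key ID in the GOODSIG line, because short IDs are cheap to collide; and `verify_with_gpg` should be pointed at a keyring that only contains the keys the user has chosen to trust.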

Drew Mochak @prism@infosec.exchange
@fastfinge Wouldn't that encourage brigading? Not to mention an NVDA person would need to review all the reports. Particularly in the AI age, I can easily see someone spamming a bunch of realistic looking reports from accounts. That's not to say they couldn't be discovered, but it's extra effort for a job no one wants.
@prism This is why you track reputation. Number of false reports, account age, etc.
The blindness community is also quite interconnected. If we wanted to, a "web of trust" would be more possible for us than other communities. We regularly gather at conventions (NFB, ACB, Sight Village, Zero Project, etc.) so with accessible, easy to use and understand tools, keysigning parties could easily happen. We've already moved to the because it's more accessible, and obviously better for our needs. Let's keep thinking differently about centralization and privacy; we might discover there are other methods that will work better for us and our needs, without restricting our rights, privacy, or functionality.
NV Access @NVAccess@fosstodon.org
@fastfinge We do allow & encourage user reviews of add-ons. Users can report add-ons & we will remove suspicious add-ons from the store. You can verify an author's history by looking at their Github. The community already do informal code reviews in the add-on group.

1/2
NV Access @NVAccess@fosstodon.org
@fastfinge 2/2 You cannot pre-make your own VirusTotal results for an add-on, that's not how it works (& if you find a way to, please RESPONSIBLY disclose this). We introduced the store to have a central, consistent way to update add-ons, not for control, but to discourage add-ons downloading their own updates without any verification.
@NVAccess But you haven't stopped that from happening. Any addon can still do that. So what threat, exactly, is Virus Total defending against? Users who run Windows Defender will already have it intercept known viruses. Unknown viruses aren't likely to be picked up by Defender or Virus Total. Malicious addon authors can just add code into the addon that will download the virus later, and thus never be scanned by Virus Total. I guess maybe you'd catch supply chain attacks? Those of us who distribute outside of the NVDA store can continue doing whatever the heck we want, but now we can also stick fake Virus Total keys into the addon.
@NVAccess And I have to push back here, as well. When I go to the addon manager, and browse for and install addons, where do I see this information? There's no rating like in the Chrome or Edge addon store. No number of reviews. No number of installs. No easy way to see other addons by the same developer, so I can judge if they're an active part of the community, or malicious, or what. No contact info for the author. Maybe this is all on a website, or in a group I'm not subscribed to. But for the purposes of helping a user judge if an addon is trustworthy or not, that's effectively nowhere.
Joshua @J3317@allovertheplace.ca
@fastfinge @NVAccess it's in the other details section, tab around and you should find it.
@J3317 @NVAccess Do you mean the text field with unclickable links?
Joshua @J3317@allovertheplace.ca
@fastfinge @NVAccess Other Details: edit read only multi line Alt+ o Channel: Stable