3w
Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at:
github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'

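The manual check the post describes (visit the scan URL, hash the add-on, compare the hashes), as an added Python example that is not part of this thread or of NVDA's code. The add-on bytes and the store metadata are constructed here, and accepting either a nested 'virusTotal' key or the flat 'scanResults' dict seen in the traceback is an assumption for illustration, not NVDA's documented behaviour.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for a downloaded .nvda-addon archive (not a real add-on).
ADDON_BYTES = b"PK\x03\x04constructed-sample-addon-archive"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_from_scan_url(scan_url: str) -> Optional[str]:
    """Pull the 64-hex-digit SHA-256 out of a VirusTotal 'gui/file/<hash>' URL."""
    m = re.search(r"/gui/file/([0-9a-fA-F]{64})", scan_url)
    return m.group(1).lower() if m else None


def build_metadata(addon_bytes: bytes, nested: bool = True) -> Dict:
    """Constructed store metadata in the shape quoted in the thread; the hash in
    scanUrl is derived from addon_bytes so the two agree by construction."""
    vt = {"scanUrl": "https://www.virustotal.com/gui/file/" + sha256_hex(addon_bytes),
          "malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0}
    # Assumption: the parser in the traceback wanted a 'virusTotal' key; the
    # quoted manifest had the fields directly under 'scanResults'. Build either.
    return {"scanResults": {"virusTotal": vt} if nested else vt}


def verify_scan_results(metadata: Dict, addon_bytes: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the scanUrl names exactly the
    bytes we hold, so the listed vendor verdicts apply to this file."""
    scan = metadata.get("scanResults", {})
    vt = scan.get("virusTotal", scan)  # tolerate both nestings (see assumption above)
    url = vt.get("scanUrl")
    if not url:
        return False, "no scanUrl in metadata"
    claimed = hash_from_scan_url(url)
    if claimed is None:
        return False, "scanUrl does not contain a SHA-256"
    actual = sha256_hex(addon_bytes)
    if claimed != actual:
        return False, f"hash mismatch: url {claimed[:12]}... vs file {actual[:12]}..."
    if vt.get("malicious", 0) or vt.get("suspicious", 0):
        return False, "scan reports malicious or suspicious detections"
    return True, "scanUrl hash matches downloaded file"


if __name__ == "__main__":
    print(verify_scan_results(build_metadata(ADDON_BYTES), ADDON_BYTES))
    print(verify_scan_results(build_metadata(ADDON_BYTES), ADDON_BYTES + b"!"))
```

Passing this check only ties the vendor verdicts to the bytes on disk; as the thread goes on to say, it says nothing about code the add-on fetches at runtime.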
NV Access @NVAccess@fosstodon.org
3w
@fastfinge I think there's a misunderstanding on how the Add-on Store works. Every add-on in the store must keep a consistent hash which the VirusTotal scan reflects, which must be the exact same add-on you download from the Store. NVDA won't keep the download of an add-on without a matching hash. The scan provides useful results from well respected security vendors without every user needing to know how to audit code. This is done when the add-on is uploaded to store, not from your PC. 1/2
3w
@NVAccess But this is utterly meaningless. Any addon can download and run any code it wants, from any URL. So there is no guarantee the addon isn’t running malicious code. As long as the addon can download and run its own code, the virus total results can’t mean anything. So they’re security theatre, as I said. Either NVDA blocks addons from downloading arbitrary files to the user’s machine completely, NVDA manually reviews all addon code (and the code of any network servers the addon uses), or the Virus Total results in the store are useless.
Jayson Smith @jaybird110127@dragonscave.space
3w
@fastfinge @NVAccess Sorry for jumping in here, but just pointing out that NVDA reviewing code downloaded from external servers is pointless, as if you're a malicious addon creator, you can just wait for NVDA to give your addon a clean bill of health and add it to the store, then flip a switch on your server so that the good, clean, harmless code you were downloading to satisfy the review process is now replaced with the worst virus/trojan/malware imaginable.
3w
@jaybird110127 @NVAccess I thought that was obvious enough to not need saying. But perhaps it wasn’t, so thank you for saying it. Chrome addons, and even Android and iOS apps, do this constantly. But Google and Apple have to keep fighting the good fight, and ever restricting functions, because there are just so many app developers that expecting users to know who any of them are or who they can trust is impossible. In the much smaller community of addon developers, that’s really not the case.