User avatar
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1w
Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at: github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash there addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'
9
13
4
0
User avatar
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
6d
An actual security solution:
* allow user reviews of addons
* allow users to report addons
* remove addons from the store after X number of reports
* have a reputation system for addon developers (How many addons? How many versions? How long have they been around?)
* allow high reputation developers to do code reviews of other addons and submit the results

This would help for addons in the store. For addons not in the store, users are on their own. However, even for non-store addons, NVDA could do things that would reduce risk:
* Check PGP keys. An addon that claims it was by fastfinge but isn't signed by my PGP key won't run. Public keyservers already exist; NVDA doesn't need to build infrastructure, or in any way gatekeep or endorse developers to do this.
* reserve addon names: fastfinge is the known developer of unspoken-ng. So flag a big warning before running a version of unspoken-ng developed by BobTheBad man. And don't run a version of unspoken-ng not signed by fastfinge's known PGP key at all.

There are ways to let users understand if an addon can be trusted, or how much, and who made it, without centralizing on the store, pointlessly scanning with VirusTotal, etc. NVDA addon security based on restricting functionality is never going to work. So instead, we need to create the tools to build trust models of developers, and know exactly who wrote and signed off on the code we're running.
3
6
6
0
User avatar
NV Access @NVAccess@fosstodon.org
6d
@fastfinge We do allow & encourage user reviews of add-on. Users can report add-ons & we will remove suspicious add-ons from the store. You can verify an author's history by looking at their Github. The community already do informal code reviews in the add-on group.

1/2
2
1
0
0
User avatar
NV Access @NVAccess@fosstodon.org
6d
@fastfinge 2/2 You cannot pre-make your own VirusTotal results for an add-on, that's not how it works (& if you find a way to), please RESPONSIBLY disclose this). We introduced the store to have a central, consistent way to update add-ons, not for control, but to discourage add-ons downloading their own updates without any verification.
1
1
0
0
User avatar
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
6d
@NVAccess But you haven’t stopped that from happening. Any addon can still do that. So what threat, exactly is Virus Total defending against? Users who run Windows Defender will already have it intercept known viruses. Unknown viruses aren’t likely to be picked up by defender or Virus Total. Malicious addon authors can just add code into the addon that will download the virus later, and thus never be scanned by Virus Total. I guess maybe you’d catch supply chain attacks? Those of us who distribute outside of the NVDA store can continue doing whatever the heck we want, but now we can also stick fake Virus Total keys into the addon.
0
0
0
0