Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.
NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes
And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.
By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.
I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?
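The check described above (visit the URL, hash the add-on, compare the hashes), written out as an added Python example; this is not code from the thread or from NVDA. It assumes a manifest shaped like the dict quoted in the thread, with a 'scanResults' dict whose 'scanUrl' ends in the SHA-256 of the scanned file, and it uses constructed archive bytes rather than a real .nvda-addon package. It also reports a missing 'scanResults' block as a status instead of raising, which is the failure the KeyError in the quoted log shows.

```python
"""Constructed example: does the VirusTotal URL in an add-on manifest refer to
the bytes actually on disk?

Assumptions (hypothetical, not NVDA's real data model):
  - manifest['scanResults']['scanUrl'] ends in the SHA-256 of the scanned file
  - the add-on archive is a constructed byte string, not a real package
"""
import hashlib
import re
from typing import Optional

# Constructed stand-in for an add-on archive (not a real .nvda-addon file).
ADDON_BYTES = b"PK\x03\x04constructed-addon-archive-contents"

_HEX64 = re.compile(r"([0-9a-fA-F]{64})$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the local archive, the value a user would compute themselves."""
    return hashlib.sha256(data).hexdigest()


def digest_from_scan_url(url: str) -> Optional[str]:
    """Pull the 64-hex-digit SHA-256 off the end of a VirusTotal file URL."""
    m = _HEX64.search(url.rstrip("/"))
    return m.group(1).lower() if m else None


def verify_scan_results(manifest: dict, addon_bytes: bytes) -> dict:
    """Compare the manifest's claimed scan target with the local bytes.

    status is one of:
      'verified'        scanUrl hash == local hash; the counts describe this file
      'mismatch'        scanUrl hash != local hash; the counts describe some other file
      'no_scan_results' manifest carries no scanResults block (reported, not raised)
      'bad_scan_url'    scanUrl present but no SHA-256 could be read from it
    """
    local = sha256_hex(addon_bytes)
    scan = manifest.get("scanResults")
    if not isinstance(scan, dict):
        return {"status": "no_scan_results", "local_sha256": local,
                "claimed_sha256": None, "counts": {}}
    claimed = digest_from_scan_url(str(scan.get("scanUrl", "")))
    # Vendor tallies are copied through as claimed; they only mean anything
    # for this file when status is 'verified'.
    counts = {k: scan[k] for k in ("malicious", "suspicious", "undetected", "harmless")
              if k in scan}
    if claimed is None:
        status = "bad_scan_url"
    elif claimed == local:
        status = "verified"
    else:
        status = "mismatch"
    return {"status": status, "local_sha256": local,
            "claimed_sha256": claimed, "counts": counts}


# Constructed manifest whose scanUrl is built from the constructed bytes,
# so it represents the honest case.
GOOD_MANIFEST = {
    "scanResults": {
        "scanUrl": "www.virustotal.com/gui/file/" + sha256_hex(ADDON_BYTES),
        "malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0,
    }
}

# The URL quoted in the thread; it cannot match the constructed bytes, so this
# stands in for a manifest whose scan result describes a different file.
THREAD_URL_MANIFEST = {
    "scanResults": {
        "scanUrl": "www.virustotal.com/gui/file/"
                   "2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88",
        "malicious": 0, "undetected": 67,
    }
}

NO_RESULTS_MANIFEST = {"name": "constructed-addon"}
BAD_URL_MANIFEST = {"scanResults": {"scanUrl": "www.virustotal.com/gui/file/"}}


if __name__ == "__main__":
    for name, m in (("good", GOOD_MANIFEST), ("thread-url", THREAD_URL_MANIFEST),
                    ("no-results", NO_RESULTS_MANIFEST), ("bad-url", BAD_URL_MANIFEST)):
        print(name, verify_scan_results(m, ADDON_BYTES)["status"])
```

The only line that carries any weight is the hash comparison: the vendor counts are reproduced from the manifest unchanged, and the function deliberately refuses to treat them as a statement about the local file unless the digest in the URL equals the digest of the bytes on disk. A single flipped byte in the archive moves the result from 'verified' to 'mismatch' while the counts stay identical.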
It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.

'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}

Traceback (most recent call last):
  File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'
@fastfinge I think there's a misunderstanding on how the Add-on Store works. Every add-on in the store must keep a consistent hash which the VirusTotal scan reflects, which must be the exact same add-on you download from the Store. NVDA won't keep the download of an add-on without a matching hash. The scan provides useful results from well respected security vendors without every user needing to know how to audit code. This is done when the add-on is uploaded to store, not from your PC. 1/2
@fastfinge 2/2 The log provided is a file read error, not a network error. We also have many warnings about the potential risks of add-ons. Signing add-ons would only prove the author, not that the add-on is safe. We're working on increased add-on security & would strongly suggest communicating security concerns privately. If any of these concerns were correct, this would be a dangerous example of irresponsible disclosure practices given you have not reached out to us privately with any of this.
@NVAccess As for reaching out privately: the fact that the entire security model here seems completely wrong to me isn’t a vulnerability. It’s endemic to your design. And I have no idea what the store does with it, but I can absolutely put my own virustotal results in a manifest of an addon distributed outside of the store. So NVDA can’t make any assertions based on that data unless it could guarantee the addon was installed from the store. And that would involve…I guess having a local list of the hashes of every single addon? The only way you can secure addons is by restricting the functions available to them, in ways I’m certain I and other users would find unacceptable. So your only workable recourse is to develop a model that strongly relies on author trust, reputation, and audit ability. To be totally honest, this feels like NVDA has not done threat modeling at all, doesn’t understand what threats an “addon security” system is attempting to prevent or what’s realistic, and hasn’t put long and hard thought into balancing the security triangle for users. Instead, from the outside, a virus total scan looks like “we must be seen to be doing something, and this is something.”
@fastfinge @NVAccess If Virustotal results were delivered with the manifest, I would agree with that. But they're not; I just looked at one of my addons. I think you have a slight misunderstanding about how all this works.
@tspivey @NVAccess I can see the dictionary that contains them in the Python Console. So how they’re delivered really doesn’t matter, if we assume either that I’m malicious or am working for another malicious actor.