3w
Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at:
github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'

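The "hash your addon and compare" procedure from the post above, worked through as an added example (my own code, not NVDA's or NV Access's). It assumes only that a VirusTotal file-report URL, like the scanUrl in the logged dict, ends in the file's SHA-256, and that the sample add-on file and metadata dicts are constructed stand-ins; the tolerant metadata lookup is an assumption based on the logged dict and the KeyError in the traceback, not NVDA's actual parser.

```python
import hashlib
import os
import re
import tempfile
from typing import Optional

# VirusTotal file-report URLs (like the scanUrl logged above) end in the
# file's SHA-256 as 64 hex characters.
_VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large .nvda-addon bundles are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_from_vt_url(url: str) -> Optional[str]:
    """Pull the SHA-256 out of a VirusTotal file URL; None if it is not one."""
    match = _VT_FILE_URL.search(url)
    return match.group(1).lower() if match else None


def scan_url_from_metadata(metadata: dict) -> Optional[str]:
    """Locate scanResults.scanUrl in add-on metadata without raising KeyError.

    Assumption: the logged dict has scanUrl directly under scanResults, while
    the traceback shows code expecting a 'virusTotal' sub-key; accept both
    shapes and return None when neither is present.
    """
    results = metadata.get("scanResults") or {}
    nested = results.get("virusTotal") or {}
    return nested.get("scanUrl") or results.get("scanUrl")


def verify_addon_against_scan_url(addon_path: str, scan_url: Optional[str]) -> dict:
    """Compare the local add-on's SHA-256 with the hash the scan URL refers to.

    A report only says something about the file you actually hold when the
    two hashes are identical; any mismatch (or a missing URL) means the report
    describes some other file.
    """
    expected = hash_from_vt_url(scan_url) if scan_url else None
    actual = sha256_of_file(addon_path)
    return {
        "expected": expected,
        "actual": actual,
        "match": expected is not None and expected == actual,
    }


def make_sample_addon(contents: bytes = b"PK\x03\x04 constructed sample add-on") -> str:
    """Write a constructed stand-in for a .nvda-addon file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".nvda-addon")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    path = make_sample_addon()
    # Constructed URL whose hash genuinely matches the sample file.
    good_url = "https://www.virustotal.com/gui/file/" + sha256_of_file(path)
    print(verify_addon_against_scan_url(path, good_url))
    # A report for a different file: the hashes differ, so it says nothing about this add-on.
    other_url = "https://www.virustotal.com/gui/file/" + "0" * 64
    print(verify_addon_against_scan_url(path, other_url))
    # Metadata with no scan URL at all, as in the logged KeyError case.
    print(verify_addon_against_scan_url(path, scan_url_from_metadata({})))
```

The point of the check is the one the post makes: a scan result is only evidence about the bytes you installed if the hash in the report equals the hash of the local file, so the comparison has to be done locally, against the actual file, rather than trusting whatever URL or counts the metadata carries.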
NV Access @NVAccess@fosstodon.org
3w
@fastfinge I think there's a misunderstanding on how the Add-on Store works. Every add-on in the store must keep a consistent hash which the VirusTotal scan reflects, which must be the exact same add-on you download from the Store. NVDA won't keep the download of an add-on without a matching hash. The scan provides useful results from well respected security vendors without every user needing to know how to audit code. This is done when the add-on is uploaded to store, not from your PC. 1/2
NV Access @NVAccess@fosstodon.org
3w
@fastfinge 2/2 The log provided is a file read error, not a network error. We also have many warnings about the potential risks of add-ons. Signing add-ons would only prove the author, not that the add-on is safe. We're working on increased add-on security & would strongly suggest communicating security concerns privately. If any of these concerns were correct, this would be a dangerous example of irresponsible disclosure practices given you have not reached out to us privately with any of this.
3w
@NVAccess As for reaching out privately: the fact that the entire security model here seems completely wrong to me isn’t a vulnerability. It’s endemic to your design. And I have no idea what the store does with it, but I can absolutely put my own virustotal results in a manifest of an addon distributed outside of the store. So NVDA can’t make any assertions based on that data unless it could guarantee the addon was installed from the store. And that would involve…I guess having a local list of the hashes of every single addon? The only way you can secure addons is by restricting the functions available to them, in ways I’m certain I and other users would find unacceptable. So your only workable recourse is to develop a model that strongly relies on author trust, reputation, and audit ability. To be totally honest, this feels like NVDA has not done threat modeling at all, doesn’t understand what threats an “addon security” system is attempting to prevent or what’s realistic, and hasn’t put long and hard thought into balancing the security triangle for users. Instead, from the outside, a virus total scan looks like “we must be seen to be doing something, and this is something.”
Tyler Spivey @tspivey@dragonscave.space
3w
@fastfinge @NVAccess If Virustotal results were delivered with the manifest, I would agree with that. But they're not; I just looked at one of my addons. I think you have a slight misunderstanding about how all this works.
3w
@tspivey @NVAccess I also think it’s fair to say that any malicious payload delivered via an NVDA Addon is going to be targeted to NVDA users. So you have to assume it knows about NVDA’s security process. So once again, unless I’ve misunderstood a lot more than I think I have, a Virus Total scan is nothing more than a placebo at best. I’d love to be wrong here.
3w
@tspivey @NVAccess I’ll grant you that I was incorrect about it being delivered in the manifest. But from the perspective of a malicious addon author, I’m not sure how it’s delivered really makes any difference if I can still intercept and modify it at will. It’s still data that the users local copy of NVDA, running on the user’s machine with the user’s addons of unknown providence installed, cannot trust. I admit I’m not the expert either of you are, but I can’t think of a way around this that doesn’t have other awful side effects. It would be safer for everyone for NVAccess to work on developing a trust model for addon developers and a reputation system for addons, rather than pretending it can make any claims at all about the safety of an addon. Again, unless I’m wildly wrong somewhere. And if I am, I’d love to know.
Tyler Spivey @tspivey@dragonscave.space
3w
@fastfinge @NVAccess If I ran a malicious addon, yes, that addon could modify the VirusTotal results of another one. But at that point, the author already has code running on my machine that can do whatever it wants, so there would be no reason to do that. When you open the store for the first time, it warns you: "Add-ons are created by the NVDA community and are not vetted by NV Access. NV Access cannot be held responsible for add-on behavior. The functionality of add-ons is unrestricted and can include accessing your personal data or even the entire system." That warning seems clear enough. I'm sure if there was a malicious addon on the store, NV Access would remove it. But you run them at your own risk.
Advocating for a better security model might not be a bad idea, though I don't know what that would look like. It also takes resources I don't think NV Access has.
@tspivey @NVAccess Right. But what I don’t understand is why they’re spending resources on this. It doesn’t inconvenience any users, sure. But it also doesn’t inconvenience any attackers. And for inexperienced users, a virus total result saying “0 threats” sounds the same as saying this addon is safe. What NVDA can do is make assertions about who developed any given addon. Users can then decide if they trust that developer or not. IMHO, that’s where effort should be spent. Not in pretending to play a threat detection game that even the likes of Google and Microsoft can’t win.
@tspivey @NVAccess Also, I have two trusted addons, one in the store. Give me $500 per addon and I’ll make sure everyone running my addons never see that your addons have viruses. And when your malicious addon eventually gets removed, mine will probably remain unnoticed in the store so I can sell my result modification to my next customer. This is a joke! Not a real offer! But someone could easily do this. The only practical defence is for users to know and trust the developers of their addons. Not just to be not evil, but also to be skilled. Once you have a single addon installed, you can no longer trust anything NVDA reports unless you trust that addon author. That’s why I think we need pgp keys and author identities front and center. All a virus total scan can do is, at best nothing, and at worst convince a user that an addon is safe when it isn’t.
NV Access @NVAccess@fosstodon.org
3w
@fastfinge @tspivey I really cannot stress enough how irresponsible it is to have a discussion about what you believe may be a security hole - in ANY software - on a public forum. We, like other software companies, have published ways of responsibly disclosing information like this, as well as readily available email contacts. Even if you're not sure if something is a bug or a security hole or not, or just have a general suggestion for improvement, ask privately & we'll happily check.
Tyler Spivey @tspivey@dragonscave.space
3w
@NVAccess @fastfinge For my part in this, I was only trying to explain what was going on to avoid spreading wrong info around. If there was an actual security issue, I would of course report it privately. I've always gotten a response quickly, even if the issue I report doesn't turn out to be one. Whether Mastodon is a good place to have these kinds of technical discussions about NVDA's design is another question, since I assume the entire team isn't going to see it. Email is probably a better option there.
NV Access @NVAccess@fosstodon.org
3w
@tspivey @fastfinge Thanks Tyler, no your information was spot on and much appreciated!
@NVAccess @tspivey So the answer to a poorly thought out security model is to demand that discussions of it happen in private? That’s an even worse decision than the one I’m upset about.