3w
Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at:
github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'
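The three-step check from the update above (visit the URL, hash the add-on, compare the hashes), as an added Python example that is not NVDA's or the original poster's code. It assumes the manifest shape quoted in the post, with the scan data possibly nested under a virusTotal key as the traceback hints; the sample manifest is constructed from the values in the post.

```python
import hashlib
import re

# Constructed sample mirroring the scanResults block quoted in the post above;
# the sha256 in the URL is the one from that post.
SAMPLE_MANIFEST = {
    "scanResults": {
        "scanUrl": "https://www.virustotal.com/gui/file/"
                   "2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88",
        "malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0,
        "failure": 0, "timeout": 0, "confirmedTimeout": 0, "typeUnsupported": 9,
    }
}

_VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")


def extract_scan_results(manifest):
    """Return the scan-results dict, or None if the manifest carries none.

    Assumption: some builds nest the data under a 'virusTotal' key (the
    KeyError in the traceback above suggests that), so both shapes are tried.
    """
    results = manifest.get("scanResults")
    if not isinstance(results, dict):
        return None
    nested = results.get("virusTotal")
    return nested if isinstance(nested, dict) else results


def sha256_from_scan_url(url):
    """Pull the sha256 out of a VirusTotal /gui/file/<sha256> URL, or None."""
    match = _VT_FILE_URL.search(url or "")
    return match.group(1).lower() if match else None


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_scan_results(manifest, addon_bytes):
    """Tie the manifest's VirusTotal claim to the bytes actually installed.

    'match'        - the URL names exactly the file you have, so the counts
                     (malicious, undetected, ...) refer to it
    'mismatch'     - the URL names some other file; the counts say nothing
                     about your add-on
    'unverifiable' - no usable scanUrl; treat the counts as unverified
    """
    results = extract_scan_results(manifest)
    claimed = sha256_from_scan_url(results.get("scanUrl")) if results else None
    if claimed is None:
        return "unverifiable"
    return "match" if claimed == sha256_of_bytes(addon_bytes) else "mismatch"
```

Even a "match" only tells you the counts describe your file; it says nothing about code the add-on fetches at run time, which is the point the second update makes.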

NV Access @NVAccess@fosstodon.org
3w
@fastfinge I think there's a misunderstanding on how the Add-on Store works. Every add-on in the store must keep a consistent hash which the VirusTotal scan reflects, which must be the exact same add-on you download from the Store. NVDA won't keep the download of an add-on without a matching hash. The scan provides useful results from well respected security vendors without every user needing to know how to audit code. This is done when the add-on is uploaded to store, not from your PC. 1/2
NV Access @NVAccess@fosstodon.org
3w
@fastfinge 2/2 The log provided is a file read error, not a network error. We also have many warnings about the potential risks of add-ons. Signing add-ons would only prove the author, not that the add-on is safe. We're working on increased add-on security & would strongly suggest communicating security concerns privately. If any of these concerns were correct, this would be a dangerous example of irresponsible disclosure practices given you have not reached out to us privately with any of this.
MostlyBlindGamer @MostlyBlindGamer@dragonscave.space
3w
@NVAccess @fastfinge responsible disclosure of what? A user read something in their logs that looked like a feature, not a bug. As is expected in FOSS, they didn’t implicitly trust you. I looked at your open source code and assuaged their concerns, one of the key benefits of the FOSS model. What was even disclosed here?

The rest of the conversation is a whole other story: NVDA exists in a complex environment where it needs to satisfy a wide range of users and stakeholders. That NVAccess can’t make every single one completely happy is a foregone conclusion.
3w
@MostlyBlindGamer @NVAccess Public criticism of the security model is disclosure I guess. Other than complaining about inaccuracies I’ve gone out of my way to correct, NVaccess has declined to respond to the actual problem here: VirusTotal scanning is ineffective, and gives users a false sense of security, while being easy for malicious addons to work around. That’s not an exploit! That’s the system working as designed!
NV Access @NVAccess@fosstodon.org
2w
@fastfinge @MostlyBlindGamer We actually went out of our way to answer all your initial points, which were mostly incorrect assumptions. The point about responsible disclosure is simple: you found something you believed enabled a malicious actor to spread malware through add-ons - the responsible thing is to share that with us privately so we can fix it if needed. By sharing it publicly first, you potentially allow someone to exploit a vulnerability you didn't give us a chance to fix.
2w
@NVAccess @MostlyBlindGamer This is, to be blunt, not true. You corrected assumptions that my post was edited to correct hours before you got involved. The rest of the thread is you complaining that the design of security systems should be conducted completely behind closed doors. I am doing my best to believe you are conducting this discussion in good faith. But I’m starting to struggle. As you are the nv access official account, it’s starting to look like nvaccess just doesn’t want any public discussion or criticism of its design choices.