网站能否检查加载项是否被修改? [英] Can a Web site check if an add-on has been modified?
问题描述
这是上下文:假设在Mozilla Firefox附加站点上有一个插件P。
考虑一个恶意用户修改P例如,使其偏离正常行为。我的第一个问题是:
- Firefox浏览器能否检测到插件不是原始插件(即下载的插件如果可以检测到这种情况,Firefox浏览器是否可以禁用(已修改)插件?
现在考虑一下这个案例与插件P进行交互的Web站点。例如,只有当插件是原创插件(尚未修改)时,该站点才允许访问Web内容。
我的第二个问题是:
- 网站能够检测到这个恶意用户修改了插件?
Firefox检测更改
从 AMO 下载的所有扩展程序均为由Mozill加密签名(链接2 )。如果扩展程序以任何方式被修改,Firefox会自动检测到已经发生了变化,并且会禁用附加组件。
但是,如果用户正在运行 Firefox开发者版, Firefox Nightly ,未标记的Beta,或无品牌发布,他们可以更改首选项,以便修改后的扩展程序不会被禁用。修改仍会被检测到,并且用户在中通知了:addons ( Ctrl - Shif - OSX上的, Cmd - Shif - A 。用户也可以下载Firefox的源代码并编译自己的版本,禁用附加签名检查。
临时附加组件
Firefox的正式版本和测试版本不允许用户永久选择安装并运行尚未签名的扩展程序,或签名后扩展名已更改的位置。然而,他们以及所有其他版本都允许将扩展程序加载为临时附加组件,即使未签名或更改也是如此。这使得在这些版本的Firefox中无法使用无符号加载项需要重新启动浏览器。
$ b
总结
Mozilla唱歌附加组件旨在防止恶意或未经Mozilla审查的附加组件被未经授权的用户下载和安装。因此,要安装未签名或已更改的加载项,用户必须跳过额外的不便步骤(不使用品牌版本或测试版Firefox,或使用临时附加安装)。但是,签名不会阻止用户有意更改加载项而无法运行它。
网站检测到扩展已经改变
不,假设对扩展的修改被故意隐藏,网页无法保证检测到发生了变化。修改后的扩展可以欺骗原始扩展代码提供给网页的任何信息。您可以很难做到这一点,但不能保证。
您还没有提到您为什么希望您的网站能够检测到这些变化。因此,如果没有猜测目的,就不可能为您提供合理的选择。
This is the context: Suppose there is a plug-in, P, available at the Mozilla Firefox add-on site.
Consider a malicious user that modifies P, for example, to make it deviate from the normal behavior. My first question is:
- Could the Firefox browser detect that the plug-in is not the original one (i.e., the one that was downloaded from Firefox site? If this can be detected, could the Firefox browser disable the (modified) plug-in?
Now consider the case of a Web site that interacts with the plug-in P. For example, the site allows access to the web content only if the plug-in is original (it has not been modified).
My second question is:
- Could the site be able to detect that this malicious user modified the plug-in?
Firefox detecting changes
All extensions which are downloaded from AMO are cryptographically signed by Mozilla (link 2). If the extension is modified in any way, Firefox will automatically detect that there have been changes and will disable the add-on.
However, if the user is running Firefox Developer Edition, Firefox Nightly, Unbranded Beta, or Unbranded Release, they can change a preference such that the modified extension will not be disabled. The modification will still be detected, and the user informed in about:addons (Ctrl-Shif-A, Cmd-Shif-A on OSX). It is also possible for the user to download the source code for Firefox and compile their own version which disables add-on signature checking.
Temporary add-ons
The normal release and beta versions of Firefox do not permit the user the option to permanently install and run extensions which have not been signed, or where the extension has been changed after signing. However, they do, along with all other versions, permit an extension to be loaded as a temporary add-on even if unsigned, or changed. This makes it impossible unsigned add-ons which require a browser restart in those versions of Firefox.
Summary
Mozilla singing add-ons is intended to prevent add-ons, which are malicious, or that just have not been reviewed by Mozilla, from being downloaded and installed by naive users. Thus, to install an unsigned, or changed, add-on, the user has to jump through extra, inconvenient steps (not use a branded release or beta Firefox, or use a temporary add-on install). However, signing does not, and was not intended to, prevent the user from intentionally changing an add-on and not being able to run it.
Website detecting that the extension has changed
No, assuming that the modifications to the extension are intentionally being hidden, there is no guaranteed way for the web page to detect that a change has occurred. The modified extension can spoof any information that is provided to the web page by the original extension code. You can make this hard to do, but it can not be guaranteed.
You have not mentioned why you are wanting your website to be able to detect these changes. Thus, without guessing as to the purpose, it is not possible to provide you with reasonable alternatives.
这篇关于网站能否检查加载项是否被修改?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
