Trusted vs Untrusted MIME types

Thomas Leonard talex5 at gmail.com
Sun Jul 8 02:54:38 PDT 2007


On Sat, 07 Jul 2007 16:22:19 -0400, Christopher Aillon wrote:

> Thomas Leonard wrote:
>> Christopher Aillon wrote:
[ unsnipped ]
>>> Why risk a .desktop file which is wrong?

>> Both the .desktop file and the MIME information come from the
>> application, so that doesn't help you.
> 
> You are correct that the desktop file and the MIME information the
> application claims to support both come from the application.  Good
> thing for me that this thread isn't about that.  :-)

My point is, if you think that the application developer / packager will
incorrectly state that their application is safe*, then they could just as
easily state that the MIME type is safe too, which is actually worse
because it affects other programs. Therefore, this isn't a good reason not
to store this information on a per-application basis.

* <include standard "all-software-has-bugs" disclaimer here>

> I'm requesting a list of MIME types known to be potentially unsafe, 
> which already exists in epiphany's source code.  I want each application 
> that needs to use this to not have to keep track of their own list.

How was this list generated? Presumably, something like this (please
correct):

1. For each MIME type (e.g. "image/foo"), examine the applications
   commonly used to open it.

2. For each application, decide whether it is appropriate to open such
   files in that application without prompting, with prompting, or not at
   all.
   E.g. fooA, fooB and fooC are all designed to render it safely, while
   fooD will run macros inside it and is therefore not safe to use.

3. Calculate a weighted average, based on the number of users with each
   one set as their default.
   E.g. if all four are equally used, there is a 75% chance that a
   user's default application is "safe".

4. Put the type into the "safe" or "unsafe" bin, depending on whether it
   exceeds some threshold.

Is that correct?

What is the threshold? If 75% is considered "safe", then 25% of your users
will find that clicking on an image/foo file displays it with an
application known to be unsuitable for that, even in the absence of any
bugs!

(in other words, if a user complains that their computer was compromised,
we just tell them that it's not a bug and that the MIME system was designed
so that some number of users will have their systems compromised anyway)

You could set the threshold higher. If we want to have only one user per
thousand be vulnerable, we would use 99.9%. But then we end up with no
types in the "safe" bin and users of fooA, fooB and fooC being prompted
unnecessarily (or not allowed to view the file at all).

This ignores bugs. With application tagging bugs can be fixed using the
normal security process. E.g. when fooC turns out to be buggy:

1. Mark fooC as unsafe.
2. Fix the bug.
3. Mark fooC as safe again.

How does this work with MIME tagging? Do you release a new copy of the
MIME database whenever there are enough known bugs to pass the threshold
for safeness?

> You need to understand that security is all about mitigating risks. 

Tagging the types mitigates risk compared to doing nothing, but it
provides very poor quality information compared with tagging the
applications, it seems to me. Perhaps I'm misunderstanding what you do
with this data.

>> What would the warning say?
> 
> In the download manager, the download could be a different color, there
> could be an icon that would denote its status as potentially dangerous.
>   Maybe when the user attempts to open from the download manager, it
> would pop up a dialog similar to what nautilus does when you try to open
> a shell script:
> 
> "foo.sh is an executable text file.  Do you want to run foo.sh or
> display its contents?"

For the case of executables, the browser knows this automatically because
it has to execute them (they won't run themselves ;-). For applications
like Python and Bash you do need to get the information from somewhere, of
course.

> But it doesn't really matter what it would say.  You aren't going to be
> implementing that part.  It is clear that this is needed because
> epiphany already implements it.  MSIE does something similar. Mozilla is
> asking for it for use in Firefox, Thunderbird, etc.

Is it done this way because they believe it provides better security, or
because it was easier to maintain a list of MIME types than a list of
applications?


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
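The threshold scheme reconstructed in steps 1-4 above, side by side with the per-application tagging Thomas argues for, as an added toy model that is not part of the thread; the handler names (fooA-fooD), their usage shares and their "safe" flags are constructed assumptions, not real data.

```python
# Added example, not from the original thread. Handler names, shares and
# safe flags are constructed to match the 75% case discussed in the mail.
from dataclasses import dataclass


@dataclass
class Handler:
    name: str
    share: float  # fraction of users with this app as their default
    safe: bool    # renders the type without executing content (no macros)


# Constructed: four equally used handlers for "image/foo"; fooD runs macros.
HANDLERS = {
    "image/foo": [
        Handler("fooA", 0.25, True),
        Handler("fooB", 0.25, True),
        Handler("fooC", 0.25, True),
        Handler("fooD", 0.25, False),
    ],
}


def safe_fraction(mime_type, handlers=HANDLERS):
    """Step 3: share-weighted fraction of users whose default is safe."""
    apps = handlers[mime_type]
    total = sum(h.share for h in apps)
    return sum(h.share for h in apps if h.safe) / total


def mime_bin(mime_type, threshold, handlers=HANDLERS):
    """Step 4: one verdict per type. Users of unsafe defaults are the
    residual risk whenever the type lands in the 'safe' bin."""
    return "safe" if safe_fraction(mime_type, handlers) >= threshold else "unsafe"


def app_decision(mime_type, default_app, handlers=HANDLERS):
    """Per-application tagging: the verdict follows the user's actual
    default, so fooA users are never prompted because of fooD."""
    app = next(h for h in handlers[mime_type] if h.name == default_app)
    return "open" if app.safe else "prompt"


def mark(mime_type, app_name, safe, handlers=HANDLERS):
    """Flip one handler's flag: mark unsafe on a bug, safe again after the fix."""
    for h in handlers[mime_type]:
        if h.name == app_name:
            h.safe = safe


if __name__ == "__main__":
    print(mime_bin("image/foo", 0.75))    # safe, yet 25% of users open it in fooD
    print(mime_bin("image/foo", 0.999))   # unsafe, so fooA/B/C users get prompted
    mark("image/foo", "fooC", False)      # fooC turns out to be buggy
    print(app_decision("image/foo", "fooC"), mime_bin("image/foo", 0.75))
```

Raising the threshold from 0.75 to 0.999 flips the whole type to "unsafe" for everyone, while marking only fooC unsafe changes the per-application answer for fooC users alone.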