[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Jean-Baptiste Kempf jb at videolan.org
Tue Mar 21 08:01:19 CET 2017


On 21/03/2017 07:15, Pierre Ynard wrote:
>> You have no idea what "security through obfuscation" is. Open source
>> is the exact opposite of that.
>
> I believe you understood what I really meant.

No. You use terms that have an actual meaning and use them for another 
meaning.

> But thank you for pointing
> out the fact that VLC is open-source, and as such, the security patches
> that you push are moot since it's so easy for an attacker to strip them
> from the source and rebuild binaries, or patch binaries directly, or add
> any other piece of malware in another way.

And then you break the signature.

>> So, since you have an issue, let's not fix the other ones? I have a
>> hole in my wall, but I won't fix it, because my window is open?
>
> You wake up in the morning, your paint is peeling, your curtains are
> gone, and the water is boiling. Which problem do you deal with first?

Exactly, you start with the biggest issues, and you fix them, one by
one.

>> If you check, EVERY other main application is using embedded manifest,
>> except us.
>
> If you leave it at that, your argument is cargo cult.

Cargo cult does not mean what you think it means.

>> bloat, by loading explicitly vs loading implicitly? Are you serious?
>
> Yes, very much so.

Sorry, but then you have no idea what you are talking about.
The difference in code is not big, and the difference in CPU time is 
negligible, notably because it's only done the first time.

>> We're not scanning installation directory from known libraries
>
> Well maybe you should, it would be a step up from what was done.

You don't know what known libraries are.

>> So your point is that signing binaries is bad? Wow. Then why are
>> debian packages signed?
>
> Once again I believe you actually understood what I really meant.

No, I did not.

> Signatures of Debian packages are good and enforced by the package
> manager. My point is that if you're dissatisfied because it's too easy
> to tamper with the VLC installation directory, maybe you should improve
> the packaging to ensure integrity, instead of fiddling with vlc.exe
> without protecting it against tampering.

Which is EXACTLY what is already done on macOS and also what is 
happening on Windows 10.

>> Also, addressing the issues is important for our users, see the
>> reactions on various social media. If you don't care about them, then
>> fine, but don't attack people who do.
>
> I don't know if you care about the users, and I don't know if you do
> this out of care for them. To me, you come off as caring about your
> corporate interests.

Plonk. You go too far. What corporate interests?

> And maybe that's just me but I feel you care more
> about them than about my interests as a developer.

Clearly. I care more about users than you. You speak without 
understanding anything, making me waste my time.

>>> I like this statement: https://pbs.twimg.com/media/C6V78U1WYAEaEvM.jpg
>>
>> That has nothing to do with our case here. It is about the security of
>> an app on an insecure system.
>
> Well, first, I disagree. If you can't use the normal link mechanism of
> an OS to load its system libraries because it opens and exposes you to
> attack vectors, this is an OS security problem.

Yes, and the solutions advised by Microsoft are to do exactly what we've 
done: sign binaries, use embedded manifest, dlopen with full path or 
from system32, use knowndll.

> Then, and I hope you understood what I meant, the real point is the
> Telegram statement expresses one simple message in a clear way.

But no. This is not the same. The Telegram issue is about having a 
keylogger and a spyware installed. Not about system security.

>> Now, we're schizophrenic? So you're down to insults?
>
> If I was down to insults, it's not schizophrenic I would call you ;)
> Besides, that's not very politically correct.

You've already insulted me more than twice in this thread.

> When I read the mailing list, the commit log, the PR statement, I don't
> feel much soundness or oneness in what's going on: I see different
> efforts to cover several fronts at the same time, all opposed to each
> other

How about you come and ask on IRC what we're working on?
Instead of coming and attacking us like you are doing?

> I already gave some suggestions.

Yeah right: do nothing because Windows is bad at security and try to 
educate 300 million users?

> Moreover if it's stored on and run from removable media, I can't
> imagine any good mechanism to maintain integrity.

Well, you see? We do.
With what we've done, and the loading plugins signature check, the 
integrity is maintained. And BECAUSE we use embedded manifest, and 
BECAUSE we use dlopening of un-knowndll.

> aborting if necessary. Checking that the installation directory is not
> writable. Checking that the installation directory was not written to -
> actually some filesystem timestamps cannot be tampered with without raw
> filesystem access.

But that's not necessary and way too complex.

> As part of the privileged installer, would it be possible or desirable
> to extend the KnownDLL list to cover system libraries that VLC uses?

Of course not!

Once again, you show that you've read absolutely nothing about the 
issue. So let me explain it again: YOU CANNOT MODIFY KnownDLL LIST!

Before answering, you should really look at the documentation, install 
Windows, and read a bit about what has been done.

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device
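
The "dlopen with full path or from system32" mitigation named in the message above, sketched for wininet.dll as an added example; this is not VLC's code and not part of the original message. The function names are hypothetical, and the system directory string in the non-Windows branch of main() is constructed so the path logic can be run anywhere.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Accept only a bare file name: non-empty, no directory, drive or stream part. */
int is_bare_dll_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return strpbrk(name, "\\/:") == NULL;
}

/* Build "<sysdir>\<name>" in out; -1 if the name is rejected or does not fit. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    if (sysdir == NULL || sysdir[0] == '\0' || !is_bare_dll_name(name))
        return -1;
    int n = snprintf(out, outlen, "%s\\%s", sysdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
/* Load a non-Known DLL on demand, by absolute path in the system directory. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof(sysdir));
    if (len == 0 || len >= sizeof(sysdir) ||
        build_system_dll_path(sysdir, name, path, sizeof(path)) != 0)
        return NULL;
    /* Absolute path: the application directory is not searched for this DLL,
       and its dependencies are resolved starting from the system directory. */
    return LoadLibraryExA(path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
#endif

int main(void)
{
#ifdef _WIN32
    HMODULE h = load_system_dll("wininet.dll");
    printf("wininet.dll %s\n", h ? "loaded from the system directory" : "not loaded");
#else
    char path[260];
    /* Constructed system directory, for illustration off Windows. */
    if (build_system_dll_path("C:\\Windows\\System32", "wininet.dll", path, sizeof(path)) == 0)
        puts(path);
#endif
    return 0;
}
```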

