Ian G wrote:
>
> In thinking about extensions, one would think that providing a portal
> for "friendly extensions" and dealing with only signed or otherwise
> checked sources would be sufficient. Is there a sense that these
> techniques aren't working?
>
> Or is the problem out in the wild wild west where users are just
> downloading any old shlock?

Do we have friendly extensions, or signed extensions? Could you describe the validation process? Is it a go/no-go test or a detailed code review? Is there a possibility that an author creates a good extension and changes it to a bad extension for the 4th release? Will we have a bugtracker to follow the possible (security) bugs in the extensions? Can we introduce an "it is safe" tag for the really tested extensions?

>
>
>> Installing an extension is like installing an application on your
>> machine - it's just as trusted as any other application.
>
>
> Right. Having said that, how does one give the users the tools to
> figure that out? Or is it the users' responsibility to figure it out
> by themselves?
>
> To some extent this is the same dilemma the banks find themselves in.
> They were forced to use the platform, against good advice, and now
> find the platform is biting them. What to do? They can't go back.
> And there is no easy forward.
>

Yes, for example the extension can steal the keystrokes? Should I do netbanking only in safe mode of Firefox?

>
>
> iang
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security

--
Best regards, KAMI

Kálmán „KAMI” Szalai | 神 | kami911 [at] gmail [dot] com
My projects: http://ooop.sf.net/ | http://hun.sf.net/
Blog (Hun): http://bit.ly/10ucTR | Donate: http://bit.ly/eYZO6
Follow me: http://bit.ly/gJuJZ | http://bit.ly/kDocB
