There is some early thinking about the Jetpack security model at
https://wiki.mozilla.org/Labs/Jetpack/JEP/29#Jetpack_Security_Model
There is still a lot of work left to do in driving out details around how
the capabilities will be checked by knowledgeable reviewers, and surfaced
to users that might not be as good at making the correlations between
capabilities in Jetpacks and possible risks.
Aza also put together a draft of an introductory video to explain at a
high level how this system might work.
http://vimeo.com/7660200
Definitely interested in feedback as the security model gets fleshed out
and applied.
-chofmann
Michael Lefevre wrote:
On 29/11/2009 07:40, Kálmán „KAMI” Szalai wrote:
Do we have friendly extensions, or signed extensions? Could you describe
the validation process? Is it a go/no-go test or a detailed code
review? Is there a possibility that an author creates a good extension and
changes it in the 4th release into a bad extension? Will we have a
bugtracker to follow the possible (security) bugs in the extensions? Can
we introduce an "it is safe" tag for the really tested extensions?
I'm not part of the add-ons team, but I can try and answer anyway.
Firefox, by default, will only install extensions from
https://addons.mozilla.org - users can install addons from anywhere,
but they have to go through a security warning and a few mouse clicks
before Firefox will install addons from other sites.
The addons on the official site are reviewed, according to the process
at https://addons.mozilla.org/en-US/developers/docs/policies/reviews
Installing an extension is like installing an application on your
machine - it's just as trusted as any other application.
Right. Having said that, how does one give the users the tools to
figure that out? Or is it the users' responsibility to figure it out
by themselves?
Yes, for example the extension can steal the keystrokes? Should I
do netbanking only in the safe mode of Firefox?
As said above, extensions/addons are like installing an application.
Extensions can steal keystrokes, but also get passwords from your
computer, read your files, re-format your hard disk, or anything else.
Addons have the same privileges on your computer as Firefox itself, so
users need to have the same level of trust of addons as they do in
Firefox, or other applications they install on their computer.
Michael
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security