Nils Maier wrote:
>> But compromised mirrors are by far the most common way that things are
>> trojaned.
>>
>> http://www.internetnews.com/dev-news/article.php/1438341
>> http://wordpress.org/development/2007/03/upgrade-212/
>> http://www.afterdawn.com/news/archive/6001.cfm
>> http://www.daemon-tools.cc/dtcc/archive/update-download-com-issue-t5334.html
>
> No, actually compromised mirrors are more common and compromised
> "download information" pages (at the moment of course).

That sentence isn't grammatical, and it could mean either of two
opposite things. Could you restate your point? Thanks :-)

If you are saying that compromised download information pages are more
common, can you give some examples? I agree that Link Fingerprints is
less useful in that case - although often the URL goes out in a release
announcement email as well.

It only takes one person to use a fingerprinted URL to raise the alarm.
That's why universal client support isn't necessary to get a lot of the
protection.

> Actually the DC++ and daemon tools examples you gave are flawed.

The Daemon Tools one is fine. If the DT website had been linking to
download.com with a link fingerprint, the problem would have been spotted.

> It wasn't just mirrors compromised. Somebody managed to submit trojaned
> packages to these sites. A good analogy would be: Somebody managed to
> submit a trojaned popular extension to amo, which then pushed it out to
> all its mirrors and provided link-fingerprints (of the trojaned package
> of course) via the download/install links.
> Oops. But at least the download wasn't corrupt.

Right. So in this case, Link Fingerprints doesn't help. And it doesn't
solve world hunger either. What does solve this problem?

> But that's not the point. Giving a warning and options how to handle the
> errors will make people aware, too. Security researchers do not need to
> pull out IE just to download and analyze such a trojaned package.

They can install the extension you are going to write to add an
override. Security researchers are not Firefox's primary audience.

>> But if it's trojaned, it's not "his data". It's someone else's evil data.
>
> Still his copy of said data. And still his choice what to do with it. He
> has been warned.

What would an ordinary user possibly want to do with a trojaned
executable apart from delete it? Even giving them the option to do
something else is dangerous. They select it to delete it but
accidentally double-click instead of single-click and Boom!

>> No, I mean that the person providing the link should not use link
>> fingerprints on it, unless they want you to have that exact version.
>
> And people should not do IE-only websites and stick to standards.
> People will mess up, sooner or later, even if they have good intentions.

Right. And if they do, they fix the problem. If they use an out of date
SSL certificate, or one with a mismatched hostname, they've messed up -
but Firefox is going to prevent access to the site anyway.

> There was kinda uproar when Firefox didn't download the Vista Beta
> images, because there was a bug when handling large files in append mode
> on Win. Pretty limited user base, but still people were pissed.

That's a _bug_. It's entirely different.

> Seriously, you cannot know this. And FX user base is generally more
> "sophisticated" than the general public, or at least know a tech-buddy
> they may consult. Proof: Somebody installed Firefox.

We have 100 million users or more. "Able to install software" is miles
and miles away from "Uses archive-repair tools on a regular basis".

> And providing *all* people, the ordinary and the geeks, with some
> choice seems to hurt that badly.

Yes.
http://weblogs.mozillazine.org/gerv/archives/2007/06/choice_considered_harmful.html

> In the other thread you claimed that FX already makes a lot of choices,
> but I fail to see many of them.

Listing choices the user *can* make says nothing about the ones they
can't. You can't see those, because you don't have to make them!

> You may browse phishing sites (Ignore option), you may browse sites with
> self-signed certificates which are meant for another host,

Not soon.

>> So Firefox protected you, you bypassed the protection, and got stuffed.
>> Firefox did its job.
>
> Yep, my fault.
> It is my fault if I used another browser to download, but it is still my
> fault if I decide to ignore that warning message that would be displayed
> when FX asked me what to do with the download.

But in that case, it's a tragedy we can prevent. In the case where you
choose to use another application, it's not.

I agree that the error message needs to be informative enough that you
don't just go off and use another client.

Gerv
_______________________________________________
dev-tech-network mailing list
https://lists.mozilla.org/listinfo/dev-tech-network
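
The two cases argued over in this message, as an added Python example that is not part of the thread or of any Firefox code: a link fingerprint catches a mirror that serves a different file from the one the publisher linked, but not a package that was already trojaned when the publisher computed the fingerprint. The `#!sha256!<hex>` fragment layout, the function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed fragment layout for this example: "#!<algorithm>!<hex digest>".
ALLOWED = {"sha256"}

def parse_fingerprint(url):
    """Return (algorithm, hex_digest), or None if the URL has no fingerprint."""
    frag = urlsplit(url).fragment
    if not frag.startswith("!"):
        return None
    parts = frag[1:].split("!")
    if len(parts) != 2:
        raise ValueError("malformed fingerprint fragment")
    algo, digest = parts[0].lower(), parts[1].lower()
    if algo not in ALLOWED:
        raise ValueError("unsupported hash: " + algo)
    return algo, digest

def check_download(url, body):
    """'unverified' with no fingerprint, 'ok' on a match, else 'mismatch'."""
    fp = parse_fingerprint(url)
    if fp is None:
        return "unverified"
    algo, expected = fp
    actual = hashlib.new(algo, body).hexdigest()
    same = hmac.compare_digest(actual.encode(), expected.encode())
    return "ok" if same else "mismatch"

def link_for(base, body):
    """What a publisher does: fingerprint whatever file it was handed."""
    return base + "#!sha256!" + hashlib.sha256(body).hexdigest()

# Constructed sample data, not real packages.
GENUINE = b"installer v1.0 (constructed)"
TAMPERED = b"installer v1.0 (constructed) + extra payload"
BASE = "https://mirror.example/pkg/setup.exe"

def scenarios():
    good_link = link_for(BASE, GENUINE)
    return {
        "clean mirror": check_download(good_link, GENUINE),
        "compromised mirror": check_download(good_link, TAMPERED),
        "trojaned before publication":
            check_download(link_for(BASE, TAMPERED), TAMPERED),
        "plain link": check_download(BASE, TAMPERED),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The "trojaned before publication" case returns `ok` because the fingerprint only binds the download to the file the link author hashed; it says nothing about where that file came from.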
