On Sat, Oct 29, 2005 at 03:36:35AM +0200, Yoshinori K. Okuji wrote:
> On Friday 28 October 2005 03:34 pm, Bas Wijnen wrote:
> > If the system is well designed, then there is no problem. First of all, it
> > doesn't sound like a good idea to need a plugin just to set your
> > preferences. But even if it is, you don't need to give it permission to
> > write to your *entire* configuration. If mozilla is well designed (where
> > well-designed means "using the capability system effectively", which of
> > course it doesn't), it can allow the plugin to write some configuration
> > once, but not allow it to install a proxy.
>
> For example, look at this extension:
>
> http://www.roundtwo.com/product/switchproxy
>
> Whether you like it or not, this kind of extension is very useful for some
> people, so they will use it.

Indeed.

> "Do not use such a silly plugin" is not an appropriate answer for this,
> since the purpose of a good secure framework is to allow people to use
> untrusted code such as this with no or little risk.

I agree that "you mustn't want this" is a very bad solution for any problem.
:-)

However, this is quite an invasive plugin. I think you must either trust it
and allow it to set proxies to whatever it wants, or limit it by duplicating
the list of used proxies in the configuration of the allowed outgoing network
ports for firefox. The latter is a job that I don't expect the average user to
be able to do, except if the plugin can help there via a (trusted) user agent.

I'm not sure how hard it would be to make a situation like this both usable and
secure (without needing to trust the plugin). I agree with you that it can be
possible that we do not go for maximum security, if it costs too much usability
(and "too much" should be very little). I also think that we should try hard to
be secure without losing usability.

> So, decisions must always be based on a balanced view. Otherwise, conclusions
> would be far away from reality.

I'm not sure what you want to balance here, but I'm a bit allergic to "balanced
views" for the sake of themselves. In particular, I think that "it must be
balanced" is no argument at all for doing or not doing something. I think I do
agree with what you mean to say though. :-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
signature.asc
Description: Digital signature
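One way to model the attenuated capability discussed in the message above, as an added example that is not part of the thread: the trusted user agent keeps the whole configuration and hands the plugin a facet that can only write its own preference keys and only select a proxy from the user-approved list. ConfigStore, ProxySwitchCap and the preference key names are assumed for illustration.

```python
# Added example (not from the thread): an attenuated proxy-switching capability.
# The trusted user agent keeps the full configuration and hands the plugin a
# narrow facet that can only write its own preference keys and only select a
# proxy the user already approved. Names are invented; Python cannot enforce this.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

class CapabilityViolation(PermissionError):
    """The holder tried something its capability does not cover."""

@dataclass
class ConfigStore:
    """The browser's full configuration; only the trusted agent holds this."""
    prefs: Dict[str, str] = field(default_factory=dict)
    proxy: Optional[str] = None                 # proxy in use, None = direct
    approved_proxies: List[str] = field(default_factory=list)

class ProxySwitchCap:
    """Facet given to the plugin: it cannot add proxies or touch other keys."""
    def __init__(self, store: ConfigStore, prefix: str = "extensions.switchproxy."):
        self._store, self._prefix = store, prefix

    def set_pref(self, key: str, value: str) -> None:
        if not key.startswith(self._prefix):
            raise CapabilityViolation(f"no write access to {key!r}")
        self._store.prefs[key] = value

    def select_proxy(self, proxy: Optional[str]) -> Optional[str]:
        # Only the user-approved list (the thread's "duplicated proxy list") may
        # be selected; the plugin holds no handle through which to extend it.
        if proxy is not None and proxy not in self._store.approved_proxies:
            raise CapabilityViolation(f"{proxy!r} is not an approved proxy")
        self._store.proxy = proxy
        return proxy

def demo() -> dict:
    # Constructed sample: the user approved two proxies through the agent.
    store = ConfigStore(approved_proxies=["proxy-a.example:8080", "proxy-b.example:3128"])
    cap = ProxySwitchCap(store)                 # all the plugin ever receives
    cap.set_pref("extensions.switchproxy.last", "proxy-a.example:8080")
    cap.select_proxy("proxy-a.example:8080")
    blocked = []                                # True = attempt was refused
    for attempt in (lambda: cap.select_proxy("unapproved.example:9999"),
                    lambda: cap.set_pref("network.proxy.http", "x.example")):
        try:
            attempt()
            blocked.append(False)
        except CapabilityViolation:
            blocked.append(True)
    return {"proxy": store.proxy, "blocked": blocked,
            "pref": store.prefs.get("extensions.switchproxy.last")}
```

The approved list itself is only ever populated by the trusted agent, which is the part the message says an average user would need help with.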
_______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
