You are correct that "local security issues" did and continue to take a backseat to remote exploits. We assume that if an attacker can change files locally (or is sitting at your keyboard) then there's nothing we can do.
There has been no impetus for signature verification of local chrome files. However, if you can find some like-minded people who also want this feature, this would make a great Mozdev project.
-Mitch
rvj wrote:
OK dumb question but is it potentially possible to have signed chrome which could be authenticated when Mozilla starts up?
I know that signing is primarily used for file transfer verification but I am more interested in preventing tampering at the local workstation (i.e. tampering/replacement of JAR files)
Instead of having to sign individual scripts, objects, etc., I would like to sign a single chrome JAR file containing a collection of secure files, i.e. the signed chrome would be verified on startup using Mozilla certificate security methods.
I asked this question a couple of years ago and there didn't seem to be too much concern for local security issues.
i.e. a security loophole that results in Mozilla's application files being compromised
I was trying to find out if things have moved on?
