On 2004-03-28, James Graham <[EMAIL PROTECTED]> wrote:
>>
>>> It would be good if there were some technical measures in place
>>> to make users less likely to install malicious code
>>
>> Hey, you can *disable* the software installation entirely in the
>> preferences, and if you don't, you are *asked* for confirmation *every
>> time* such an installation is requested.
>
> But /users don't read warning messages/. Even if users do read the
> warning message, they probably don't understand it. Even if they read
> and understand the warning message, they have no idea how to respond -
> given a site which says "you may see a popup asking if you want to
> install some software, click OK to get superplugin7 which you'll need to
> view the content of this site" users will always click OK.

Aside from that, it's currently possible to do the same thing as in IE,
where the site causes a never-ending cycle of dialogs asking to install
the XPI, so the user either has to kill the browser or say "yes".

>> What other technical measures do you need?
>
> Some that might actually be effective; there is some discussion on the
> Mozillazine thread which included:
>
> Only allow XPIInstall to init after a user click (similar to popup
> blocking)

There's a bug filed for this now, bug 238684. This would be a good thing
to do.

> Whitelisting of a few trusted sites in the default installation

Not sure about this one - there are already issues with mozdev (in terms
of lack of bandwidth, computer and human resources).

> Whitelisting of a few trusted certificates in the default installation

That makes sense.

> Blacklisting of known-bad extensions or sites (could work like a builtin
> spyware scanner that refused to install extensions that were known to be
> harmful)

I can't see how you'd do that without requiring a lot of maintenance from
someone, and you could only update from release to release unless you
also built in some kind of autoupdating. You'd be re-inventing some kind
of anti-spyware/anti-virus - why not just leave that to the software out
there that does it already.

> Scanning of extensions to produce a security profile based on the
> actions those extensions take

Again, that sounds like a lot of work in order to do something that the
malware folks could work around with considerably less work - you create
a kind of "arms race" where the good side has to compete on a reactive
basis.

> I don't know if you've noticed, but in the last few years, a huge number
> of security exploits have been the 'trick the user into running unsafe
> code' type and not the 'exploit a buffer overflow or other programming
> error' type. Certainly these are the types of exploits that have been
> most effective in compromising the machines of the great masses. It's
> very easy to bury your head in the sand and say "oh, that's user error",
> but it is the job of the program to prevent the user from making those
> errors, particularly when the security of the user's machine is at risk.
> Warning dialogs are not, never have been, and never will be, effective
> at doing this.

True. But if you lock things down too much, then you end up making your
product more limited and/or harder to use than the competition.

I think with using the signing stuff that's already there (but unused),
ensuring that XPI installation is user-initiated (with a click rather
than by loading a page or doing a mouseover unknowingly), and having a
clear UI (more than just a bunch of "OK/Cancel" boxes with overly long
text), the problem can be contained.

-- 
Michael

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
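The three mechanisms the message above combines (install only after a genuine user click, a whitelist of trusted signing certificates, and a defence against the never-ending prompt loop) can be sketched as one small gate. This is an added example written for this page; it is not Mozilla's XPInstall code or the fix for bug 238684. The event shapes (`type`, `isTrusted`), the 5 s activation window, the 30 s post-refusal cooldown, the signer allowlist format and the result names are all assumptions made for the illustration.

```javascript
// Toy model of an install gate. Added illustration, not Mozilla's code;
// window/cooldown lengths, event shapes and signer format are assumptions.

const ACTIVATION_WINDOW_MS = 5000;  // assumed: a click keeps one install request eligible for 5 s
const PROMPT_COOLDOWN_MS = 30000;   // assumed: after "no", an origin may not re-prompt for 30 s

class InstallGate {
  constructor(opts = {}) {
    this.now = opts.now || (() => Date.now());               // injectable clock for deterministic runs
    this.installEnabled = opts.installEnabled !== false;     // the existing "disable installation" preference
    this.trustedSigners = new Set(opts.trustedSigners || []); // assumed: fingerprints of whitelisted signing certs
    this.lastActivation = -Infinity;                         // time of the last genuine click
    this.refusedUntil = new Map();                           // origin -> time before which it may not prompt again
  }

  // Record user input. Only a trusted (user-generated) click refreshes the
  // activation; script-dispatched clicks, mouseover and page load do not.
  onUserEvent(ev) {
    if (ev.type === 'click' && ev.isTrusted === true) {
      this.lastActivation = this.now();
    }
  }

  // Decide what happens to an install request from a page. Returns one of:
  // 'blocked-disabled', 'blocked-no-gesture', 'blocked-cooldown',
  // 'install-trusted' (whitelisted signer, UI may treat it differently), 'prompt'.
  requestInstall(req) {
    if (!this.installEnabled) return 'blocked-disabled';
    const t = this.now();
    if (t - this.lastActivation > ACTIVATION_WINDOW_MS) return 'blocked-no-gesture';
    const until = this.refusedUntil.get(req.origin);
    if (until !== undefined && t < until) return 'blocked-cooldown';
    this.lastActivation = -Infinity;  // consume the gesture: one click buys one request, not a loop
    if (req.signer !== null && this.trustedSigners.has(req.signer)) return 'install-trusted';
    return 'prompt';
  }

  // The user refused a prompt: rate-limit that origin so the page cannot
  // re-prompt in a never-ending cycle until the user gives in.
  onUserRefused(origin) {
    this.refusedUntil.set(origin, this.now() + PROMPT_COOLDOWN_MS);
  }
}

// Constructed scenario (not a real site): a page that tries on load, via a
// synthetic click, via mouseover, then via a real click, then again on the
// same click, then loops after a refusal; finally a whitelisted-signer request.
function runScenario() {
  let clock = 0;
  const gate = new InstallGate({ now: () => clock, trustedSigners: ['sha1:EXAMPLE-TRUSTED'] });
  const req = { origin: 'http://superplugin7.example', xpi: 'superplugin7.xpi', signer: null };
  const out = [];

  out.push(gate.requestInstall(req));                        // on page load: no gesture
  gate.onUserEvent({ type: 'click', isTrusted: false });      // script-dispatched click
  out.push(gate.requestInstall(req));                        // still no gesture
  gate.onUserEvent({ type: 'mouseover', isTrusted: true });   // a real mouseover is not a click
  out.push(gate.requestInstall(req));                        // still no gesture
  gate.onUserEvent({ type: 'click', isTrusted: true });       // genuine click
  out.push(gate.requestInstall(req));                        // prompt the user
  out.push(gate.requestInstall(req));                        // second try on the same click: blocked
  gate.onUserRefused(req.origin);                             // user clicked Cancel
  gate.onUserEvent({ type: 'click', isTrusted: true });
  out.push(gate.requestInstall(req));                        // inside cooldown
  clock += PROMPT_COOLDOWN_MS + 1;
  gate.onUserEvent({ type: 'click', isTrusted: true });
  out.push(gate.requestInstall({ ...req, signer: 'sha1:EXAMPLE-TRUSTED' })); // whitelisted signer
  return out;
}

console.log(runScenario().join('\n'));
```

The two points worth noting are that the gesture is consumed by the first request (so a page cannot turn one click into a stream of prompts) and that a refusal starts a per-origin cooldown, which is what breaks the "kill the browser or say yes" loop described above.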
