On 4 February 2018 at 17:25, Raffaele Florio <raffaeleflo...@protonmail.com>
> > The "make firefox" rule uses wget to get a few files. Is this because
> you don't want to distribute signatures on Github? Ideally, it would use
> local files only.
> I was referring to the HTTPS statement. I'd like to deepen this statement.
> There are signatures and I also think that the GitHub clone reduce the
> complexity. I agree that the latter will be the default. However HTTPS is
> used both in the clone and in the process to get my public key.
It introduces an extra point of failure. I could owned by a corrupted "git
clone" operation. I could also get cloned by a corrupted wget operation.
It's one extra thing to audit (if I want to be careful).
> > Well, it crashed my machine... I had to reboot the whole thing. It
> would be nice if it did something more graceful when presented with 20
> links at the same time, even if it is just asking for confirmation.
> Why 20? Why not 10, 30 or other numbers? However to avoid DOS attacks,
> very plausible, is useful to have a maximum requests per second. When this
> limit is reached the extension blocks other request and warns the user.
> This is a vital feature.. ;)
Yes, a lower number would be better. I used 20 for dramatic effect,
because this is enough to crash a computer.
> > Also, I think your tool could be quite useful for several different use
> cases. Perhaps it's better to have the default configuration being
> unobtrusive, but allow the user to switch on more defenses if they like.
> I think that the opposite is better. *The user* sets as default "Open
> here mode" (not secure), and then, trough Quick Settings, it could switch
> to "redirection mode". Quick Settings has to be very flexible.
> More secure default, is better.. I repeat: the extension did its job.
> However why do you not whitelist these (20+) URLs (or related domains), if
> you consider them trustworthy?
My computer crashed before I had a chance to whitelist anything. I would
actually rather open them inside a "session VM", but it isn't obvious how
to do it.
> (I think this idea needs a bit more thought!)
> I agree. It's something not, principally, related to this extension. I'm
> also waiting to try the stable 4.0.
It is a great use case though, which is very helpful when designing things.
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to email@example.com.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.