There were several good threads we left in Mozilla.security, which I think we may want to revisit and try to resolve in the new anti-fraud list. For now, I'm cross-posting, although I suggest we continue only on anti-fraud if nobody objects, simply since it is more focused.

Heikki Toivonen wrote:
> One thing about a class of extensions that check the URL you are
> visiting against known bad ones from an online source: privacy. I read
> about some implementation which was IMO too invasive. When a security
> product like this comes from a commercial company and they get access to
> your browsing history in real time I see it as a deal breaker. Tweaking
> the settings and eliminating the commercial party from the picture would
> make it much more likely to get accepted.

Hear, hear!!! This is absolutely absolutely correct, imho. Indeed, as I already mentioned, we got a kind offer (I'm serious) to access one of these DBs with `black list` of suspect sites, but decided to decline, due to these concerns (and also performance; you feel this very well if you are not close to the server, e.g. from Israel).

We are now working (Ahmad, mostly) on a better solution. In a sense, this `blacklist` is really a variant on the old CRL problem, btw. The solution we work on is roughly:

-- Have a local cache for the queries. This reduces privacy invasion substantially and improves performance.
-- Specifically, we simply think of doing the requests in cacheable HTTP queries - the cache will be simply in the HTTP proxy (often hidden, of course). DNS could be an alternative, btw. But HTTP is a really trivial solution.
-- Each query will not be for a single URL but for a collection, following the efficient CRL techniques. Again: improve efficiency and privacy together.
-- A variant on this mechanism will help us get additional positive credentials for the web page such as logo, BBB/Zagat/Fodor/eTrust ratings,...

> None of them have been usability tested in a browsing situation.
Some tests were done and more will follow. I don't think you do this for any new UI feature, do you?

> Making them into extensions and gathering feedback is one way of getting
> it. In fact this is what I recommend. Iron out the bugs and usability
> problems in the extension model first.
We did/do.

> I have my own opinions about these options.  Ian has his own opinions,
> and Gervase has his own opinions.  We could argue endlessly about it,
> but there comes a point where arguments are based on speculation and
> the only way to know is to gather empirical evidence.
Do you do this as part of your closed process? I doubt it.

> I don't think there is a written set of acceptance criteria. Writing one
> up would be a good thing. Another doc for the security area or wiki
> perhaps. Anyone could write/start it, but it would need approval from
> the Mozilla Security Group of course.
I can't see many volunteers to write a draft of the Mozilla security group's acceptance criteria - esp. not from people outside this group...

> In the end it will fall into convincing the right people, but before
> that you really need to pass the not-yet-written-down-anywhere
> acceptance criteria.
Well, seems like an impossible mission, then.

> Some rules of thumb could be gathered from my
> feedback to the petnames extension, like should not require too much
> (ideally anything) from users, should use minimal chrome real estate and
> so on. I'd also like to add: make it first into an extension, iron out
> the bugs, gather usability etc. feedback
I think we do all that fairly well.

> I am grateful that you posted the link to the list of people on the
> Mozilla Security Group.  It's helpful to know those names.  It's
> just that there are over 60 people on that list, so I'd like to know
> a little more about how consensus is reached on design decisions.
...
> You can narrow down the list, though, by checking the affiliations of
> the people on the list, and if you can't figure who to contact you could
> always start with the owner.
Well, sounds like fun, they are probably all very interesting persons and digging up their e-mails should be lots of fun, writing each of them - a very efficient, constructive use of my time. I've put it in the appropriate priority of my `to-do` list. Coding to other platforms is a bit higher, though.

Best, Amir Herzberg

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
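
The per-collection, cacheable lookup sketched in the message above, as an added example that is not part of the original message or of the extension's code. Grouping by a hash prefix, the names `ListServer` and `CachingClient`, the 256-bucket size, and the one-hour lifetime are assumptions; the message itself only says queries are for a collection and are cacheable, with the cache sitting in the HTTP proxy rather than in the client as here.

```python
import hashlib
import time

BUCKET_HEX = 2  # assumption: 2 hex digits of the hash select one of 256 collections

def host_hash(host):
    return hashlib.sha256(host.lower().encode("utf-8")).hexdigest()

class ListServer:
    """Stand-in for the cacheable HTTP endpoint; hosts are constructed samples."""
    def __init__(self, bad_hosts, max_age=3600):
        self.max_age = max_age
        self.requests_seen = []   # everything the list operator could log
        self.buckets = {}
        for host in bad_hosts:
            digest = host_hash(host)
            self.buckets.setdefault(digest[:BUCKET_HEX], set()).add(digest)

    def get_bucket(self, prefix):
        self.requests_seen.append(prefix)
        return frozenset(self.buckets.get(prefix, ())), self.max_age

class CachingClient:
    def __init__(self, server, clock=time.time):
        self.server, self.clock = server, clock
        self.cache = {}           # prefix -> (hashes, expiry time)

    def is_listed(self, host):
        digest = host_hash(host)
        prefix = digest[:BUCKET_HEX]
        cached = self.cache.get(prefix)
        if cached is None or cached[1] <= self.clock():
            # Only the prefix leaves the machine, never the host or URL.
            hashes, max_age = self.server.get_bucket(prefix)
            cached = (hashes, self.clock() + max_age)
            self.cache[prefix] = cached
        return digest in cached[0]   # membership is decided locally

if __name__ == "__main__":
    server = ListServer(["phish.example", "login-bank.example"])
    client = CachingClient(server)
    for h in ["phish.example", "phish.example", "good.example"]:
        print(h, client.is_listed(h))
    print("operator saw:", server.requests_seen)
```

The operator's log holds only bucket prefixes, and repeat visits within the cache lifetime generate no request at all.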
