On 9/12/2011 12:44 PM, Philip TAYLOR (Webmaster, Ret'd) wrote:
> I have just logged in to one of my less-frequently-used
> machines to be greeted by this message :
>
>     URGENT!
>     Your version of SeaMonkey is no
>     longer protected against online
>     attacks.
>     ---------------------------------------------
>     _Get the upgrade_ -- it's fast & free !
>     * stay safe online
>     * get faster performance
>     * enjoy new features
>
> This is /exactly/ the sort of message that is used to inject
> Trojan horses and worse, and there is no way that I would
> dream of clicking on "Yes, get the latest version" or similar.

The link there leads to seamonkey-project.org, our official site. There
is also the ability to go directly to our website. Yes, some
trojans/virus things try to inject scary messages like this, but that
is the very reason that those scary warnings work for viruses. In our
case, you can easily tell that it is a real, "chrome" window, and not
some virus.

> If this /is/ a phishing attempt, or an attempt to con me into
> loading a Trojan horse or virus, it is a clever one but will
> not succeed; if it is a genuine message from the SeaMonkey
> group, then I consider it to be an appalling error of judgement.

It is a genuine message, and is worded this way in direct thoughtful
expression. It is the message that Firefox also uses for 3.5.x->future
version upgrades as well, fwiw.

> (a) It looks like a phishing attempt, or an attempt to inject
> a Trojan horse or virus

I'd argue that the attempt to scare a user into upgrading resembles
trojan stuff, but it is easily distinguished by those who know to watch
for those types of trojans, and otherwise fits in well with our
SeaMonkey theming/style, so that everyone *should* be able to identify it
as legit.

> (b) It is an appalling use of the "Fear, Uncertainty and Doubt"
> technique -- my version of SeaMonkey (2.0.14) is no
> less well protected against online attacks than it was
> on the day it was released; to suggest otherwise is
> intentionally confusing, intentionally misleading, and
> can only bring the whole SeaMonkey project into disrepute.

Actually it is NOT misleading. SeaMonkey 2.0.14 is VULNERABLE to web
attacks/exploits, including ones actively being exploited as we speak.
One example that I can mention right now is the DigiNotar case,
where people (especially in Iran) are/were being hurt by that, by
allowing the attacker access to e-mail, passwords, etc. 2.3.3 does not
have that vulnerability. And that is just one of many. 2.0.14 is dead,
we are not supporting it, and it has known vulnerabilities, which is why
we did this message. To advocate otherwise is a disservice to yourself
and our users.

> Please, if this is a genuine message, get rid of it */immediately/*,
> and replace it with something factual and considered, perhaps
> along the lines of the following :
>
>     URGENT!
>     Your version of SeaMonkey is not
>     as secure as it might be; we have made
>     considerable efforts to improve on security
>     since this version was released, and you are
>     strongly advised to use the SeaMonkey icon
>     in your browser, or e-mail/news client to
>     download the most recent version.
>     ---------------------------------------------
>     Get the upgrade -- it's fast & free !
>     * stay safe online
>     * get faster performance
>     * enjoy new features

No. That is overly wordy for what we have to work with; we should not
expect users to have to load the website directly for this, since our
upgrade service provides certificate checks that are not easily
available through website downloads. We also have limited space to work
with in our update dialog, and your wording implies that users are "OK"
on 2.0.14, THEY ARE NOT.
Sorry.
--
~Justin Wood (Callek)
_______________________________________________
support-seamonkey mailing list
https://lists.mozilla.org/listinfo/support-seamonkey