Interviewed by CNN on 15/09/2011 00:12, NoOp told the world:

> Well, let's not forget that it also affected Mozilla addons...
> <http://www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/>
> <quote>
> DigiNotar's omissions came as a personal affront to Mozilla, since one
> of the domains they imperiled was https://addons.mozilla.org/, home of
> tens of thousands of addons that add powerful capabilities to the
> default versions of Firefox and Thunderbird.
> </quote>
>
> So let's consider the Mozilla auto update policy that is set by default
> in all current Mozilla products. Given the policy, and given the serious
> nature of the DigiNotar hack, why does Mozilla continue to enable auto
> update by default?
>
> SeaMonkey users have offered valid complaints regarding this policy on
> this list, yet the policy remains. I just encountered the same issue on
> a system with Firefox; I noticed that Firefox was in the process of
> downloading an update without my permission. I stopped it. Yes, I
> eventually updated the Firefox version, but did so at *my* discretion,
> and via a direct download of Firefox from Mozilla. Ditto for a SeaMonkey
> version.
>
> Yes, Mozilla users can turn off the auto updates (program and addons),
> but have to jump through hoops (IMO) to do so. Reminds me of the opt-out
> settings from Google/Yahoo/et al.
>
> What, if any, addons were compromised during the DigiNotar certificate issue?
> ...
On the other hand... what if an exploit comes up for a popular add-on, such as NoScript, Adblock Plus or DownThemAll? Deploying the update as fast as possible is a good response, isn't it?

The DigiNotar case was very, very bad, but it's not the most common situation we see. Common attacks are exploits of weaknesses in software. And yet, users who won't upgrade their browsers (or, in IE's case, turn off Windows Update) will still be vulnerable to DigiNotar's fake certificates.

Yes, it could have happened. Someone (perhaps in Iran, where most of the attacks took place) might have used a fake addons.mozilla.org to push fake "updated" extensions to users. Yet, as I said, this kind of attack is relatively rare. Arguing for disabling auto-updates for this reason is like arguing against seat belts because, in very rare cases, someone might be better off not wearing one. Statistically, it is not sound policy.

(By the way: just this week, some idiot drank two bottles of wine, got behind the wheel of his Mercedes at twice the speed limit -- despite his girlfriend's pleas for him to slow down -- then got distracted trying to pull his wallet from his pocket, lost control and crashed. Said idiot was not wearing his seat belt, got ejected from the car and died instantly. Girlfriend was wearing her seat belt and came out with minor scratches, no doubt a tribute to German engineering.)

-- 
MCBastos

This message has been protected with the 2ROT13 algorithm.
Unauthorized use will be prosecuted under the DMCA.

-=-=-
... Sent from my Etch-a-Sketch.
*Added by TagZilla 0.066.2 running on Seamonkey 2.3.3 *
Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey

