February 7, 2005
Spyware Coming To Your Mozilla This Summer (say experts)
Experts predict Firefox spyware will show up this year.
To which I say: there already is tons of spyware, and you can get it from update.mozilla.org. Tons of extensions without any formal security review await you!
The real problem, which most of the experts in the article miss, is not creating spyware but installing it on people's boxes. Security exploits are one way, but the other is simple social engineering. Why else are people downloading software that adds a little weather notifier to their Windows desktop and in fact ends up doing naughty things like painting naked goats on their wedding pictures?
Perhaps I should start offering a Mozilla Insurance Policy? Just give me your credit card information, and for $19.994 (european numerical system) I'll make sure you never get spyware from Mozilla.
Posted by doron at February 7, 2005 2:51 PM
Comments
FUD. There are already malicious XPIs (and Linux viruses for that matter) out there. For various technical reasons, they can't bloom like their MS counterparts (ActiveX and Windows). I'm sure you know this by now.
Posted by: BS at February 7, 2005 5:27 PM
Mr. BS, I would love to hear what these "various technical reasons" are. I'd also love to hear what reasons Doron, who gets paid for working on Mozilla and has been doing so for years now, has for spreading FUD...
Has it crossed your mind that just because you don't like the truth that doesn't make it FUD?
Posted by: Boris at February 7, 2005 11:19 PM
On one side, this is flattering: The spam gangs are taking the Mr. Fox seriously.
It is a cause for concern, because the safety argument was one of the strong points of Firefox. It is very important that this advantage is not compromised.
Posted by: adaxl at February 8, 2005 3:22 AM
I suppose it ought to be part of the service update.mozilla.org offers to approve the extensions, themes, plugins and so on offered on their site. If anyone can upload their 'stuff' and no one checks it out, there will be no trust in that website. There can still be malicious .xpis on other sites (this is what the warning on top of the installation dialog is for) but the extensions ppl install from Mozilla's own webbase HAVE to be benevolent...
Posted by: HS at February 8, 2005 5:51 AM
I wish I was an expert. Then maybe I could get quoted in an article for predicting something that's already happening.
Go to: http://cracks.ss.ru/download/tsrh/tsrh-activecaptions_15_exe.zip.html (use extreme caution).
It tries to install an XPI when the page loads (also seems to try and persuade you to give enhanced privileges to a Java applet). It was as a result of pages like this that triggering XPI installs during pageloads was blocked.
I've never really liked this marketing that promotes Mozilla as being more secure than IE. Just makes the project look stupid when there are exploits. And there have been in the past and there will be in the future.
Posted by: Alex Bishop at February 8, 2005 9:38 AM
HS, reviewing code is _very_ time-consuming. It takes about as much time as writing it, sometimes more. Where will the manpower for reviewing all the u.m.o code come from?
Posted by: Boris at February 8, 2005 10:05 AM
Well, if you assume that social engineering is inherently impossible to eliminate, and that peer review is still an acceptable system for keeping malicious code out, then the sensible solution would be for u.m.o to only host reviewed code. People can download software from Freshmeat or they can get it from the regular Debian repositories, and the level of trust they invest into those different locations varies.
u.m.o isn't any more trustworthy than any other site at the moment, technically, and I assume that this is the point. I don't see how to get around the huge amount of effort it would take to start again and host only reviewed code though. It's the price that has to be paid for an increased level of trust.
This assumes that the point of the above rumination is to come up with a solution, of course. I don't think there's a way to make it impossible for one to shoot oneself in the foot anyway.
- Chris
Posted by: Chris C at February 8, 2005 10:39 AM
Are there any confirmed cases of spyware like actions from extensions on mozilla update?
*hugs*
Posted by: larfnarf at February 8, 2005 2:19 PM
If only Mozilla had clearly defined kernel and user security spaces, with extensions in the user security space, and application security as a separate matter on top. Then at least extensions would be restricted to a degree. Wishful thinking?
Posted by: Nigel at February 8, 2005 2:27 PM
I already have spyware -- I downloaded some info on Firefox to help me transfer tapes to wave and now WHENEVER I GO TO ANY OF MY OFF LINE PAGES OR TURN ON MY PRINTER OR SNEEZE -- MY COMPUTER STARTS DIALING THE INTERNET ........no one can find a solution for this .......I NEVER HAD THIS PROBLEM ON IE and am back to IE !!
Posted by: questkot at February 8, 2005 8:37 PM
There is no need to remove unreviewed content. Just make it obvious what has and has not been reviewed. Also if reviewing work is spread out over a large number of people, the workload is manageable. What's needed is a system where multiple people can review extensions and vouch for them. With enough eyeballs, all bugs are shallow.
Posted by: dmitry at February 8, 2005 9:07 PM
at least mozilla's xpis can be deleted just by deleting the profile, or would a hypothetical malicious xpi just use firefox as a way in?
Posted by: nicolas at February 8, 2005 9:56 PM
Nigel: this would stop extensions from doing a number of things that people use extensions for. Themes are already prevented from doing anything harmful on the local machine because they don't need to.
- Chris
Posted by: Chris C at February 9, 2005 3:39 AM
There is already Google integration, which I would consider spyware if it weren't for the cookie-blocking ability of Firefox. BTW, does working for Google mean that the guys on your team MUST perform such Google A$$-kissing sessions? I find the following worse than teeny-bopper panty throwing: http://blakeross.com/index.php?p=44#comments
Posted by: Rengineer at February 9, 2005 6:04 AM
questkot - doubt you got anything from Mozilla that way. You probably downloaded something to do the tapes to wav that had spyware.
Posted by: Patrick at February 9, 2005 2:09 PM
I quite agree with you Rengineer about Google integration and there's even an extension which makes things easy for yahoo! addicts.
Sad things though if extension creators can't be trusted...
Well, Doron, though what you say seems reasonable, I can't help objecting to your unfair jibe at Europe "for $19.994 (european numerical system)" -- this is untrue, you'd see 1.129€ only in petrol stations (same in Great Britain but in £).
Keep up the good work
Cheers,
mozilla fan
Posted by: mozilla fan at February 9, 2005 3:08 PM
Patrick is right; most "free" wave editors and converters contain spyware that is difficult to remove (personal experience from trying it on some friends' machines).
Posted by: dipa at February 9, 2005 5:46 PM
Well Patrick, I have many reasons NOT to trust Google. Here they are if you're interested:
http://promote-opensource.org/modules/news/article.php?storyid=648
Just copy/paste that into your URL bar.
Posted by: Rengineer at February 10, 2005 7:57 AM