[Project_owners] Security_Concerns

Onno Ekker o.e.ekker at gmail.com
Wed Jun 6 10:16:41 PDT 2007


This discussion has probably been going on on mozilla.org before, but since
the Security Concerns have also reached mozdev, I'd like to put my two cents
to it:

Although I reckon that the hashing and secure downloads will prevent users
from downloading false extensions from fake websites, it might also give
them a false feeling of security. They do have the extension they wanted,
but they have absolutely no guarantee on what that extension does.

Even commercial extensions like Google Toolbar, Yahoo, or del.icio.us
bookmarks can have some kind of spyware functionality built in, to "assist"
them in analyzing user behavior. They might even have put it in a disclaimer
to which the user has agreed before using their software.

The users might get a false feeling of security because of the secure
downloads.

I think mozilla and mozdev need to emphasize this...

Am I right or did I miss something?

Onno

On 6/4/07, Matthew Wilson <matthew at mjwilson.demon.co.uk> wrote:
>
> Eric H. Jung wrote:
> >> No, but all e-mails with attachments are trashed, so I will have to
> >> look
> >> into this later today and get back to you (out of band).
> >
> > That is too bad.
> >
> >> The generated md5 or sha1 values needs to be stored in install.rdf
> >> like
> >> this (which is basically the same example as the link I provided):
> >>
> >> <em:updateHash>
> >>    sha1:c4e27e3819ec8e2ed732aaaea2531440a8694542
> >> </em:updateHash>
> >
> > Neither the above example nor the link you sent explain where in the
> > install.rdf DOM <em:updateHash/> should appear. Should it appear as a
> > child of <RDF:Description/>, child of document.documentElement, or
> > somewhere else???
>
> See for example http://wmlbrowser.mozdev.org/wmlbrowser-update.rdf
>
> Matthew
> _______________________________________________
> Project_owners mailing list
> Project_owners at mozdev.org
> http://mozdev.org/mailman/listinfo/project_owners
>
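An added example, not part of the original thread or of any Mozilla or mozdev code: checking a downloaded package against the `<em:updateHash>` value discussed above. A match shows only that the bytes are the ones the manifest declares; it says nothing about what the extension does once installed. The manifest, link and package bytes are constructed sample data, laid out the way Firefox update manifests place `updateHash` beside `updateLink`.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # extension-manager RDF namespace
ALLOWED = {"md5", "sha1", "sha256", "sha512"}

# Constructed sample data (assumption): not a real extension or update URL.
SAMPLE_LINK = "https://example.invalid/example-1.1.xpi"
SAMPLE_XPI = b"constructed stand-in for the bytes of an extension package"
SAMPLE_MANIFEST = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:extension:example@example.invalid">
    <em:updates><Seq><li><Description>
      <em:version>1.1</em:version>
      <em:targetApplication><Description>
        <em:updateLink>https://example.invalid/example-1.1.xpi</em:updateLink>
        <em:updateHash>
          sha1:DIGEST
        </em:updateHash>
      </Description></em:targetApplication>
    </Description></li></Seq></em:updates>
  </Description>
</RDF>""".replace("DIGEST", hashlib.sha1(SAMPLE_XPI).hexdigest())

def parse_update_hash(text):
    """Split 'algo:hexdigest' (surrounding whitespace tolerated)."""
    algo, sep, digest = text.strip().partition(":")
    algo, digest = algo.lower(), digest.strip().lower()
    if not sep or algo not in ALLOWED:
        raise ValueError("unsupported updateHash: %r" % text.strip())
    if len(digest) != hashlib.new(algo).digest_size * 2 or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed %s digest" % algo)
    return algo, digest

def verify_update(manifest_xml, link, package_bytes):
    """True only if the manifest entry for `link` declares a matching hash."""
    for entry in ET.fromstring(manifest_xml).iter():
        if entry.findtext(EM + "updateLink", "").strip() != link:
            continue
        declared = entry.findtext(EM + "updateHash")
        if declared is None:
            return False  # no hash declared, so there is nothing to check against
        algo, digest = parse_update_hash(declared)
        actual = hashlib.new(algo, package_bytes).hexdigest()
        return hmac.compare_digest(actual, digest)
    return False  # link not listed in the manifest
```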