Michael Vincent van Rantwijk
mv_van_rantwijk at yahoo.com
Wed Jun 6 12:00:56 PDT 2007
Onno Ekker wrote:
> This discussion has probably been going on on mozilla.org before, but since
> the Security Concerns have also reached mozdev, I'd like to put my two
> to it:
> Although I reckon that the hashing and secure downloads will prevent users
> from downloading false extensions from fake websites, it might also give
> them a false feeling of security. They do have the extension they wanted,
> but they have absolutely no guarantee on what that extension does.
The hash is only used to check the XPI integrity, nothing else.
> Even commercial extensions like google toolbar, yahoo, or
> del.icio.us bookmarks can have some kind of spyware functionality built
> in, to "assist" them in analyzing user behavior. They might even have
> put it in a disclaimer to which the user has agreed before using their
> software.
> The users might get a false feeling of security because of the secure
For people who _misuse_ the term security, yes, but we're most certainly
not going to that.
> I think mozilla and mozdev need to emphasize this...
This is a task for the responsible project leads.
> Am I right or did I miss something?
You were probably just a little misinformed because of the subject, which
I used at times not knowing what the hash code was used for, so pardon me.