[Project_owners] Security_Concerns

Michael Vincent van Rantwijk mv_van_rantwijk at yahoo.com
Wed Jun 6 12:00:56 PDT 2007


Onno Ekker wrote:
> This discussion has probably been going on on mozilla.org before, but since
> the Security Concerns have also reached mozdev, I'd like to put my two
> cents to it:
> 
> Although I reckon that the hashing and secure downloads will prevent users
> from downloading false extensions from fake websites, it might also give
> them a false feeling of security. They do have the extension they wanted,
> but they have absolutely no guarantee on what that extension does.

The hash is only used to check the XPI integrity, nothing else.

> Even commercial extensions like google toolbar, yahoo, or
> del.icio.us bookmarks can have some kind of spyware functionality built
> in, to "assist" them in analyzing user behavior. They might even have
> put it in a disclaimer to which the user has agreed before using their
> software.
> The users might get a false feeling of security because of the secure
> downloads.

For people who _misuse_ the term security, yes, but we're most certainly 
not going to do that.

> I think mozilla and mozdev need to emphasize this...

This is a task for the responsible project leads.

> Am I right or did I miss something?

You were probably just a little misinformed because of the subject, which 
I used at times not knowing what the hash code was used for, so pardon me.

Michael


