On 26/11/2009 15:35, Gervase Markham wrote:
> On 25/11/09 18:47, Kálmán „KAMI” Szalai wrote:
>> Today, one of the leading IT portals published an article about Firefox with
>> this title: "Firefox is not safety because of its extensions".
>
> That's like saying "Windows is not safe because of applications".

Or, "SSL has been breached because of phishing" ;)

It is true that to the technical mind that can unravel these things,
these are different things, but to the general public these can often
become the same one thing. So when they blame the big brand, they might
be wrong or inaccurate or just plain confused. Or they might have been
deceived, and now the deception is coming back to bite.
But the problem still exists. At a minimum, those protecting the big
brand will need to think about how to distance their brand from the
various not-so-clear things or utter slanders thrown at them.
And those who are concerned about security will know what happens next:
because each side now has a convenient excuse to blame someone else
for the problem, nothing will be done, and slowly the brand will acquire
a well-deserved reputation for being insecure. Seen it all before...
In thinking about extensions, one would think that providing a portal
for "friendly extensions" and dealing with only signed or otherwise
checked sources would be sufficient. Is there a sense that these
techniques aren't working?
Or is the problem out in the wild wild west where users are just
downloading any old shlock?

> Installing an extension is like installing an application on your
> machine - it's just as trusted as any other application.

Right. Having said that, how does one give the users the tools to
figure that out? Or is it the users' responsibility to figure it out by
themselves?
To some extent this is the same dilemma the banks find themselves in.
They were forced to use the platform, against good advice, and now find
the platform is biting them. What to do? They can't go back. And
there is no easy forward.
iang