On 29/11/2009 07:40, Kálmán „KAMI” Szalai wrote:
Do we have friendly extensions, or signed extensions? Could you describe
the validation process? Is it a go/no-go test or a detailed code
review? Is there a possibility that an author creates a good extension and
changes it to a bad extension for the 4th release? Will we have a
bugtracker to follow the possible (security) bugs in the extensions? Can
we introduce an "it is safe" tag for the really tested extensions?

I'm not part of the add-ons team, but I can try and answer anyway. Firefox, by default, will only install extensions from https://addons.mozilla.org - users can install addons from anywhere, but they have to go through a security warning and a few mouse clicks before Firefox will install addons from other sites.

The addons on the official site are reviewed, according to the process at https://addons.mozilla.org/en-US/developers/docs/policies/reviews

Installing an extension is like installing an application on your
machine - it's just as trusted as any other application.

Right.  Having said that, how does one give the users the tools to
figure that out?  Or is it the users' responsibility to figure it out
by themselves?

Yes, for example, can the extension steal the keystrokes? Should I
do netbanking only in the safe mode of Firefox?

As said above, extensions/addons are like installing an application. Extensions can steal keystrokes, but also get passwords from your computer, read your files, re-format your hard disk, or anything else. Addons have the same privileges on your computer as Firefox itself, so users need to have the same level of trust in addons as they do in Firefox, or other applications they install on their computer.

Michael
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
