On 2/6/2010 8:08 AM, David E. Ross wrote: > On 2/6/2010 7:04 AM, Eddy Nigg wrote: >> Isn't it about time that extensions and applications get signed with >> verified code signing certificates? Adblock Plus is doing for a while >> now I think, perhaps other should too? >> >> Because this isn't really comforting: >> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/ >> > > Do you know a source of free "verified code signing certificates"? Most > add-ons are freeware developed by individuals who do it as a hobby. > Requiring code-signing subscriber certificates would add a cost that few > could afford. > > For those who are concerned, I suggest that they only install add-ons > from <https://addons.mozilla.org/en-US/firefox/>, which is a Mozilla > Corporation site secured with a Verisign-signed site certificate. > Add-ons there go through some degree of review before being available to > the public; before such reviews are concluded, add-ons require a user to > logon to his or her own account and receive a warning that the review is > still underway. >
Oh! I just read the cited Web page. However, the malicious add-ons were what I described as "before such reviews are concluded". Stick with those add-ons from <https://addons.mozilla.org/en-US/firefox/> that can be obtained without logging-on. -- David E. Ross <http://www.rossde.com/>. Anyone who thinks government owns a monopoly on inefficient, obstructive bureaucracy has obviously never worked for a large corporation. © 1997 _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security