I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us). Code signing doesn't prevent malicious code from being inserted into an addon. Yes, it makes it much harder for hobbyist developers to create addons but doesn't stop the bad guys from getting their hands on *some* code signing cert, either by stealing one or via a shell company in some foreign country.

The real problem IMHO is that we allow unreviewed addons to be downloaded directly from AMO. As a secondary issue we also need more & better AV scanning, but that only gets you so far in the grand scheme of things.
  Lucas.

On Feb 6, 2010, at 7:04 AM, Eddy Nigg wrote:

Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus has been doing it for a while now, I think; perhaps others should too?

Because this isn't really comforting: 
http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
