On 02/06/2010 08:30 PM, Lucas Adamski:
> I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us).

In this case, perhaps - in another case you may well be left with the damage and never hear from the "developer".

> Code signing doesn't prevent malicious code from being inserted into an addon. Yes, it makes it much harder for hobbyist developers to create addons but doesn't stop the bad guys from getting their hands on *some* code signing cert, either by stealing one or via a shell company in some foreign country.

Errr... I hope not, otherwise what's the point of code signing certificates anyway?

> The real problem IMHO is that we allow unreviewed addons to be downloaded directly from AMO.

Yes, but is it feasible to review every add-on? Maybe it's not such a burden - and what about modifications of existing add-ons? Are they reviewed too?

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [email protected]
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
