I think such a document could go a long way to help people understand how 
Mozilla protects them, the limitations that are faced, and what happens when 
something goes wrong.  If they still feel like it isn't enough, then they can 
be prompted to suggest improvements to the process.

Speaking of improving the process, I agree with Daniel Veditz that the 
experimental add-ons should be made available on another site.  Even the term 
'experimental' gives the impression (to me anyway) that the add-on is potential 
beta quality, not potential pwnage.  Maybe 'unverified add-on' would be more 
appropriate.


- Bil


Sid Stamm wrote on 2/8/2010 3:56 PM: 
> Hi Bil,
> 
> I don't believe we have a document precisely along the lines of what you
> suggest (as far as I know) but we have these other documents that are
> sometimes helpful:
> 
> https://developer.mozilla.org/en/Security_best_practices_in_extensions
> https://addons.mozilla.org/en-US/developers/docs/policies
> https://addons.mozilla.org/en-US/developers/docs/policies/reviews
> 
> -Sid
> 
> On 2/7/10 10:02 AM, Bil Corry wrote:
>> Eddy Nigg wrote on 2/6/2010 7:04 AM: 
>>> Isn't it about time that extensions and applications get signed with
>>> verified code signing certificates? Adblock Plus has been doing so for a while
>>> now I think, perhaps others should too?
>>>
>>> Because this isn't really comforting:
>>> http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
>>
>> Not sure if it already exists, but it would be helpful if there was a 
>> document that describes the security practices of AMO; something that 
>> outlines the responsibilities of Mozilla, of the AMO developers, and the 
>> users, along with outlining the risks involved and what happens when they're 
>> realized (such as using the block mechanism).  That way, when news such as 
>> the above is reported, this document can be referenced.
>>
>> Threats to address, that at least I'm aware of:
>>
>> (1) Malware in add-ons (see above article)
>>
>> (2) Trusted add-ons subverting each other
>>
>>      http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
>>
>> (3) Untrusted add-ons doing bad stuff.
>>
>> (4) Fake add-ons posing as a trusted add-on:
>>
>>      http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00128.html
>>
>> (5) Trusted add-ons that pose a security risk:
>>
>>      http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
>>
>> (6) Subverting the update mechanism (this is for FF, but might apply to 
>> add-on updates too?):
>>
>>      http://ha.ckers.org/blog/20100204/releasesmozillaorg-ssl-and-update-fail/
>>
>> (7) Subverting the blocklist mechanism (to disable, say, noscript):
>>
>>      https://support.mozilla.com/en-US/kb/Add-ons+Blocklist
>>
>>
>> I'm sure there are many many more.
>>
>> BTW, this presentation from OWASP DC names Eddy Nigg, Giorgio Maone, and 
>> developers at Mozilla (among others) as "The 10 least-likely and most 
>> dangerous people on the Internet":
>>
>>      http://www.owasp.org/images/1/1f/The_10_least-likely_and_most_dangerous_people_on_the_Internet_-_Robert_Hansen.pdf
>>
>>
>> - Bil
> 

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
