On 02/09/2010 11:50 PM, David E. Ross:
On 2/6/2010 7:04 AM, Eddy Nigg wrote:
Isn't it about time that extensions and applications get signed with
verified code signing certificates? Adblock Plus is doing for a while
now I think, perhaps other should too?
Because this isn't really comforting:
http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
I just now noticed that this discussion was not cross-posted to
mozilla.dev.extensions. Should not input from extension developers be
considered?
I'm now cross-posting this reply to mozilla.dev.extensions with
follow-ups back to the newsgroups where this originally appeared:
mozilla.dev.security and mozilla.dev.security.policy.
And here just another reason to sign (addon) code:
http://blog.ivanristic.com/2010/02/firefox-extension-installation-process-vulnerable-to-mitm-attack-.html
Apparently this is going to be fixed, the next issue will come up for
sure...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
