Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 7:04 AM, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? Because this isn't really comforting:

Re: Firefox Add-ons

2010-02-06 Thread David E. Ross
On 2/6/2010 8:08 AM, David E. Ross wrote: On 2/6/2010 7:04 AM, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? Because this isn't really

Re: Firefox Add-ons

2010-02-06 Thread Lucas Adamski
I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us). Code signing doesn't prevent malicious code from being inserted into an

Re: Firefox Add-ons

2010-02-06 Thread Michael Lefevre
On 06/02/2010 15:04, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? I don't know if more details are available than have been published so far,

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 08:30 PM, Lucas Adamski: I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating with us). In this case perhaps - in another case

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 08:42 PM, Michael Lefevre: On 06/02/2010 15:04, Eddy Nigg wrote: Isn't it about time that extensions and applications get signed with verified code signing certificates? Adblock Plus is doing for a while now I think, perhaps other should too? I don't know if more details are

Re: Firefox Add-ons

2010-02-06 Thread Jean-Marc Desperrier
On 06/02/2010 19:47, Eddy Nigg wrote: But I guess you would think twice to sign (malicious) code with your name - any code for that matter. How hard is it to sign it with a cert you bought with a stolen credit card number, using the name from the card ? A 50$ code signing certificate just

Re: Firefox Add-ons

2010-02-06 Thread Eddy Nigg
On 02/06/2010 10:58 PM, Jean-Marc Desperrier: On 06/02/2010 19:47, Eddy Nigg wrote: But I guess you would think twice to sign (malicious) code with your name - any code for that matter. How hard is it to sign it with a cert you bought with a stolen credit card number, using the name from the