I wonder if it would be worth an Android-app-style 'this addon is requesting the following capabilities' dialogue. I know most users would just click through without reading it, but it makes it a lot less likely to go unnoticed if some addon suddenly starts trying to do something completely unexpected.
Posted Jul 23, 2010 3:53 UTC (Fri) by zooko (subscriber, #2589)
The Mozilla Jetpack project is an attempt to make a framework for add-ons which is auditable and confinable. If successful, Jetpack will make it easy to prevent this sort of backdoor without requiring auditors to carefully pick apart reams of confusing code and without popping up annoying and useless "Is it OKAY?" dialog boxes that the user will learn to autoclick.
Honestly, I'm pretty damned excited about Jetpack. Long-time readers of LWN.net might notice that I always post a comment after one of these articles bemoaning the futility of combatting malware by controlling authorship of code and by auditing enormous codebases. I've often alluded to the possibility of a better system based on confinement and dynamic access controls (i.e. capabilities). Jetpack is finally an attempt to do it that way.
Disclosure: Jetpack is being designed by my good friend and long-time collaborator (on the Tahoe-LAFS project) Brian Warner. Even if I didn't already think the basic idea was super great I would be biased towards liking Jetpack just because Brian Warner is awesome.