A trojan in a Firefox security add-on

Posted Jul 22, 2010 12:03 UTC (Thu) by nix (subscriber, #2304)
In reply to: A trojan in a Firefox security add-on by elanthis
Parent article: A trojan in a Firefox security add-on

> For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so?

Because users would immediately be bombarded by so many of these messages that they'd soon learn to just click 'yes' at all times? (Hell, they've been well-trained to do that already by other equally useless 'security' warning dialogs.)


security policy

Posted Jul 22, 2010 15:30 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Also, this is a plugin to a _web browser_. So, suppose we "forbid" the plugin from sending data to a web site. Instead, it finds an IMG in a web page and rewrites it to be an indirect, sending the data to a web site and returning the original image. Of course there are a million variations on this theme, many of which look (to a machine anyway) indistinguishable from legitimate actions.

The big problem with security policies is finding something that users can understand correctly. This is a big research topic. It is often possible to create something which _technically_ works but which almost no-one will operate correctly; for an end user application like Firefox this is plainly useless (whether it is useless in more specialised applications is up for debate).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds