Gervase Markham wrote:
>
> The question is: how much harder is "harder"? Anyone can write an
> extension and make it available for free to the world today, paying not
> a penny. OK, so the service isn't instantaneous, and they don't get
> great stats. But it's free!
>

Gerv, I think stats is something which could be improved perhaps? How hard would this be? But I must confess that I don't have a big idea how the Mozilla Addons site is organized etc...

> Let's also compare this with the digital signature solution proposed.
> That doesn't make things harder in terms of money - anyone can generate
> a key pair - but it does make things harder in terms of process
> complexity, and the need to guard your key. It also has the potential
> for a bad user experience if the addon author screws up the signing for
> their latest update.
>
> I'm really finding it hard to see the big win that all this effort
> produces...

I think security should be improved somewhat in that respect. I always thought it funny that whenever I installed an extension on FF or TB, this warning popped up, saying the software isn't signed. However, up to date I never encountered a signed one... it started to be some kind of routine to wait for the Install button to appear...
But there are different options to achieve a better and secure mechanism perhaps. Certificates might be one (we could make an effort and start to provide ours faster if needed), but also some hash embedded into the software could be another one... The correct hash could be served from a secured web site, which would - by comparing the hash - make it reasonably secure? Serving the download of the software itself via SSL isn't really the best idea (even if possible), but since they are most likely served from different mirrors I guess this is not a viable option. Except that, how can one guarantee that the parent application (FF, TB etc) wasn't tampered with in the first place?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
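
The hash comparison suggested in the message above, as an added example that is not part of the original post or of any Mozilla code: the package comes from an untrusted mirror, and the expected SHA-256 comes from a manifest assumed to have been fetched over TLS from the trusted site. The manifest layout, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

# Constructed sample data: stands in for an add-on package on a mirror.
GOOD_XPI = b"PK\x03\x04 constructed add-on package v1.2"
TAMPERED_XPI = GOOD_XPI + b" plus injected code"

# Assumption: this manifest was fetched over TLS from the trusted site,
# so someone who controls only a mirror cannot change it.
TRUSTED_MANIFEST = {
    ("example-addon", "1.2"): hashlib.sha256(GOOD_XPI).hexdigest(),
}


def sha256_stream(fileobj, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large packages are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(addon_id, version, fileobj, manifest=TRUSTED_MANIFEST):
    """Return (ok, reason); the caller installs only when ok is True."""
    expected = manifest.get((addon_id, version))
    if expected is None:
        # Fail closed: a version the trusted site does not list is rejected.
        return False, "no trusted hash for this add-on/version"
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "hash mismatch: mirror copy differs from published one"
    return True, "hash matches trusted manifest"


if __name__ == "__main__":
    for label, data in (("good", GOOD_XPI), ("tampered", TAMPERED_XPI)):
        print(label, verify_download("example-addon", "1.2", io.BytesIO(data)))
    print("unlisted", verify_download("example-addon", "9.9", io.BytesIO(GOOD_XPI)))
```

The check is only as trustworthy as the channel that delivered the manifest and the application performing the comparison, which is the question the message closes on.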