| Line 82: | Line 82: | ||
== Review comments == | == Review comments == | ||
[http://blog.mozilla.com/security/2009/10/13/mozilla-plugin-check-now-live/ concern] that some plugin installers include foistware. | * [http://blog.mozilla.com/security/2009/10/13/mozilla-plugin-check-now-live/ concern] that some plugin installers include foistware. | ||
* how many lists of plugins/versions do we have, between PFS and the plugincheck website and the blocklist? | |||
how many lists of plugins/versions do we have, between PFS and the plugincheck website and the blocklist? | *do we show the infobar for both "just outdated" and "outdated and has security holes"? | ||
** We're constrained to "outdated", "softblock", and "hard block" :( So it's hard to block and let users know there's a newer version available. | |||
do we show the infobar for both "just outdated" and "outdated and has security holes"? | *is there a pref for "automatically disable outdated plugins" for our more paranoid users? | ||
* We're constrained to "outdated", "softblock", and "hard block" :( So it's hard to block and let users know there's a newer version available. | ** There's a threshold pref, extensions.blocklist.level. Setting it to 0 should make "outdated" plugins get disabled. | ||
*is the blocklist transferred to users in a way that's authenticated, or it is vulnerable to MITM? | |||
is there a pref for "automatically disable outdated plugins" for our more paranoid users? | ** The default plugins.update.url is on https://www.mozilla.com/, but who knows what Ubuntu's is | ||
* There's a threshold pref, extensions.blocklist.level. Setting it to 0 should make "outdated" plugins get disabled. | *since the warning is an infobar, can users tell the difference between our feature (sending them to adobe.com) and a malicious advertisement (sending them elsewhere)? | ||
** Clicking "there is a newer, safer version available" actually takes you to mozilla.com plugincheck page, which as of 3.6, has access to full version number information. | |||
is the blocklist transferred to users in a way that's authenticated, or it is vulnerable to MITM? | |||
* The default plugins.update.url is on https://www.mozilla.com/, but who knows what Ubuntu's is | |||
since the warning is an infobar, can users tell the difference between our feature (sending them to adobe.com) and a malicious advertisement (sending them elsewhere)? | |||
* Clicking "there is a newer, safer version available" actually takes you to mozilla.com plugincheck page, which as of 3.6, has access to full version number information. | |||
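Review bot: the list markup added on the right-hand side is inconsistent. The first two items have a space after the asterisk ("* [http://..." and "* how many"), while the other top-level items ("*do we show", "*is there a pref", "*is the blocklist", "*since the warning") have none; use one form throughout. Since these lines are being touched anyway, "or it is vulnerable to MITM" should read "or is it vulnerable to MITM". The reply under that question also cites plugins.update.url, while the question is about how the blocklist itself is transferred; it should name the URL the blocklist is fetched from and say whether that is https, and the open point about non-default builds ("who knows what Ubuntu's is") deserves its own follow-up item.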