Talk:Extension Blocklisting:User Interface


CheckSums and PGP/GPG Keys

First, I'm very glad to see this work in progress; it has been a long time coming, and with all security measures there needs to be a balance between risk/reward and usability/security. http://forums.mozillazine.org/viewtopic.php?p=1788769#1788769 http://forums.mozillazine.org/viewtopic.php?p=1791084#1791084 http://forums.mozillazine.org/viewtopic.php?t=63373

The notification wizards described are dumbed down too much, and don't imply enough warning or details on how vulnerable packages were determined. These dialogs bear a striking resemblance to the Windows "Unsigned Driver" warning, which most users don't read anymore & click through.

I really dislike the blacklisting stereotype, and the vague reasons given for why an extension would be on this list. If an extension has a known vulnerability or new exploit, it should refer the user to the published description of the vulnerability (US-CERT Vulnerability Notes Database) and/or the author's website for discussion and support.

Extension and Plugin devs that wish to submit code for inclusion on the Mozilla Update site should be encouraged to sign their packages with PGP/GPG keys, which someone at Mozilla.org can verify on a key server. It should be someone's job (or build community infrastructure) to test and audit the extensions, verify the keys or repackage with a standard Mozilla key and validate CheckSums. The MD5 and SHA1 checksums should be made public, for anyone to validate, and any blacklist error messages a user gets when attempting to install the extension should indicate that either the signed PGP/GPG keys or CheckSums do not match.

http://www.openoffice.org/dev_docs/using_md5sums.html http://download.openoffice.org/2.0.0rc/md5sums.html
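The checksum side of the proposal above, as an added example that is not part of the original comment and not Mozilla's code: it checks a package against a published md5sum/sha1sum-style list and returns a specific reason an install dialog could show. The package name, bytes and manifest are constructed; PGP/GPG verification is not covered, and SHA-256 lines are also accepted, which goes beyond the MD5/SHA1 named in the comment.

```python
import hashlib
import hmac

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdef")

def parse_manifest(text):
    """Parse md5sum/sha1sum-style lines ("<hex digest>  <filename>")."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # "*" marks binary mode in md5sum output
        digest = digest.lower()
        if name and len(digest) in ALGO_BY_HEX_LEN and set(digest) <= HEX_CHARS:
            entries.setdefault(name, []).append(digest)
    return entries

def check_package(name, data, manifest):
    """Return (ok, reason); every published digest for the package must match."""
    published = manifest.get(name)
    if not published:
        return False, f"{name}: no published checksum, cannot validate"
    for digest in published:
        algo = ALGO_BY_HEX_LEN[len(digest)]
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False, f"{name}: {algo.upper()} checksum does not match the published value"
    return True, f"{name}: all {len(published)} published checksums match"

# Constructed sample: a fake package and the checksum list a publisher would post.
PACKAGE = b"constructed sample extension package bytes"
MANIFEST_TEXT = "\n".join([
    "# constructed checksum list",
    f"{hashlib.md5(PACKAGE).hexdigest()}  sample-extension.xpi",
    f"{hashlib.sha1(PACKAGE).hexdigest()} *sample-extension.xpi",
])
MANIFEST = parse_manifest(MANIFEST_TEXT)

if __name__ == "__main__":
    print(check_package("sample-extension.xpi", PACKAGE, MANIFEST))
    print(check_package("sample-extension.xpi", PACKAGE + b"!", MANIFEST))
    print(check_package("other.xpi", PACKAGE, MANIFEST))
```

A checksum list fetched from the same server as the package only catches corruption or a partial swap; the signature check the comment also asks for is what ties the package to a key.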

More information link, button?

About the 'we're not letting you install this' dialog: trivial point, but since there's a mockup to pick holes in... the 'More information' link should probably be a button (alongside OK) and not a link, as you'll want it to close the dialog too. Quen 04:50, 20 Feb 2006 (PST)
