Comments on: Malicious XPIs run executable binaries

By: Minh Nguyễn

Minh Nguyễn — Thu, 01 Jan 1970 00:00:00 +0000

I’m not so sure that David Tenser verifying all the XPIs alone would scale too well. :)

By: Dark Reflexions

Dark Reflexions — Thu, 01 Jan 1970 00:00:00 +0000

Disappointing
A malicious Firefox .XPI was created I’m just gunna trackback and link you to the blog of a person I know (internet-wise), because his post was very well written. It will be fixed by the Mozilla developement project somehow, but…

By: Cheah Chu Yeow

Cheah Chu Yeow — Thu, 01 Jan 1970 00:00:00 +0000

Verified by whom? mozilla.org?

I’d say a good, trusted authority is good enough. The people at mozdev.org, David Tenser, mozilla.org are possible candidates.

By: 0zone

0zone — Thu, 01 Jan 1970 00:00:00 +0000

There should be a team that checks packages that are submitted, if the team finds that the packages are ok then they add the file name and md5 of the file to a database that gets checked by the installer. If the installer can’t find the entry then it should display a warning stating that the package could not be verified and ask them if they want to continue (no should be default).

By: Jesse Ruderman

Jesse Ruderman — Thu, 01 Jan 1970 00:00:00 +0000

“Best solution, to me? Verified and digitally signed XPIs are allowed to run without hindrance.”

Verified by whom? mozilla.org?