Talk:Extension Blocklisting:User Interface

From MozillaWiki
Jump to: navigation, search

Messaging

Only nit, no contractions so, "This Extension is not secure." "Known to be danger and can not be installed."


CheckSums and PGP/GPG Keys

First I'm very glad to see this work in progress, it has been long time coming and with all security measures there needs to be a balance between risk/reward and useability/security. http://forums.mozillazine.org/viewtopic.php?p=1788769#1788769 http://forums.mozillazine.org/viewtopic.php?p=1791084#1791084 http://forums.mozillazine.org/viewtopic.php?t=63373

The notification wizards described are dummied down too much, and don't imply enough warning or details on how vulnerable packages were determined. These dialogs bear a stricking resemblance to the windows "Unsigned Driver" warning, which most users don't read anymore & click through.

  • The details will be available on the blocklist web page. An important difference regarding any similarity between windows "Unsigned Driver" warning is that there is no option to ignore the warning. -- Robert Strong 12:49, 5 Mar 2006 (PDT)

I really dislike the blacklisting sterotype, and the vague reasons given for why a n extension would be on this list. If an extension has a known vulnerability or new exploit, it should refer the user to the published description of the vulnerability US-CERT Vulnerability Notes Database and/or the authors website for discussion and support.

  • The details will be available on the blocklist web page which will be hosted on mozilla.com. The reasons why an extension is blocklisted will be available there and they should never be vague. I hope to have guidelines available as to what will cause an extension to be added to the blocklist and the general process that will take place which would include notification to the extension author prior to blocklisting except for security issues. -- Robert Strong 12:49, 5 Mar 2006 (PDT)

Extension and Plugin devs that wish to submit code for inclusion on the Mozilla Update site should be encouraged to sign their packages with PGP/GPG keys, which someone at Mozilla.org can verify on a key server. It should be someones job (or build community infrastructure) to test and audit the extensions, verify the keys or repackaged with a standard mozilla key and validate CheckSums. The MD5 and SHA1 checksums should be made public, for anyone to validate, and any blacklist error messages a user gets when attempting to install the extension should indicate that the either the signed PGP/GPG keys or CheckSums do not match.

http://www.openoffice.org/dev_docs/using_md5sums.html http://download.openoffice.org/2.0.0rc/md5sums.html

  • All points to think on but outside of the scope for blocklisting. -- Robert Strong 12:49, 5 Mar 2006 (PDT)

More information link, button?

About the 'we're not letting you install this' dialog: trivial point, but since there's a mockup to pick holes in... the 'More information' link should probably be a button (alongside OK) and not a link, as you'll want it to close the dialog too. Quen 04:50, 20 Feb 2006 (PST)

This page uses an insecure plugin

"This page uses an insecure plugin" isn't good because it blames the page, and because it doesn't make it sound like the user has a good way to make the page work. How about "This page uses a plugin that you need to update"?