Shostack + Friends Blog Archive

 

Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability. Things like “Your browser will issue a warning. To use this site, click ‘please screw me.’” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.