Re: Pros and cons of different add-on install methods


Jorge Villalobos Mar 5, 2012 1:51 PM
Posted in group: mozilla.dev.platform
On 3/5/12 12:53 PM, Asa Dotzler wrote:
> On 3/5/2012 6:49 AM, Jorge Villalobos wrote:
>> On 3/5/12 6:27 AM, Gervase Markham wrote:
>>> On 03/03/12 16:51, Jorge Villalobos wrote:
>>>> It should
>>>> be up to users to decide who they trust.
>>>
>>> Although this example comes freighted with baggage, I would point out
>>> that this is not Mozilla policy in other areas, e.g. with root CAs. If
>>> we had this policy, every time Mozilla encountered a cert chaining to a
>>> new root, even a built-in one, we would pop a dialog saying:
>>>
>>> "Do you trust Verisign?"
>>>
>>> or
>>>
>>> "Do you trust Comodo?"
>>>
>>> or whoever, as appropriate. But we don't; the user delegates the trust
>>> decision to us and, within the currently-possible technical parameters,
>>> we attempt to do a good job of choosing who to trust for them, and not
>>> bothering them with it. The system has flaws, but millions of dollars of
>>> commerce a day successfully transacted suggest that it works for lots of
>>> people.
>>>
>>> Gerv
>>
>> Well, if you visit, say, AMO and you're asked if you trust Verisign, I
>> don't think users can make any meaningful decisions there, given that
>> there's no apparent connection between the two. The groups handling
>> these certs are unknown to most and are for the most part unrelated to
>> the sites being visited.
>>
>> In the case of add-on installation, I would expect most review
>> signatures would either say Mozilla or the name of the add-on developer,
>> so it would make more sense to ask the question. "You are trying to
>> install ScriptScan, reviewed by McAfee". This is not dissimilar to the
>> security dialog that shows up when you try to install software on
>> Windows, where signed binaries will have messaging that indicates who
>> signed them and (I think) have a way to opt out of the warning for
>> specific signatures.
>>
>> Also, prompting users to accept every cert would make the web unusable
>> for them, and they would just learn to automatically dismiss the dialogs, so
>> there are practical considerations. Add-on installations should be rare
>> enough that it shouldn't be that big of a deal to have a single warning.
>> But we do suffer the same problem with users getting used to the
>> warnings and actively ignoring them, which is one of the reasons we're
>> having these discussions.
>>
>> - Jorge
>
> I think you've missed Gerv's point. As I read it, what he's said is a
> direct response to your claim "It should be up to users to decide who
> they trust." He points out that is simply not true and has never been
> true. Mozilla makes many trust decisions on behalf of users and blanket
> statements that suggest otherwise are plainly incorrect. We have plenty
> of precedent for making trust decisions on behalf of our users.
>
> - A

My point was that we should give users choice and control when
reasonable and effective. I gave some reasons why I think that it isn't
reasonable or effective to do so with CAs.

The real question is, why should we make these trust decisions for our
users in this case?

- Jorge