[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Godmar Back godmar at gmail.com
Tue Jul 19 01:09:03 EDT 2005


Consider this:

when installing an extension, Mozilla makes you jump through hoops:
first you have to click on the "mozilla prevented blabla" from running
on this page.  Then you have to click "Allow site", then click install
again.  Then it makes you wait 1 second.  Then you get another
warning.

Why do you think Mozilla's designers decided on that procedure if the
same degree of trust  that extension developers earn only through that
tedious procedure is then passed on by some of them with the click of
a single button, without warning the user?

Secondly, there are richer security models than the 'all-or-nothing'
model pioneered by ActiveX.  So no, I do not grant "at least the right
to read all my files" when installing a GM script, and I don't require
that users of my GM scripts grant me that right.

I do acknowledge that noone has come up with a way to efficiently
manage a large set of ACLs - this is still an active area of research.
 I also recognize that many people apparently don't think twice before
granting all privileges - the consequences are discussed here:
http://it.slashdot.org/article.pl?sid=05/07/18/2157210&tid=220&tid=201&tid=137

That is why more fine-grained security models have been developed.
Consider, for instance, NSA's SE Linux as an example in a completely
different domain.

 - Godmar

On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> > How many people want to grant GM script writers access to their local
> > harddrive when they install a GM script?
> 
> You give at least that trust to extension authors.  Are they more
> trustworthy because they can manage to write more complex code?
> 
> No, there is a (non-technical) mechanism in place to regulate evil
> extensions.  So it is with user scripts.  The story's been consistent
> -- don't install scripts you're not sure about.
> 
> The sky is not falling.
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>


More information about the Greasemonkey mailing list