(wiki.mozilla.org)

288 points fernandotakai | 5 comments | 11 Aug 15 03:51 UTC | HN request time: 0.833s | source

1. hobarrera ◴[11 Aug 15 14:15 UTC] No.10041187[source]▶

> [...] plugins don't need to be signed.

So the worst kind of threat is still there. Great job, Mozilla!

2. fernandotakai ◴[11 Aug 15 14:24 UTC] No.10041250[source]▶

yup, and that's what i don't get. statistically, plugins like java and flash are a bigger security threat than addons. i don't even remember an addon going rogue.

replies(1): >>10041276 #

3. hobarrera ◴[11 Aug 15 14:28 UTC] No.10041276[source]▶

>>10041250 #

I also quite clearly recall mozilla stating that plug-ins are responsible for over 95% of all browser crashes.

4. MacsHeadroom ◴[11 Aug 15 14:48 UTC] No.10041442[source]▶

>>10041187 (TP) #

That's because plugins are going to need to be white-listed (modifiable via about:config). The win64 (beta) edition of Firefox only allows the Flash Player Plugin, for example.

replies(1): >>10042147 #

5. nightpool ◴[11 Aug 15 16:12 UTC] No.10042147[source]▶

>>10041442 #

isn't this still vulnerable to the attack reported up-thread where whatever malware just goes and changed about:config before installing their plugin? (and the reason that the addon opt-out is being removed from ff42)

↑

Firefox 42 will not allow unsigned extensions