in fact even that isn't really true!:D
as i have already written in my reponse further up (1) windows update frequently downloads tiny executables that run quietly not displaying any progress but when you look at what is happening (preferebly through iptraf on a routing *nix box) you'll be certainly suprised what i happening. even uploads of half a megabyte aren't that unusual...
(1) http://it.slashdot.org/comments.pl?sid=133440&thre shold=1&commentsort=0&tid=172&mode=thread&cid=1114 3905
"It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"
In fact, like many others before me already said: Firefox requires the user to explicitly state that he/she wants to even start the install procedure of a plugin. If the very same person then does not even read what's displayed and acts accordingly, it's his/her own fault. I have a strong feeling most people - running IE and related products - are used to be clicking OK in dialog boxes without care for there are so many, popping up in all kinds of situations, not saying anything understandable for the non-techie/MCSE or anything reasonable at all. A default (in my opinion) is not an security issue if it does not automaticly become effective as long as the user does not say so or is informed beforehand! (Which is not the case for IE's default setup!) There might as well be a box where "OK" and "Cancel" where switched by an already installed worm, right? Stupid (I know), but very possible!:-)
And how come I am not told were my windows update tool get's his data from? Why do certain updates seem to not do anything for minutes while they happily download further data from servers that sometimes might not even have a registered domain? On top of that, they install additional (to me) unknown stuff not even asking the me if I really wants to or for what reason! The worst thing about this I will never know what happened even if I were up to research, as I would most certainly end up violating some licenses that I have agreed on previously.
Another problem I see is that when I tell IE only to run ActiveX controls and other kinds of programs on userinput, why I only can say "Yes", I want to or "No", I do not? Why doesn't it tell me where that script came from at least? Or let me even browse its source (if available) without auditing previous (somtimes heavily) hirached HTML before???
Yes, I do agree when some people say, that they do not trust Verisign either. Sincerely, I do not understand what would make the enduser, not knowing what PGP or even encryption is, suddenly care for signed software products? The decision wether he/she trusts a package or not should always be left in his/her hands as it is his/her computer he/she bought and has a right to use it, for whatever (legal or not) thing he wants to, in the way he/she likes it best. Of course he/she should be aware of the responsibilty that requires as well. Instead of teaching these things from the start, some products available per default, seem to trick the unaware person into thinking otherwise easily.
Best regards from a happy KDE 3.3.2 user who trusts the Archlinux package repository, knowing where the source is available from, who wrote it, where it was downloaded from, who maintains that package per name and e-mail, how it was compile, which patches were applied and could even easily refuse to trust those and make his own in a breeze! Not only for Firefox...;-)
Slashdot Mirror
in fact even that isn't really true! :D
as i have already written in my reponse further up (1) windows update frequently downloads tiny executables that run quietly not displaying any progress but when you look at what is happening (preferebly through iptraf on a routing *nix box) you'll be certainly suprised what i happening. even uploads of half a megabyte aren't that unusual...
(1) http://it.slashdot.org/comments.pl?sid=133440&thre shold=1&commentsort=0&tid=172&mode=thread&cid=1114 3905
"It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"
:-)
;-)
In fact, like many others before me already said: Firefox requires the user to explicitly state that he/she wants to even start the install procedure of a plugin. If the very same person then does not even read what's displayed and acts accordingly, it's his/her own fault. I have a strong feeling most people - running IE and related products - are used to be clicking OK in dialog boxes without care for there are so many, popping up in all kinds of situations, not saying anything understandable for the non-techie/MCSE or anything reasonable at all. A default (in my opinion) is not an security issue if it does not automaticly become effective as long as the user does not say so or is informed beforehand! (Which is not the case for IE's default setup!) There might as well be a box where "OK" and "Cancel" where switched by an already installed worm, right? Stupid (I know), but very possible!
And how come I am not told were my windows update tool get's his data from? Why do certain updates seem to not do anything for minutes while they happily download further data from servers that sometimes might not even have a registered domain? On top of that, they install additional (to me) unknown stuff not even asking the me if I really wants to or for what reason! The worst thing about this I will never know what happened even if I were up to research, as I would most certainly end up violating some licenses that I have agreed on previously.
Another problem I see is that when I tell IE only to run ActiveX controls and other kinds of programs on userinput, why I only can say "Yes", I want to or "No", I do not? Why doesn't it tell me where that script came from at least? Or let me even browse its source (if available) without auditing previous (somtimes heavily) hirached HTML before???
Yes, I do agree when some people say, that they do not trust Verisign either. Sincerely, I do not understand what would make the enduser, not knowing what PGP or even encryption is, suddenly care for signed software products? The decision wether he/she trusts a package or not should always be left in his/her hands as it is his/her computer he/she bought and has a right to use it, for whatever (legal or not) thing he wants to, in the way he/she likes it best. Of course he/she should be aware of the responsibilty that requires as well. Instead of teaching these things from the start, some products available per default, seem to trick the unaware person into thinking otherwise easily.
Best regards from a happy KDE 3.3.2 user who trusts the Archlinux package repository, knowing where the source is available from, who wrote it, where it was downloaded from, who maintains that package per name and e-mail, how it was compile, which patches were applied and could even easily refuse to trust those and make his own in a breeze! Not only for Firefox...