User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20070309 Firefox/184.108.40.206
Build Identifier:
This isn't really a bug, but I wasn't sure where to report it, so I am reporting it here. My apologies if this is an inconvenience. I am a Windows user, and as you probably know, there is lots of malware on this platform. I did a Google search for "Chatzilla" and landed at Chatzilla's page on mozilla.org. But I was confused when I clicked the download link and I was sent to "hacksrus.com", a site I had never heard of before and which sounded very, well, unprofessional to say the least. After searching for the download link (which took me longer than I would've liked), I was disappointed to find that not only was the download coming from a tilde'd user directory ("~grinda"), it was also unsigned. This lack of any kind of trust information (unknown, suspicious sounding website and a non-signed installer) did a lot to dissuade me from making the download and as such you may want to consider either hosting the installer on mozilla.org, code-signing the installer, or both.
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
It's available from the Add-ons site as well... https://addons.mozilla.org/en-US/firefox/addon/16
1) https://addons.mozilla.org/en-US/firefox/addon/16
2) The ChatZilla name is trademarked by some company (see the redirect which used to be on http://www.chatzilla.com and probably still is). It prevents us from getting a really nice domain name for such purposes.
3) The link should actually have taken you to http://chatzilla.hacksrus.com/ which doesn't have the ~ directory. I'll check it in a bit and probably change it later tonight if that still isn't fixed.
4) Extension signing is hard, and getting a real certificate for it which is recognized by the default Firefox install is also hard. I'm not sure we want to go to that trouble, but I suppose it's a valid request.
Confirming based on 3) and 4).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks for the quick response! 1) is good, I only wish that's where Google had taken me. Have you considered linking to that page from the hacksrus site?
The new website, which we're working to deploy sometime soon, has the download link pointing at https://addons.mozilla.org/addon/16 (redirects to full URL).
James, can I get r+ from you to adjust the current m.org website to use chatzilla.hacksrus.com instead of rginda's user dir? That'd be great.
Absolutely! r=silver on any ChatZilla m.org URL fixes. (Just leave a list of pages changed in the bug.)
OS: Windows XP → All
Hardware: PC → All
Version: unspecified → Trunk
Alright, this should show up on the website in about an hour or so. I only had to touch index.html and style.html in http://www.mozilla.org/projects/rt-messaging/chatzilla/ . I'll morph this bug now into telling us the new website needs to get online, and I'll assign that to you James as you're working on it :-). We need to clean up the other pages in there for other things (the moztips faq is so badly out of date, for example, that I'd think we'd better remove it from the list of linked stuff, and we should add stuff like tH's pages, or possibly just integrate his and my own stuff on the websites we have into cz.hacksrus.com, assuming Robert's ok with that). Severity major just because I can, and because I think the website can't really get any worse from these changes. We should definitely be a bit more presentable. Personally, I think the signing issue is WONTFIX unless we're forced to (there's rumours (only rumours so far!) about that for addons.m.o) or unless we can actually easily get a cert that is recognized by moz by default.
Assignee: rginda → silver
Severity: normal → major
Summary: Chatzilla does not appear to be trust-friendly → Get new ChatZilla website online
Oh, addendum - or if we can get some help from MoCo in getting us a cert. Not sure how possible or desirable that is - James, reckon we want to ask the community giving program for money for a cert (at least, I'm pretty sure a cert that actually gets recognized will cost us money). As in, do we care enough to do that? :-)
I did some brief searching and found this statement from http://certs.mozdev.org/cadraft.html:
--
Digital signatures originate from a certificate authority (CA), an organization that claims responsibility for any digital signature it creates. CAs act as gatekeepers by allowing only people who the organization trusts to create digital signatures. Large CAs like Verisign, whose certificates come preinstalled in many web browsers, enforce validity through large fees. For example, if you can afford $600, then you are an organization with whom the CA would be glad to associate. That $600 then also buys your application respectability with users' web browsers. You can see the CAs that come with the Mozilla browser by going to Privacy & Security > Certificates in your preferences panel and then by selecting the Manage Certificates option. Of the different types of CAs -- there's a type for SSL connections, for example, and another one for S/MIME -- the Netscape Object Signing certificate is what matters for signed applications. Fortunately, to get your remote applications signed by a CA, you don't have to pay for a Verisign Netscape Object Signing CA because other options are available. You can use the MozDev CA, for example, and even create your own. The next section tells you how to use Mozilla tools to become your own certificate authority so you can sign your own applications and those of other Mozilla developers. The Section 12.6 section later in this chapter uses the MozDev CA to discuss both avenues.
--
I looked in my own Mozilla certificate store and I do not appear to have a MozDev CA installed by default, though, so I'm not sure how viable this is. But honestly I am a little surprised that an open-source platform like Mozilla doesn't have a free, open CA that requires stricter proof of trust (such as a face-to-face meeting between a representative of the CA and the client) instead of lots of money, which IMO is a flawed way to ensure trust in the first place.
In any case, though, I agree with Gijs regarding the WONTFIX--when I originally filed this bug, the fact that the Chatzilla installer wasn't digitally signed was really just icing on the cake. Normally I trust files when they simply come from a site I trust, such as mozilla.org, so it was really the combination of everything that made the installer seem suspicious that had me worried. So in other words, I think that doing everything you've already done is enough. A digital signature would be really nice, but IMO isn't required, especially if you tell people to download from addons.mozilla.org. By the way, I am impressed at the promptness at which this issue was resolved. On Windows, Chatzilla is a wonderful alternative to mIRC (not just because it's free--CZ is actually much *better* than mIRC and I'd sooner pay for the former than the latter) so I will be recommending it.
(In reply to comment #9): Just realised I hadn't gotten to this yet: Thanks for your support, and glad you like ChatZilla :-). Getting compliments in a bug is a nice change from the "I've been waiting to see a fix for six years now, you guys suck!" comments that are more common ;-).
So er, James, how is the new website coming?
Can we call it done for now? The new site is live and directs people to addons.mozilla.org for download, etc.
If we close the bug does that mean we never get to see the pages that are currently commented out of site.js? :p
Developers area and API have landed. Getting there!