Closed Bug 929474 Opened 11 years ago Closed 11 years ago

Add plugin check natively into Firefox

Categories

(Toolkit :: Add-ons Manager, defect)

RESOLVED DUPLICATE of bug 602795

People

(Reporter: BenB, Unassigned)

Details

Right now, we have a webpage-based plugin check that enumerates all plugins and checks whether any of them contain any known security holes, and if so, warns about them.

This is a great and very useful idea to make the end users more secure. The fact that this is just a webpage is nice, but
* the user has to navigate to the page. It can be done as part of the "welcome page" after a browser update, but that's only every 6 weeks, which is way too slow for security updates
* the plugin enumeration will go away (bug 757726).

I therefore suggest making the plugin check similar to, and at the same time as, the browser update check: After the browser and addon update check, a component downloads the list of known plugins and their insecure and secure versions, then compares it with the list of installed plugins. If one or several are determined to be an insecure version, a dialog pops up suggesting to install the new, secure versions, with a rationale and warning. The dialog looks similar to (or is even the same implementation as) the addon update check.

This will help the security of end users a lot, because outdated plugins are the main attack vector of security exploits right now.



Privacy and server load considerations:
Sending the full list of installed plugins and their versions would be fingerprintable and would allow Mozilla to track users. Therefore, the client should first download the whole list (currently 45 plugins) from the server and then compare on the client.
If that's really too much traffic, then the client should at least not send the installed versions of the plugins, just the names, and the server returns the insecure and secure versions of these plugins.
However, the last solution (and a server-based compare) would require the server to do processing and return individual files to each client. Sending the whole list to every client has the advantage of being a simple file serve (which is more traffic, but less CPU) and can be cached by downstream networks (e.g. proxies).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
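
The client-side comparison proposed in the report, sketched as an added example that is not part of the bug report or of Firefox's code. The list format, the field names (`secureVersion`, `latest`, `url`), the plugin names and the URLs are assumptions made up for illustration.

```javascript
// Constructed sample of the downloaded list. This shape is an assumption,
// not Mozilla's real plugin-check format; names and URLs are placeholders.
const KNOWN_PLUGINS = [
  { name: "Example Media Player", secureVersion: "12.0.1", latest: "12.0.3",
    url: "https://plugins.example/media-player" },
  { name: "Example Document Viewer", secureVersion: "4.2", latest: "4.10",
    url: "https://plugins.example/doc-viewer" },
];

// Constructed list of locally installed plugins (never leaves the client).
const INSTALLED = [
  { name: "Example Media Player", version: "12.0.0.9" },
  { name: "example document viewer", version: "4.10" },
  { name: "Unlisted Plugin", version: "1.0" },
];

// Compare dotted versions numerically, so "4.10" sorts after "4.2".
// Missing or non-numeric components count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(n => parseInt(n, 10) || 0);
  const pb = b.split(".").map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Match installed plugins against the downloaded list entirely on the client.
// Anything older than secureVersion is flagged; plugins missing from the list
// are reported separately because nothing is known about them.
function checkPlugins(installed, known) {
  const byName = new Map(known.map(k => [k.name.toLowerCase(), k]));
  const report = { insecure: [], ok: [], unknown: [] };
  for (const p of installed) {
    const entry = byName.get(p.name.toLowerCase());
    if (!entry) {
      report.unknown.push(p.name);
    } else if (compareVersions(p.version, entry.secureVersion) < 0) {
      report.insecure.push({ name: p.name, installed: p.version,
                             update: entry.latest, url: entry.url });
    } else {
      report.ok.push(p.name);
    }
  }
  return report;
}
```

Only the static list is fetched; the result of `checkPlugins(INSTALLED, KNOWN_PLUGINS)` is what would feed the update dialog.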