Security

Security means two things for the Outfoxed extension. First, can it (or its helper applications) be exploited to harm users? And second, how safe is the user's data from tampering?

In answer to the first question, all that can be said is that attempts were made to make the system secure. For example, HTML from user reports is severely filtered before it is displayed in the sidebar, to prevent JavaScript in a report from being run in a privileged context. And of course, the MDDB only listens to requests originating on the same machine on which it is being run.

The answer to the second question is, unfortunately, that a user's data is not very safe at the moment. (Or rather, it is safe only in that it is not popular enough to have attracted the attention of would-be attackers.) The core problem is that the MDDB will listen to any application. So if an attacker were able to install a program on a user's machine, the program could modify the contents of the MDDB at will. False reports and informers could be added, for example.

The solution is to use the same public-key security measures which are planned for Outfoxed web security: the MDDB maintains a list of the public keys of applications which it will listen to, and performs a challenge-response protocol with any application wanting to modify (or retrieve?) data.
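
An added example (not Outfoxed code) of the challenge-response check described above, written in Go with Ed25519 signatures as an assumed algorithm; the `Gate` type, the application name and the request string are hypothetical. It goes one step beyond the text by having the application sign the nonce together with the request, so a response authorizes only that one modification.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Gate is a hypothetical stand-in for the MDDB's write-access check.
type Gate struct {
	trusted map[string]ed25519.PublicKey // application name -> registered key
	pending map[string][]byte            // application name -> unanswered nonce
}

func NewGate() *Gate { return &Gate{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Trust registers an application's public key (done once, at install time).
func (g *Gate) Trust(app string, pub ed25519.PublicKey) { g.trusted[app] = pub }

// Challenge returns a fresh random nonce; unregistered applications get none.
func (g *Gate) Challenge(app string) ([]byte, error) {
	if _, ok := g.trusted[app]; !ok {
		return nil, fmt.Errorf("%q is not in the trusted key list", app)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	g.pending[app] = nonce
	return nonce, nil
}

// Authorize verifies a signature over nonce||request; the nonce is single-use.
func (g *Gate) Authorize(app string, request, sig []byte) bool {
	nonce, ok := g.pending[app]
	if !ok {
		return false
	}
	delete(g.pending, app) // consumed even on failure, so a response cannot be replayed
	return ed25519.Verify(g.trusted[app], append(nonce, request...), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	g, req := NewGate(), []byte("add-report example.org") // constructed sample request
	g.Trust("sidebar", pub)
	nonce, _ := g.Challenge("sidebar")
	sig := ed25519.Sign(priv, append(nonce, req...))
	fmt.Println(g.Authorize("sidebar", req, sig), g.Authorize("sidebar", req, sig)) // true false
}
```

The private key still has to be kept where other local programs cannot read it; a program that can read the trusted application's key file can answer the challenge as well as the application can.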

[TODO: more needed. And separate page for challenge-response/public key stuff.]