[acdha]

Microsoft already disproved this belief with Window’s UAC mechanism. Unless you have an unusually savvy user-base, you have to assume that a non-trivial percentage of people will approve any prompt which is claimed to give music, games, coupons, porn, etc.

Just to illustrate how unworkable this is currently, Facebook had to include a huge warning in the developer console telling you not to XSS yourself because people would follow instructions to open the developer tools and paste in a blob of JavaScript: https://www.facebook.com/help/246962205475854

[Lawtonfogle]

In which case they will also download and run SomethingSagaCheats.exe without second thought. Should Firefox disable exe downloads without a setting to turn them on? What about users who download SomethingSagaCheats.jpg and rename it to exe before running? We should disable all downloads then, no?

In general I do not like restricting rights to protect people. Now Mozilla is no government, but the same basic idea is going on here. Removing (instead of disabling or discouraging) features in the name of safety. At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.

[userbinator]

give them the resources to educate themselves

Exactly. Instead of encouraging an environment of healthy suspicion and "I don't know what this does, maybe I should find out more first; else I shouldn't run it" type of attitude, we've gotten into a situation where people are seemingly loathe to educate themselves - and have been conditioned to trust whatever some piece of software says about whether something is malware or not.

As this comment a few days ago mentions:

https://news.ycombinator.com/item?id=9032087

Exposure to malware helps build the "immune system" in users. This is similar to the biological concept too:

http://en.wikipedia.org/wiki/Hygiene_hypothesis

[danielweber]

I appreciate your desire to improve user security, but it is a huge uphill battle, and many things that you imagine will help will just make users switch to something that nags them less.

Teaching users to be safe -- assuming that's possible -- is a battle that has to be won in very very small steps.

[Lawtonfogle]

>make users switch to something that nags them less.

Or perhaps even worse, conditions them to bypass any nags automatically without thought as to if they should or not.

[acdha]

> At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.

If you follow the Mozilla security blogs, they've spent the last couple of years removing the ability of not-quite-malware to alter the browser without both the user opting-in and having an easy way to disable anything if they change their mind. That doesn't stop outright malware but it removes one of the legal fig-leaves which ad-ware vendors rely on and exactly supports your stated goal above by allowing a user to learn how to manage add-ons and remove something annoying without having their decision reset by the adware.

The real problem, however, is that it's currently fantasy to assume that any has enough information to make these decisions because a) the permissions models are still basically all-or-nothing and b) the halting problem has not yet been solved. Unfortunately, it's not just a question of tweaking the permissions models – as Android has shown, all that does is train users to approve blindly because every single app requests access to just about everything. That's not something we can fix overnight because it involves both things like better permissions models and changing the structure of the environment to be closer to something like WebIntents where many classes of add-on are only executed in response to specific user actions.

Until we reach that promised land, however, I don't see the big deal to Mozilla requiring you follow a free signing process for an extension so add-ons can easily be killed if needed and publishing something deceptive will require you to burn a developer account. It's not like they're talking about anything based on the content of the add-on.