
Great question!

I think you'll need to review whatever method Firefox uses to flag what extensions the user approved.

In general, the OS provides different ways to store data in an encrypted manner so that only your application can read it back. (Keychain on Mac, and DPAPI on Windows.)

Furthermore, modern OSes provide sandboxing so that your application cannot be tampered with. I'm not sure if Firefox uses this.

Also, if you're able to figure out how to hide a private key (perhaps in the Keychain or via DPAPI), you can then use things like digital signatures to know what the user really allowed, and know if your approval mechanism was tampered with.

Granted, these mechanisms aren't foolproof... They just make it harder for malware to see things it shouldn't.




AFAIK DPAPI is basically encryption with a key specific to the current user, not the application. So a malicious application can easily replicate that process.
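
A sketch of the tamper check discussed in this thread, added here as an example and not taken from either comment or from Firefox: the approval list is stored with an integrity tag and rejected if the tag no longer matches. It uses HMAC-SHA256 from the standard library in place of a digital signature, since the same application both seals and verifies. The record layout, function names and `DEMO_KEY` are assumptions; the check is only as strong as the protection of the key in the OS secret store.

```python
import hashlib
import hmac
import json

# Constructed sample key. Assumption: the real key would be fetched at runtime
# from the OS secret store (Keychain or DPAPI), never hard-coded.
DEMO_KEY = bytes(range(32))


def canonical(approvals):
    """Serialize the approval list deterministically so the MAC is stable."""
    records = sorted(approvals, key=lambda a: a["id"])
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def seal(approvals, key):
    """Return the record to store: the approvals plus a MAC over them."""
    tag = hmac.new(key, canonical(approvals), hashlib.sha256).hexdigest()
    return {"approvals": approvals, "mac": tag}


def verify(record, key):
    """True only if the approvals are exactly what was sealed with this key."""
    try:
        data = canonical(record["approvals"])
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the match position through timing.
        return hmac.compare_digest(expected, str(record["mac"]))
    except (KeyError, TypeError):
        return False  # missing or malformed fields count as tampering


def trusted_extensions(record, key):
    """Fail closed: nothing is treated as approved if the check fails."""
    if not verify(record, key):
        return []
    return [a["id"] for a in record["approvals"]]


if __name__ == "__main__":
    # Constructed sample data.
    record = seal([{"id": "notes@example.invalid", "version": "1.2"}], DEMO_KEY)
    print(trusted_extensions(record, DEMO_KEY))
    record["approvals"].append({"id": "unapproved@example.invalid", "version": "9"})
    print(trusted_extensions(record, DEMO_KEY))
```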



