Originally Posted by Imouto
Mozilla signs the add-ons. You can spoof the site all you want, and however you download it, it wouldn't work anyway. That is precisely why they sign them.
You would need the private key held by Mozilla or to hijack the browser distribution, which is quite different from the walk in the park you presented as how easy it would be to distribute counterfeit add-ons.
Oh, please. Deflecting already? I never denied Mozilla screwed it up royally here. It is you who's wrong about the certificates.
Now that this is out of the way, I wouldn't use your method because you obviously have no idea what you're talking about.
You don't need the key; you only need to get your addon to the store and get it signed. It's not so hard to hide malicious code in an otherwise well-behaved addon.
Not deflecting, only asking what other browsers bother with certification-signed addons.
It's not my method; all the links and source are there. It does resolve Mozilla's fiasco, and they can't even give it to users themselves; users have to figure out on their own how to fix their mess.
Originally Posted by Darren9
It requires you to fully audit the code or blindly trust the developer. I trust Mozilla far more than I trust some random dev with a couple of plugins he made one weekend.
So you trust some random dev with a couple of plugins he made one weekend that were signed by Mozilla? XD
Just because it's signed and all doesn't mean it's 100% clean and safe. As if Mozilla will read every source code line of every addon before signing it; they would still be reading in the year 3000. Some automated checks at best. To make this "easier" they force-removed a lot of features from the API that addons could use (infamous Quantum nonsense) and annoyed all developers of addons and users.