
Comment Re:Yes (Score 1) 293

You are clueless. Nothing about a digital signature system requires encryption. "Cryptography" refers to the broader field that encompasses the topic under discussion. Part of that field deals with digital signatures. These provide authenticity: i.e., proof that a message is actually from who it's purported to be from. Encryption is another, different part of the same field. It concerns providing confidentiality that prevents a message being observed. Another field is the study of digest algorithms, including keyed hashes. These provide integrity: i.e., proof that a message has not been tampered with. These are all separate and distinct areas, and you are conflating them. A keyed hash is not a digital signature system.

Comment Re:Yes (Score 1) 293

simply force the user to re-approve all plugins

Do that when the signature doesn't match. No need for encryption.

The only thing that's important here is ensuring that the browser, on behalf of the user, is the only one that can write the manifest to disk. There's no harm in other applications reading the state of the manifest

And that's *precisely* why encryption is pointless here: it provides confidentiality and nothing else, and we've already established that the plugin list is not confidential.

Comment Re:Yes (Score 5, Insightful) 293

My interpretation was in the spirit of intellectual charity, not arrogance; i.e., I gave you the benefit of the doubt, employing the only interpretation that makes any sense.

Encryption without authentication is worthless. Either you're using symmetric encryption and you make the user enter the password every time the browser wants to read the plugin list (or worse, store the key on disk), or you're using asymmetric encryption and creating a message that can be decrypted by a given public key is simple.

Encryption *and* authentication is pointless in this case because the browser needs to be able to decrypt plugin information at all times using only information in persistent storage. Encryption does not provide any security properties in this context.

So we're left with authentication itself being the task at hand, which I assumed is what you meant. But instead of having an adult conversation about the issue, you have a temper tantrum. I'm through.

Comment Re:Yes (Score 5, Insightful) 293

Encrypt the list of enabled plugins with a user password

"Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.

At all times, the browser would store the list of enabled plugins and sign it with the encrypted private key. Nobody can generate a valid signature for a list of enabled plugins without the password, and the browser will not use a plugin list unless it comes with a valid signature.

All this is fine as far as it goes, but it'll only work until our malicious plugin installer patches the browser binary and makes it skip the key check; the malware could also replace both the public and the private key with replacements of its choosing. Either way, the user may or may not eventually notice that something is wrong, but if he does, it probably won't be for a while, and he probably won't be able to track the malfunction back to the evil installer.

Malware vendors can also wait for the user to type his password when installing a different plugin, then use that password to generate a valid signature for a plugin list that includes anything desired.

The moral is that applications still need to be sandboxed. They're not protected from each other. Without OS-level protection, applications can do horrible things (often without needing elevated privileges at all). Half-measures aren't the answer.
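The signing scheme described in the comment above, as an added sketch that is not part of the original comment and not any browser's code. It assumes Node.js's built-in `crypto` module with Ed25519 keys; the function names and the `pinnedFingerprint` parameter (a key hash assumed to live where other applications cannot write) are hypothetical.

```javascript
// Added example: a signed plugin manifest using only Node.js built-ins.
const crypto = require('node:crypto');

// Canonical bytes to sign: the sorted plugin names as JSON.
function encode(plugins) { return JSON.stringify([...plugins].sort()); }

// Hash of the public key, for comparison with a copy held outside the profile.
function fingerprint(publicKeyPem) {
  return crypto.createHash('sha256').update(publicKeyPem).digest('hex');
}

// Changing the list requires the password, which unlocks the signing key.
function approve(state, plugins, password) {
  const key = crypto.createPrivateKey({ key: state.encryptedPrivateKey, passphrase: password });
  const manifest = encode(plugins);
  const signature = crypto.sign(null, Buffer.from(manifest), key).toString('base64');
  return { ...state, manifest, signature };
}

// Install time: generate the keypair; the private key is only ever stored
// password-encrypted, the public key in the clear. Start with an empty list.
function install(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                          cipher: 'aes-256-cbc', passphrase: password },
  });
  return approve({ publicKey, encryptedPrivateKey: privateKey }, [], password);
}

// Startup: verification needs no password and no decryption. The manifest
// itself stays readable by anyone; only its authenticity is checked.
function loadPlugins(state, pinnedFingerprint) {
  // Without a pinned fingerprint the check trusts whatever key sits on disk,
  // so any state that is merely self-consistent will pass.
  if (pinnedFingerprint && fingerprint(state.publicKey) !== pinnedFingerprint) return null;
  const ok = crypto.verify(null, Buffer.from(state.manifest), state.publicKey,
                           Buffer.from(state.signature, 'base64'));
  return ok ? JSON.parse(state.manifest) : null; // null: force re-approval
}

// Constructed sample run.
const demo = approve(install('sample-password'), ['adblock', 'notes'], 'sample-password');
console.log(loadPlugins(demo));                                   // accepted list
console.log(loadPlugins({ ...demo, manifest: encode(['evil']) })); // rejected edit
```
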

Comment Re:Yes (Score 3, Insightful) 293

This approach is doomed.

The browser has to somewhere remember that a user approved an extension. It does this by writing state to disk. A malicious extension installer can simply modify this saved state to make the browser think the user installed and approved the payload. The same goes for a startup message advertising extensions that have been installed since the last browser run.

You can't win this fight without OS involvement. The correct solution is application-level sandboxing, which quite a few people are working on.

Comment Re:Rebels leading the charge! Freedom fighters uni (Score 2, Insightful) 376

Blame? Who said anything about blame? Moralizing and pointing fingers doesn't accomplish anything. I don't begrudge the rich for taking advantage of their access to the levers of power. Human nature is immutable.

Ideally, we'd align incentives so that actions taken in self interest benefit all. Unfortunately, we don't have that incentive structure today. If we want to remedy that situation, we need to convince or force those currently in power to be more egalitarian; it just so happens that the people in power today (as is usually the case) are the ultra-wealthy.

Comment Re:Rebels leading the charge! Freedom fighters uni (Score 1) 376

Another point is to consider the efficient market hypothesis and the relative competence of people. If our system allocated resources efficiently, then the variance in personal incomes should match the variance of intrinsic talent. Consider software development: this field is highly unusual because some people can be an order of magnitude more productive than others.

In most fields, the gap is far smaller. Yet income disparity in the United States is on the order of tens of orders of magnitude. The difference between the theoretical and actual figures can only happen if rent seeking is occurring: that is, that income disparity is so severe is a strong indicator that our market system, instead of being free, fair, and efficient, is actually corrupt.

Comment Re:Rebels leading the charge! Freedom fighters uni (Score 5, Interesting) 376

Your class-baiting, "the pie can never grow, so the only way for anyone to enter the middle class is to take money from somebody else" clap-trap is embarrassingly juvenile.

The pie is growing, but the wealthy are taking the vast majority of the increase:

In recent years, the statistics regarding income disparity in America have been startling. After-tax annual income for the bottom fifth of American households inched up just 6 percent from 1979 to 2005, according to the Congressional Budget Office. During that time, income for the middle fifth of households grew by a modest 21 percent, with much of that gain caused by women in many households working more hours. Over that same period, income for the top fifth of households jumped by an impressive 80 percent, while income for the top 1 percent more than tripled, soaring by 228 percent.

The wealth disparity itself is a problem, but worse is the corrosive effect this wealth has on our political structure: those with money and influence are increasingly able to purchase government policies that further increase their share of the pie even at the expense of the total size of the pie. It's a positive feedback loop: more wealth leads to more power, and more power leads to greater wealth. This feedback is why I'm so dour about our prospects: the cycle seems impossible to break.

The little things we agitate about today: censorship, abuse of copyright, overzealous airport security, our foreign wars, the loss of our manufacturing jobs, are all caused by the increasing ability of the wealthy to pervert government to work in their favor. When power is concentrated in a few hands, the result is inevitably selfish exercise of that power and poor outcomes.

Comment Re:Rebels leading the charge! Freedom fighters uni (Score 5, Insightful) 376

I'm impressed: I couldn't squeeze that many fallacies into the same sentence if I tried. You're arguing that poor people aren't productive, and that the welfare state, with its progressive taxation, is "slavery"? You're really arguing that people who make millions would be less "productive" if taxed at a higher rate? If you're posting on Slashdot, it's exceedingly likely that you are not wealthy enough for our current plutocratic policies to work in your favor.

You illustrate my point perfectly: you've been convinced by the propaganda of the ultra-wealthy and their lapdogs to argue (and presumably, vote) against your own economic interests and damn our country in the process.

Comment Re:Rebels leading the charge! Freedom fighters uni (Score 1, Redundant) 376

I'm afraid you're right. The maldistribution of income in the United States is now worse than it was in the 1920s before the crash, worse than it was for most Latin American countries during their "banana republic" phases, and worse than it was for the Weimar Republic. A disgusting excess of wealth accumulated at the top has distorted our political system, making government insensible to the needs of the common people. This Internet censorship is just a tiny example of the ongoing decay of our society. Growing corruption and socioeconomic leads to civil unrest, and eventually, a violent revolution.

Revolutions are not pretty things. While there have been a few good outcomes (e.g., the American Revolution), the vast majority of post-revolutionary governments end up being oppressive theocracies (Iran [a perversion of the original intent]), violent tyrannies (France, the Bolsheviks), or fascist nightmare states (Germany, Italy, Spain). All were belligerent, and all led to war.

In the 1930s, we dodged lightning. FDR was a visionary who managed to head off a growing revolutionary movement by using public works programs, social security, and the rest of the "new deal" to improve the life of the common man. If we'd elected another Hoover, we would have most likely had a fascist revolt.

Today, we're not so lucky, and we have all the ingredients for a political hellstorm: severe and ostentatious socioeconomic inequality; rampant corruption in all branches of government; a climate of anti-intellectualism; and millions of angry, ignorant, and powerless people eager to hang their hats on whatever demagogue gives them the best scapegoat and massages their egos to his (or her) greatest advantage. It's a powder keg.

The revolution may not come tomorrow, next week, or next year, but barring a political miracle, it is coming. And when it does, the most reactionary, unstable, and angry elements of our society will control a military more powerful than the rest of the world combined and enough nuclear weapons to turn every city in the world to glass that glows in the dark. Napoleon and the fascist states of the mid-20th century had nothing on our power. God help us, and God help the world.

Comment Injunctions, not seizures, are the right mechanism (Score 2, Informative) 529

The mechanism to accomplish what you state is called an injunction. If party A is doing something that harms party B and the cessation of the activity cannot wait until trial, party B asks a judge to issue a temporary injunction. A and B show up in court, and if the judge believes B, he orders A to stop under penalty of contempt of court.

That's how due process is supposed to work. Note that both parties have their say. What the DHS did is not due process.

Comment Re:UAC != Security Boundary (Score 1) 303

It looks like a security boundary, acts like a security boundary, and smells like a security boundary. It is a security boundary as far as application developers and users are concerned. Even the terminology involved -- "elevation", "integrity level", and so on -- suggests this interpretation. Claiming after the fact that "it was never intended as a security boundary" is just an exercise in weasel wording.

UAC isn't there because we want to deal with it. If it isn't a security boundary, what's the goddamned point? If there are known holes MS refuses to fix, black hats will use these holes, and you might as well turn UAC off and avoid the inconvenience.
