DuncanL wrote: But anything can be signed simply by paying the fee. There are no tests involved; a signature only proves that it was signed by the person it says signed it (and even that could be faked by using a stolen credit card). Plenty of spyware is signed.
But that's the point here - if people know they trust mozilla.org, then if something is signed by mozilla.org they know they can trust it, even when they're downloading from a random mirror with a name they don't know (or no name at all in some cases, as this guy pointed out).
There are no magic solutions (though Firefox's whitelist seems a sensible route to me - it places the burden of trust on the end user)
There aren't any magic solutions. Firefox's whitelist is a good thing, but again - that's not a security feature as such. It's based on the referring site, and doesn't tell you anything about the destination site, or who made the software.
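The trust model the two posters are circling (a signature proves who signed, nothing about whether the content is safe, and a pinned trusted signer lets you accept a file from any mirror) can be made concrete. The following Go program is an added example, not code from the thread or from any browser or download site; the publisher name "publisher.example", the mirror name "mirror.example", the seed-derived keys and the installer bytes are all constructed for the example. It pins one trusted public key in a trust store and then checks four downloads: the genuine signed file, a file a mirror altered while keeping the original signature, a file the mirror re-signed with its own key under its own name, and one where the mirror re-signed it but claimed the publisher's name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// TrustStore maps a signer name the user has decided to trust (the thread's
// "mozilla.org" case) to that signer's public key. Only keys in this map are
// accepted; the host the file was downloaded from plays no part in the decision.
type TrustStore map[string]ed25519.PublicKey

// SignedDownload is what a mirror hands back: the file bytes, a claim of who
// signed them, and a detached signature over the SHA-256 of the bytes.
type SignedDownload struct {
	Signer string
	Data   []byte
	Sig    []byte
}

var ErrUnknownSigner = errors.New("signer is not in the trust store")
var ErrBadSignature = errors.New("signature does not verify under the claimed signer's key")

// Sign produces the detached signature a publisher ships next to a file.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	digest := sha256.Sum256(data)
	return ed25519.Sign(priv, digest[:])
}

// Verify accepts the download only if the claimed signer is in the trust store
// and that signer's key verifies the signature over the delivered bytes.
// Note what it does not check: whether the signed content is benign. A valid
// signature from a trusted key says only that this key holder signed these bytes.
func Verify(store TrustStore, d SignedDownload) error {
	pub, ok := store[d.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	digest := sha256.Sum256(d.Data)
	if !ed25519.Verify(pub, digest[:], d.Sig) {
		return ErrBadSignature
	}
	return nil
}

// keyFromSeed derives a deterministic Ed25519 key pair from a label so the
// example behaves the same on every run. Constructed for this example only;
// real publisher keys are generated randomly and kept offline.
func keyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario runs the four download cases and returns each verdict by name.
func Scenario() map[string]error {
	trustedPub, trustedPriv := keyFromSeed("constructed publisher key")
	_, mirrorPriv := keyFromSeed("constructed mirror key")
	store := TrustStore{"publisher.example": trustedPub}
	installer := []byte("constructed installer bytes v1.0")
	genuineSig := Sign(trustedPriv, installer)

	results := map[string]error{}
	// 1. Genuine file with the publisher's signature, fetched from any mirror: accepted.
	results["trusted-signer"] = Verify(store, SignedDownload{"publisher.example", installer, genuineSig})
	// 2. Mirror altered the bytes but kept the publisher's original signature: rejected.
	tampered := append(append([]byte{}, installer...), []byte(" + extra payload")...)
	results["tampered-data"] = Verify(store, SignedDownload{"publisher.example", tampered, genuineSig})
	// 3. Mirror signs its own copy with its own key under its own name: the
	//    signature is valid, but nobody trusts that signer, so it is rejected.
	results["unknown-signer"] = Verify(store, SignedDownload{"mirror.example", installer, Sign(mirrorPriv, installer)})
	// 4. Mirror signs with its own key but claims to be the publisher: the name
	//    alone buys nothing, because the pinned key does not verify it.
	results["spoofed-name"] = Verify(store, SignedDownload{"publisher.example", installer, Sign(mirrorPriv, installer)})
	return results
}

func main() {
	results := Scenario()
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-15s -> %v\n", n, results[n])
	}
}
```

The decision in `Verify` depends on two things only: the signer name being in the local trust store and the pinned key verifying the bytes. That is what lets a user accept a file from an unfamiliar mirror, and it is also why DuncanL's caveat stands: if the trusted signer chooses to sign something harmful, `Verify` still returns nil.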