Be careful with your Safari Extensions

My Macworld compadre Lex Friedman on Safari extensions:

Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.

Lex raises an excellent point (plus, he got fireballed!), but I would argue that explicit update notifications would not make extensions any more secure.

First, there is nothing that prevents an extension from advertising itself as harmless and get nasty with your computer behind the scenes, updates or not. In other words, it’s not the updates that make an extension insecure. Second, in my experience users will blindly click on just about anything that stands between them and doing whatever it is that they want to do. I’ll be the first one to honestly say that I cannot remember the last time when I read all the release notes that came with an update or any kind¹. Besides, even then, what guarantee do I have that the developer is telling the truth? In the end, it all boils out to whether you trust whoever issues the update or not.

Not all is lost, however. In order to be installed, extensions need to be signed using a digital certificate, which is issued by our friends at Apple to every developer who wants to distribute extensions. Without a certificate, extensions will not install  There is a good reason behind this: if an extension were found to be disruptive or malicious, Apple can simply revoke that developer’s digital certificate and effectively yank the extension from under the feet of every single user that has installed in one fell swoop. This won’t prevent a malicious update, but it will certainly stop one².

To me this approach is far, far superior to the corresponding update mechanism in Firefox, which takes the geek approach, believes that people will know what they’re doing and notifies them that an update is about to take place. But most people don’t know what they’re doing and, once something is installed on your machine, you’re on your own.

Personally, I’m on the fences as to whether the fact that Safari updates extensions silently is good or bad—I think that notifications would be useful, but ultimately pointless. However, I think the right question to ask is: will Apple act swiftly enough to prevent an extension that is proven to be malicious from becoming a problem?

⇥ What antenna problem?

It took six hours of standing in line on an uncharacteristically cold summer night¹, but I finally have an iPhone 4, which means that I can tell you the truth about the antenna problem: I have no idea what these people are talking about.

I live in an area where my provider has reasonably good signal, with four bars on both my old 3G and the new handset. As shown countless times by countless talking heads on countless media outlets, if i touch one of the black gaps on the side of the phone, the number of bars decreases to two, but I haven’t noticed any degradation in either data rates or voice in day-to-day usage. In areas where there is less signal (like, ironically, my local Apple Store), I can make the signal go down to a single bar or no bars, though this still doesn’t affect my ability to make phone calls in a manner that is substantially different from my old phones; in other words, I honestly can’t see any difference and, had there not been so much noise made about this issue, I likely would have never noticed.

It almost looks like the press has latched on to this problem—in my eyes completely irrelevant—and keeps picking at it the way one picks at a scab that’s healing. It’s the itch that some people just don’t seem to be able to let go of and, frankly, it seems like a pretty small problem to be so worked up about.

Now, if the press really had wanted something to complain about, they certainly could have spent a few words on the way Apple has handled the launch of the iPhone 4. It’s been a complete disaster, at least here. Far from being the smooth even that one would have expected from a company that, say, has launched three of these before, the whole affair bordered on the ridiculous: Apple’s website had no information until the morning of the launch and, were it not for press leaks and a small sign that appeared at the entrance of the stores in the days before the launch, there was no official confirmation that a phone was coming on July 30th, or what the pricing would be. To top it off, the Rogers activation system was down most of the morning—because, you know, it’s not like they were handling a major launch or anything.

I can’t speak for what happened south of the border, but based on what my friends told me, things weren’t that much smoother there, either—particularly for those decided to forego pre-orders and stood in line so that they could get their handset early on the morning, only to find out that many of those who had pre-ordered theirs had, in fact, received the phone the day before the official launch.

Of course, one can say that it’s just a hiccup. Or—excuse me while I laugh—that the company was so overwhelmed by demand that it couldn’t handle the load. But, honestly, who buys that? An organization like Apple isn’t “caught off-guard,” and certainly not twice in a row². This is a publicity move, pure and simple. Apple wants the big lines and the impression of tight supply to drive media coverage—and, of course, the latter laps it up without ever questioning how a multi-billion dollar company can’t seem to launch their flagship product in a way that doesn’t upset so many customers³.

This said, the iPhone 4 is a beautiful device. The construction feels solid—dense, even, as if you’re holding a device that is packed to the gills and has absolutely no empty space inside. The screen, as advertised and widely reported is that good. Pictures look like they have been painted on the glass, rather than being generated by a screen underneath it. And speed, especially coming from a 3G, is quite simply amazing. The phone itself seems to have improved considerably: I no longer have trouble having a conversation with someone on my home line, which probably precedes the discovery of America and therefore tends to attenuate the signal slightly, and the Prius’s Bluetooth handsfree no longer sounds like the Hypnotoad while undergoing a colonoscopy while I wait for a call to engage. Oh, and FaceTime is loads of fun, too.