Following up a bit on the excellent info that Robert Johnston provided in the comments on my last post...
I'm pretty happy with the way the installer guides me through an 'in place' update - i.e. effectively cramming what amounts to a signed extension into my FF browser. That's all secure.
What I think sucks about this whole affair can be seen with the help of some photoshopping.
1) It's nice that FF makes security a priority and forces the URL of the site serving a minimized page into the title of the window. That said, I won't want to serve my spyware from:
http://woah.something.is.fishy.here.com.ALERT!!!DANGER DANGER!!!
Instead, I'll want to confuse the average computer user with lots of computer-ese:
http://update227.my.firefoxupdate.com
That's got soothing/reassuring words in it like my, update, and firefox. Plus it's a .com... what more security could anyone need ;)
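A defender-side check for exactly this hostname trick, added here as an example and not code from the original post: it flags a URL whose hostname carries reassuring brand words while its registrable domain is not one of an assumed list of official Mozilla domains. The domain list, the brand-word list and the two-label registrable-domain shortcut are all assumptions.

```python
"""Flag hostnames that borrow reassuring brand words while pointing at an
unrelated registrable domain, the pattern update227.my.firefoxupdate.com
illustrates. Hypothetical defender-side check, not the post's own code."""
from urllib.parse import urlsplit

# Assumed set of domains a genuine Firefox update could come from.
LEGIT_DOMAINS = {"mozilla.org", "mozilla.com", "getfirefox.com"}
# Assumed words that make a hostname read as trustworthy to a casual user.
BRAND_WORDS = ("firefox", "mozilla", "update", "secure", "patch")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: ignores multi-part
    public suffixes such as co.uk, which a real check would handle via the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_update_url(url: str) -> tuple[str, list[str]]:
    """Return ('legit' | 'lookalike' | 'unrelated', matched brand words).

    'lookalike' means the hostname contains brand words but its registrable
    domain is not a legitimate one: the reassuring-words trick above."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    hits = [w for w in BRAND_WORDS if w in host.lower()]
    if domain in LEGIT_DOMAINS:
        return "legit", hits
    if hits:
        return "lookalike", hits
    return "unrelated", hits


if __name__ == "__main__":
    # Constructed sample URLs: the post's hostname plus two comparison cases.
    for u in ("http://update227.my.firefoxupdate.com/install",
              "https://www.mozilla.org/firefox/releases/",
              "http://example.com/news"):
        print(u, "->", classify_update_url(u))
```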
Here's a screen cap (remember it's been photoshopped... so ignore the rough edges):
2) Now... once someone has clicked the pillage button... we WON'T be doing any type of extension, or anything else. Instead we'll prompt them to install an executable. Now... unlike IE, which will let you run .msi and .exe from the web (at least I think it does... no flaming me if it doesn't)... FF doesn't allow that. It only allows you to save them to disk.
No biggie. Again we're all about lying at this point. Imagine the following screen cap as 'Page 2' in the installer process:
Now, some things to note: I've got not only a link to the security information pertaining to this 'update', but I've also added a security warning at the bottom. WOAH, this thing is legit... it's totally secure. And if I doubt that, I just need to click on the security information link, where I'll be taken directly to the REAL FF site to be shown that: YES INDEED, there is a patch. (Think in terms of your typical phishing victim here... they're toast at this point.)
3) Finally... we now just need some BS story about why they're going to be prompted to SAVE this update, instead of having it run 'in place.' Remember... this IS ROCKET SCIENCE for lots of users...
Could we get all of them? No. Could we get most? Dunno. Could we get some? I'd IMAGINE that we could - just make sure the Installer looks like something that comes from Mozilla/FF... and hope you catch a few suckas. Even if you got... 3% of the people that clicked, I imagine that would be OOODLES more people/traffic than my site sees in a year ;)