I am a Firefox user, and I recently installed the Gmail notifier add-on. When you first install the add-on, it requests your Gmail address and password, and will then use this to log in to your Gmail account (presumably via SSL).
It shows a number on your taskbar, indicating how many unread emails are in your inbox, and also notifies you via a little modeless popup from the taskbar. This essentially turns email into a "push" medium, which is very useful as I know that I don't have to periodically check my email. I know that the GMail notifier will tell me.
This is not meant as any disrespect to the developer of the Gmail notifier, or to the authors of other similar applications. But how do I know that the application isn't harvesting email addresses and passwords, which it can then use for malicious purposes? In this day and age, an email address/password combination is analogous to a PIN for your ATM card. Most websites allow you to reset your password by simply supplying your email address and emailing you a new password; this essentially makes an email address/password combination a "skeleton key" to your entire online world.
I don't want to see applications like GMail notifier go away. What I would like to see is a more objective and transparent way for users to know that the application is doing nothing wrong. Open source applications are obviously less of a concern, but even then I wouldn't want to have to look through code to determine whether the program is doing the right thing. It can't be a subjective process, where you develop a trust for a particular author, as this is prone to abuse.
There was a case recently where an offline utility was discovered to be harvesting email addresses and passwords, and sending them to a separate email account - I can't remember the name of the application but this is the kind of thing we need to be able to prevent.
Does anyone know of any precedents for this sort of thing? Could a certification process (or something similar) be introduced?