
Sandboxing is great for the typical user.

But we should never stop demanding that we can install our own certificate roots for signed binaries to verify against, and that users are allowed to make their own decisions about allowing access outside the box (if they think they are capable).



Honestly, this should be requirement #1 in every system. Give the user an easy (but not easily exploitable, of course) way to unlock the system.


Sandboxing only helps so much. You can run a browser extension in a sandbox that defrauds advertisers.


A fresh verified binary (including all extensions) can be loaded into the sandbox each time the user opens the browser, so the infection would be limited to the current session only.


The sandboxing problem is not infecting people with binaries they don't want. It's a social attack where users install Bonzi Buddy style addons that have both wanted and unwanted behavior. Or people just clicking yes to download that video viewer software, etc. Because, in the end, all sandboxing does is buy you a popup which people are trained to click on.


What about a sandbox where all programs that came from the internet were locked in except for verified binaries. Then make it difficult to add new certificates, like require the user to enter a password (perhaps different from their login). Have Microsoft say no program should require this, and as long as they do a decent job of adding certificates themselves most users will not even bother learning how to.


For those users, I guess we'd hope they don't install their own certificates and Microsoft/Apple/Google/Canonical can invalidate the Bonzi Buddy certificates for bad behavior.

You're right that it's a difficult problem and probably unsolvable but IMO that doesn't mean we can't reduce it to much less than it is currently.
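The policy sketched in the two comments above (downloaded programs stay confined unless their signature verifies against a root the user installed, adding a root needs a separate unlock password, and a vendor can revoke a root for bad behaviour) as a small added model in Go. This is not code from any of the commenters; the Ed25519 signing, the SHA-256 password check and the "allow"/"sandbox" verdicts are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// TrustStore: user-controlled signing roots, roots pulled for bad behaviour,
// and the hash of the unlock password that gates changes to the roots.
type TrustStore struct {
	Roots      map[string]ed25519.PublicKey // keyed by fingerprint
	Revoked    map[string]bool
	unlockHash [32]byte // plain SHA-256 stands in for a real password KDF
}

func NewTrustStore(unlockPassword string) *TrustStore {
	return &TrustStore{Roots: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{},
		unlockHash: sha256.Sum256([]byte(unlockPassword))}
}

func Fingerprint(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// AddRoot succeeds only with the unlock password (distinct from the login).
func (s *TrustStore) AddRoot(pub ed25519.PublicKey, password string) bool {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], s.unlockHash[:]) != 1 {
		return false
	}
	s.Roots[Fingerprint(pub)] = pub
	return true
}

// Revoke models the OS vendor invalidating a root for bad behaviour.
func (s *TrustStore) Revoke(pub ed25519.PublicKey) { s.Revoked[Fingerprint(pub)] = true }

// Admit decides where a downloaded binary runs: "allow" only when the signature
// verifies against a stored, unrevoked root; everything else stays in the sandbox.
func (s *TrustStore) Admit(binary, sig []byte, signer ed25519.PublicKey) string {
	fp := Fingerprint(signer)
	root, known := s.Roots[fp]
	if !known || s.Revoked[fp] || !ed25519.Verify(root, binary, sig) {
		return "sandbox"
	}
	return "allow"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewTrustStore("unlock-me")
	bin := []byte("constructed binary image") // constructed sample, not a real program
	fmt.Println(s.AddRoot(pub, "wrong"), s.AddRoot(pub, "unlock-me")) // false true
	fmt.Println(s.Admit(bin, ed25519.Sign(priv, bin), pub))           // allow
	s.Revoke(pub)
	fmt.Println(s.Admit(bin, ed25519.Sign(priv, bin), pub)) // sandbox
}
```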



