[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 01:41:38 PDT 2007


XPI installations initiated from mozdev.org will still be vulnerable to 
MITM attacks... when the XPI isn't *installed* originally from an SSL 
protected server!

a.m.o is secure, so in that case you can get away with simply signing 
your updates, but each new installation will still be vulnerable to MITM 
attacks, and this will be the next step in this process... to prevent 
you from installing XPIs from insecure http: connections.

Why is this so hard to understand?

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer


