[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Scott Grayban sgrayban at gmail.com
Wed Jul 18 02:21:22 PDT 2007


On 18/07/07, Michael Vincent van Rantwijk, MultiZilla
<mv_van_rantwijk at yahoo.com> wrote:
> XPI installations initiated from mozdev.org will still be vulnerable to
> MITM attacks... when the XPI isn't *installed* originally from a SSL
> protected server!
>
> a.m.o is secure, so in that case you can get away with simply signing
> your updates, but each new installation will still be vulnerable to MITM
> attacks, and this will be the next step in this process... to prevent
> you from installing XPIs from insecure http: connections.
>
> Why is this so hard to understand?
>
> --
> Michael Vincent van Rantwijk

The repercussion of using JavaScript to update the addons.

Firefox has been well known to be the best sure web browser out there
but this flaw takes FF right back to the IE stone age.

I am just curious why Firefox would use a vulnerable procedure to
update any addon in the first place?
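The thread above makes two separate points: an update can be protected by a hash or signature carried in a manifest, but a first-time install has no prior trust anchor, so only the transport (HTTPS) protects it. The following is an added example, not code from the mailing list or from Mozilla; it models those two checks with a constructed manifest dictionary (the field names `update_link`, `update_hash` and the `manifest_verified` flag are assumptions, not Firefox's update.rdf schema), and the XPI bytes are constructed sample data.

```python
"""
Policy check for extension installs and updates (added example).

- A first install is accepted only over https: nothing installed yet can
  vouch for the download, so an on-path attacker who can rewrite plain
  http traffic could substitute the package.
- An update is accepted if it is fetched over https, or if a trustworthy
  manifest (fetched over https or carrying a verified signature) gives a
  sha256 hash that matches the downloaded bytes.
"""
import hashlib
import hmac
from urllib.parse import urlparse


def is_https(url: str) -> bool:
    """True only for an absolute https URL with a host component."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_initial_install(install_url: str) -> tuple:
    """First install: transport security is the only available protection."""
    if not is_https(install_url):
        return False, "initial install must be fetched over https"
    return True, "ok"


def check_update(manifest: dict, xpi_bytes: bytes, manifest_verified: bool) -> tuple:
    """
    Update: accept if the package link is https, or if a verified manifest
    carries a sha256 hash matching the bytes.  `manifest_verified` is an
    assumed flag meaning the manifest itself came over https or its
    signature was checked; a hash in an unauthenticated manifest proves nothing.
    """
    link = manifest.get("update_link", "")
    expected = manifest.get("update_hash")  # assumed format "sha256:<hex>"

    if is_https(link):
        return True, "ok"
    if expected is None:
        return False, "http update without a hash cannot be trusted"
    if not manifest_verified:
        return False, "hash comes from an unauthenticated manifest"

    algo, _, digest = expected.partition(":")
    if algo.lower() != "sha256" or not digest:
        return False, "unsupported or malformed hash entry: %r" % expected
    actual = hashlib.sha256(xpi_bytes).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the digest
    if not hmac.compare_digest(actual, digest.lower()):
        return False, "update hash mismatch"
    return True, "ok"


# Constructed sample data for a stand-alone run (not a real extension).
SAMPLE_XPI = b"PK\x03\x04constructed-xpi-bytes-for-demo"
SAMPLE_MANIFEST = {
    "update_link": "http://downloads.example.invalid/sample.xpi",
    "update_hash": "sha256:" + hashlib.sha256(SAMPLE_XPI).hexdigest(),
}


def demo() -> dict:
    """Run the checks over the constructed cases and return the verdicts."""
    return {
        "install_http": check_initial_install("http://downloads.example.invalid/sample.xpi"),
        "install_https": check_initial_install("https://downloads.example.invalid/sample.xpi"),
        "update_ok": check_update(SAMPLE_MANIFEST, SAMPLE_XPI, manifest_verified=True),
        "update_tampered": check_update(SAMPLE_MANIFEST, SAMPLE_XPI + b"!", manifest_verified=True),
        "update_unverified_manifest": check_update(SAMPLE_MANIFEST, SAMPLE_XPI, manifest_verified=False),
        "update_http_no_hash": check_update({"update_link": "http://x.invalid/a.xpi"}, SAMPLE_XPI, False),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-28s %s  (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The split between the two functions is the point of the example: `check_update` can fall back on a hash because something already installed can carry the trust needed to validate the manifest, while `check_initial_install` has nothing to fall back on and must reject plain http.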
