[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Scott Grayban sgrayban at gmail.com
Wed Jul 18 02:26:37 PDT 2007

On 18/07/07, Scott Grayban <sgrayban at gmail.com> wrote:
> On 18/07/07, Michael Vincent van Rantwijk, MultiZilla
> <mv_van_rantwijk at yahoo.com> wrote:
> > XPI installations initiated from mozdev.org will still be vulnerable to
> > MITM attacks... when the XPI isn't *installed* originally from an SSL
> > protected server!
> >
> > a.m.o is secure, so in that case you can get away with simply signing
> > your updates, but each new installation will still be vulnerable to MITM
> > attacks, and this will be the next step in this process... to prevent
> > you from installing XPIs from insecure http: connections.
> >
> > Why is this so hard to understand?
> >
> > --
> > Michael Vincent van Rantwijk
> The repercussion of using JavaScript to update the addons.
> Firefox has been well known to be the best sure web browser out there
> but this flaw takes FF right back to the IE stone age.

Oops, typo... should read "secure web browser".
