[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org
Michael Vincent van Rantwijk, MultiZilla
mv_van_rantwijk at yahoo.com
Wed Jul 18 03:19:37 PDT 2007
Scott Grayban wrote:
> On 18/07/07, Michael Vincent van Rantwijk, MultiZilla
> <mv_van_rantwijk at yahoo.com> wrote:
>> XPI installations initiated from mozdev.org will still be vulnerable to
>> MITM attacks... when the XPI isn't *installed* originally from an SSL
>> protected server!
>> a.m.o is secure, so in that case you can get away with simply signing
>> your updates, but each new installation will still be vulnerable to MITM
>> attacks, and this will be the next step in this process... to prevent
>> you from installing XPIs from insecure http: connections.
>> Why is this so hard to understand?
>> Michael Vincent van Rantwijk
> The repercussion of using java script to update the addons.
> Firefox has been well known to be the most secure web browser out there,
> but this flaw takes FF right back to the IE stone age.
> I am just curious why Firefox would use a vulnerable procedure to
> update any addon in the first place?
Again, this is only true for mozdev.org which has no SSL to secure the
initial installation, but a.m.o does... and as such was only vulnerable
to the MITM attacks during the update checks!
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
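The point Michael is making in this thread, as an added example that is not code from the thread, from MultiZilla or from Mozilla: signing your updates only protects users whose *initial* install came over a channel the attacker could not tamper with. The script below models the two cases. A Lamport one-time signature (pure stdlib, stands in for the real add-on update signing key) is pinned at install time; an attacker who can rewrite a plain-http initial download simply ships their own key, after which their "signed" updates verify and the genuine developer's do not. Package names, version strings and the attacker/developer roles are constructed for the demonstration.

```python
import hashlib
import os

# --- Toy signature scheme (Lamport, one-time): real add-on update signing
# uses a public-key signature; this stands in for it using only hashlib. ---

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    """256 pairs of secrets; the public key is the hash of each secret."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _message_bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit. A key must sign only ONE message."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_message_bits(msg)))

# --- Install / update model -------------------------------------------------

def install(xpi: dict) -> dict:
    """The browser installs the package and pins the update key found inside it."""
    return {"code": xpi["code"], "pinned_update_key": xpi["update_key"]}

def update_accepted(installed: dict, new_code: bytes, sig) -> bool:
    """An update is applied only if it verifies under the PINNED key.
    The update check itself may travel over plain http (the situation the
    thread describes): a valid signature is what is supposed to protect it."""
    return lamport_verify(installed["pinned_update_key"], new_code, sig)

def run_scenario(initial_over_https: bool) -> dict:
    """Simulate one user. Constructed data: a hypothetical add-on and attacker."""
    dev_sk, dev_pk = lamport_keygen()   # the add-on author's signing key
    atk_sk, atk_pk = lamport_keygen()   # the MITM attacker's signing key

    genuine_xpi = {"code": b"multizilla-1.0", "update_key": dev_pk}
    # What a MITM on a plain-http download hands the browser instead:
    # attacker's code AND attacker's update key embedded in the package.
    evil_xpi = {"code": b"backdoored-1.0", "update_key": atk_pk}

    served = genuine_xpi if initial_over_https else evil_xpi
    installed = install(served)

    # Later, both parties publish a signed update. The attacker can inject
    # theirs during the (unprotected) update check in either scenario.
    genuine_code = b"multizilla-1.1"
    evil_code = b"backdoored-1.1"
    return {
        "installed_code": installed["code"],
        "accepts_genuine_update": update_accepted(
            installed, genuine_code, lamport_sign(dev_sk, genuine_code)),
        "accepts_attacker_update": update_accepted(
            installed, evil_code, lamport_sign(atk_sk, evil_code)),
    }

if __name__ == "__main__":
    for https in (True, False):
        print("initial install over", "https" if https else "http ", run_scenario(https))
```

With an https initial install the attacker's injected update is rejected and the developer's is accepted; with a plain-http initial install the roles flip, which is why signing alone is not enough for add-ons first installed from a server without SSL.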