[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 03:19:37 PDT 2007


Scott Grayban wrote:
> On 18/07/07, Michael Vincent van Rantwijk, MultiZilla
> <mv_van_rantwijk at yahoo.com> wrote:
>> XPI installations initiated from mozdev.org will still be vulnerable to
>> MITM attacks... when the XPI isn't *installed* originally from an SSL
>> protected server!
>>
>> a.m.o is secure, so in that case you can get away with simply signing
>> your updates, but each new installation will still be vulnerable to MITM
>> attacks, and this will be the next step in this process... to prevent
>> you from installing XPIs from insecure http: connections.
>>
>> Why is this so hard to understand?
>>
>> -- 
>> Michael Vincent van Rantwijk
> 
> The repercussion of using JavaScript to update the addons.
> 
> Firefox has been well known to be the best sure web browser out there
> but this flaw takes FF right back to the IE stone age.
> 
> I am just curious why Firefox would use a vulnerable procedure to
> update any addon in the first place?

Again, this is only true for mozdev.org which has no SSL to secure the 
initial installation, but a.m.o does... and as such was only vulnerable 
to the MITM attacks during the update checks!

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer


