[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 05:52:56 PDT 2007


Douglas E. Warner wrote:
> On Wednesday 18 July 2007, Michael Vincent van Rantwijk, MultiZilla wrote:
>> XPI installations initiated from mozdev.org will still be vulnerable to
>> MITM attacks... when the XPI isn't *installed* originally from an SSL
>> protected server!
>>
>> a.m.o is secure, so in that case you can get away with simply signing
>> your updates, but each new installation will still be vulnerable to MITM
>> attacks, and this will be the next step in this process... to prevent
>> you from installing XPIs from insecure http: connections.
>>
>> Why is this so hard to understand?
> 
> AMO does not provide SSL downloads for its releases either - it's in the 
> exact same boat as Mozdev.org is.
> 
> (Try for yourself - Addons hosted by AMO are served from 
> http://releases.mozilla.org/pub/mozilla.org/addons/; you won't be able to use 
> the HTTPS version).

1) start Mozilla Firefox
2) visit http://www.mozilla.com/
3) click on the link: "New! Firefox Add-ons" (SSL)
4) click on the green button with the text: "Install Now" (SSL)
5) I am on https://addons.mozilla.org/en-US/firefox/ (SSL)

So, the *initial* installation from amo *is* SSL protected, like this
https://addons.mozilla.org/en-US/firefox/addon/nnnn
Note: nnnn is the add-on number you wish to install.

p.s. see attached screen shot of software dialog clearly showing https://

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
Attachment: amo-install-crunched.png (image/png, 8299 bytes)
http://mozdev.org/pipermail/project_owners/attachments/20070718/e029419a/attachment-0001.png
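The two messages above disagree about where the SSL protection ends: the add-on page, or the XPI file itself. The script below is an added example, not code from this thread, from AMO or from mozdev.org; it implements the check a practitioner would run to settle that question for any install page. It parses the page HTML, resolves every link that points at a .xpi against the page URL, and reports whether the page *and* every XPI download use https. The sample pages are constructed for the example: the add-on page URL reuses the placeholder form from the message (nnnn is not a real add-on number), and the XPI paths under releases.mozilla.org are assumed, not taken from a real listing.

```python
"""Check whether an XPI install chain is HTTPS end to end.

Added example (not the thread's or Mozilla's code). The point it shows: an
install page served over https:// does not protect the install when the
"Install Now" link resolves to an http:// XPI, because the XPI is what the
browser actually fetches and runs. Runs offline on constructed HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def xpi_links(page_url, html):
    """Return absolute URLs of all links on the page whose path ends in .xpi.

    Relative and protocol-relative hrefs are resolved against page_url, so a
    link like "//releases.example/x.xpi" inherits the page's scheme.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).path.lower().endswith(".xpi"):
            links.append(absolute)
    return links


def check_install_chain(page_url, html):
    """Report the scheme of the page and of each XPI it offers.

    end_to_end_https is True only when the page is https, at least one XPI
    link was found, and every XPI link is https as well.
    """
    page_https = urlsplit(page_url).scheme == "https"
    xpis = [(url, urlsplit(url).scheme == "https") for url in xpi_links(page_url, html)]
    end_to_end = page_https and bool(xpis) and all(ok for _, ok in xpis)
    return {"page_https": page_https, "xpis": xpis, "end_to_end_https": end_to_end}


# Constructed sample 1: https page, but the install link points at plain http.
PAGE_URL = "https://addons.mozilla.org/en-US/firefox/addon/nnnn"  # placeholder id
PAGE_HTTP_XPI = """
<html><body>
<h1>Example Add-on nnnn</h1>
<a class="installer" href="http://releases.mozilla.org/pub/mozilla.org/addons/nnnn/example.xpi">
  Install Now</a>
</body></html>
"""

# Constructed sample 2: same page, install link is protocol-relative, so it
# inherits https from the page and the chain is protected end to end.
PAGE_HTTPS_XPI = """
<html><body>
<a href="//releases.mozilla.org/pub/mozilla.org/addons/nnnn/example.xpi">Install Now</a>
</body></html>
"""


def summarize(page_url, html):
    """Human-readable verdict for a page; returns the same dict it prints."""
    result = check_install_chain(page_url, html)
    print("page:", page_url, "(https)" if result["page_https"] else "(http)")
    for url, ok in result["xpis"]:
        print("  xpi:", url, "OK" if ok else "PLAIN HTTP - MITM exposure")
    print("  end-to-end https:", result["end_to_end_https"])
    return result


if __name__ == "__main__":
    summarize(PAGE_URL, PAGE_HTTP_XPI)
    summarize(PAGE_URL, PAGE_HTTPS_XPI)
```

Running it against a live page would mean fetching the HTML first; the check itself is the same. Note that it only inspects where the browser would be sent; it says nothing about whether the XPI is signed, which is the separate protection discussed for updates.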

