[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 06:09:21 PDT 2007

Pete Collins wrote:
>> and the one most easily supported without requiring developers get 
>> code-signing certs.
> If you are serious about security and your extension/add-on, then you 
> would get a code signing cert.
> The best protection we have right now for extension security is to sign 
> them.
> --pete

Right, and keep praying that nobody takes your Open Source code from 
either the XPI/JAR, or the CVS repository, or just fork or otherwise 
build his own malicious copy of your hard work.

So let's another example; Philip Chee's hard work, who single handed 
converted over 60 extensions from Mozilla Firefox to SeaMonkey, now 
think again.  What will happen if you, the original owner of the 
extension signed your work?  Will that invalidate Phil's work or not?

One thing is for sure, the original code signing should be removed, by 
Philip in this example, and replaced with his own one.  Does he have 
one?  Will he get one?  Can you still fork a project?  What will people 
think about two different certificates?

Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer

More information about the Project_owners mailing list