[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 07:48:29 PDT 2007


Douglas E. Warner wrote:
> On Wednesday 18 July 2007, Michael Vincent van Rantwijk, MultiZilla wrote:
>> 1) start Mozilla Firefox
>> 2) visit http://www.mozilla.com/
>> 3) click on the link: "New! Firefox Add-ons" (SSL)
>> 4) click on the green button with the text: "Install Now" (SSL)
>> 5) I am on https://addons.mozilla.org/en-US/firefox/ (SSL)
>>
>> So, the *initial* installation from  amo *is* SSL protected, like this
>> https://addons.mozilla.org/en-US/firefox/addon/nnnn
>> Note: nnnn is the add-on number you wish to install.
>>
>> p.s. see attached screen shot of software dialog clearly showing https://
> 
> Unfortunately, this is totally deceptive on their part.  The download *starts 
> out* as an SSL connection, then gets redirected to a non-secure; the 
> connection goes from:
> 
> https://addons.mozilla.org/en-US/firefox/downloads/file/16795/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi
> 
> and gets redirected to:
> 
> http://releases.mozilla.org/pub/mozilla.org/addons/219/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi
> 
> See the attached download log.
> 
> -Doug

But talk is that MoCo wants SSL protected downloads in the (near) 
future, but couldn't get it going for MF3 because of various reasons, 
and the same reason why this add-on signing of extensions was taken into 
account.

Myk said to have troubles when people start using the mozdev.org 
certificate for other things, like updates.rdf for example. Is this 
perhaps the reason, or what else is it that you guys are so reluctant 
to implement this? Is this "no go" just a technical, or a political 
decision of mozdev.org?

"If you are serious about security and your extension/add-on, then you 
would get a code signing cert.

The best protection we have right now for extension security is to sign 
them."

...and a host that supports SSL, or be prepared to get bitten one day 
soon ;)

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
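A defender-side check for the downgrade Doug describes, added here as an example and not part of the thread or of any Mozilla tooling: it walks the requests in a download log and flags every hop that leaves TLS. The log lines are constructed to mirror the two URLs quoted above, not the attached log itself.

```python
import re
from urllib.parse import urlparse

# Constructed sample download log (not the one attached to the thread):
# an HTTPS request answered with a 302 whose Location points at plain HTTP.
SAMPLE_LOG = """\
GET https://addons.mozilla.org/en-US/firefox/downloads/file/16795/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi
HTTP/1.1 302 Found
Location: http://releases.mozilla.org/pub/mozilla.org/addons/219/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi
GET http://releases.mozilla.org/pub/mozilla.org/addons/219/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi
HTTP/1.1 200 OK
"""


def parse_chain(log):
    """Return the ordered list of URLs the client actually requested."""
    return re.findall(r"^GET (\S+)", log, re.MULTILINE)


def find_downgrades(chain):
    """Return (hop_index, from_url, to_url) for each hop that drops from https.

    Once a hop is served over plain http, everything after it (the XPI bytes
    included) can be altered by anyone on the network path, no matter how
    the chain started.
    """
    downgrades = []
    for i in range(1, len(chain)):
        prev, cur = urlparse(chain[i - 1]), urlparse(chain[i])
        if prev.scheme == "https" and cur.scheme != "https":
            downgrades.append((i, chain[i - 1], chain[i]))
    return downgrades


def chain_is_secure(chain):
    """True only when every request in the chain, first to last, used https."""
    return bool(chain) and all(urlparse(u).scheme == "https" for u in chain)


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LOG)
    for idx, src, dst in find_downgrades(chain):
        print(f"hop {idx}: TLS dropped\n  {src}\n  -> {dst}")
    print("secure end-to-end:", chain_is_secure(chain))
```

The same two functions can be pointed at a chain recorded from any redirecting installer URL; the final scheme, not the first, is what decides whether the file arrived untouched.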