[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

eric.jung at yahoo.com eric.jung at yahoo.com
Wed Jul 18 08:00:19 PDT 2007

Michael Vincent van Rantwijk wrote:

>>Is this "no go" just a technical, or a political decision of mozdev.org? <<

Right now it is a little of both. Technically, the mirror sites don't have SSL certs and are unlikely to get them. I proposed that we drop the mirrors, but this was met with opposition. "Politically", as you call it, there are conflicting opinions in the organization as to what an SSL connection means. Some believe an SSL download implies we are guaranteeing the download is not malware. Others believe an SSL download merely implies the download is encrypted and is coming from the proper host. None of the mozdev lawyers have, to my knowledge, looked at the T&C agreement with our SSL certificate authority to learn which of these opinions is accurate.

