[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org
Michael Vincent van Rantwijk, MultiZilla
mv_van_rantwijk at yahoo.com
Wed Jul 18 08:34:43 PDT 2007
eric.jung at yahoo.com wrote:
> Michael Vincent van Rantwijk wrote:
>>> Is this "no go" just a technical, or a political decision of mozdev.org? <<
> Right now it is a little of both.
That's what I expected, yes.
> Technically, the mirror sites don't have SSL certs and are unlikely to get them.
Is there an accurate list, with contact info, that we can *ask* before
making assumptions here?
> I proposed that we drop the mirrors, but this was met with opposition.
Yeah, that'll be good for mozdev.org. No wonder ;)
> "Politically", as you call it, there are conflicting opinions in the organization as to what an SSL connection means.
> Some believe an SSL download implies we are guaranteeing the download is not malware. Others believe an SSL download
> merely implies the download is encrypted and is coming from the proper host.
Can these people step forward and explain to me what they think is
right/wrong from their point of view?
> None of the mozdev lawyers have, to my
> knowledge, looked at the T&C agreement with our SSL certificate authority to learn which of these opinions is accurate.
Easy, just ask the certificate provider. Or will this go OT delays about
what the heck a certificate/SSL connection stands for?
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer