[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 08:34:43 PDT 2007


eric.jung at yahoo.com wrote:
> Michael Vincent van Rantwijk wrote:
> 
>>> Is this "no go" just a technical, or a political decision of mozdev.org? <<
> 
> Right now it is a little of both. 

That's what I expected, yes.

> Technically, the mirror sites don't have SSL certs and are unlikely to get them. 

Is there an accurate list, with contact info, that we can *ask* before 
making assumptions here?

> I proposed that we drop the mirrors, but this was met with opposition. 

Yeah, that'll be good for mozdev.org. No wonder ;)

> "Politically", as you call it, there are conflicting opinions in the organization as to what an SSL connection means. 
> Some believe an SSL download implies we are guaranteeing the download is not malware. Others believe an SSL download 
> merely implies the download is encrypted and is coming from the proper host. 

Can these people step forward and explain to me what they think is 
right/wrong from their point of view?

> None of the mozdev lawyers have, to my 
> knowledge, looked at the T&C agreement with our SSL certificate authority to learn which of these opinions are accurate.

Easy, just ask the certificate provider. Or will this go OT delays about 
what the heck a certificate/SSL connection stands for?

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
