[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org
Douglas E. Warner
silfreed at silfreed.net
Wed Jul 18 08:11:58 PDT 2007
On Wednesday 18 July 2007, Michael Vincent van Rantwijk, MultiZilla wrote:
> But talk is that MoCo wants SSL protected downloads in the (near)
> future, but couldn't get it going for MF3 because of various reasons,
> and the same reason why this add-on signing of extensions was taken into
If you have links to documentation or discussion that says this, please share
it. So far the only discussion that we've been part of has been the updates
process for Firefox 3, and the solution we've chosen to support for
Mozdev.org is valid by the current proposal. SSL does not buy us anything.
> Myk said to have troubles when people start using the mozdev.org
> certificate for other thingsIs this "no go" just a technical, or a
> political decision of mozdev.org? , like updates.rdf for examples, is
> this perhaps the reason, or what else is it that you guys are so
> reluctant to implement this?
SSL is very difficult for us to implement for several reasons; some are
technical, some are financial, some are legal.
1) Our mirrors don't support SSL. We can't force them to support SSL. If we
did force them to support SSL, it would probably be our responsibility to pay
for the certs and additional server resources needed to serve SSL-encrypted
2) Wildcard certs for *.mozdev.org are expensive.
3) We're not sure of the legal repercussions of getting a *.mozdev.org cert.
Mozdev doesn't do the verification of a project owner that a Certificate
Authority would do for an individual SSL certificate. If we were to get a
malicious project that was able to "securely" install by using our
certificate, who would be responsible?
> "If you are serious about security and your extension/add-on, then you
> would get a code signing cert.
> The best protection we have right now for extension security is to sign
> them. "
> ...and a host that supports SSL, or be prepared to get bitten one day
> soon ;)
SSL is not the "end all", especially since it only proves that the package
came from Mozdev.org, not that it should be trusted.
I'm sure there are other solutions available - unfortunately there aren't
supported or being developed by Mozilla at the current time. The other
solutions just aren't technically and financially (and possibly legally)
feasible for Mozdev right now.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mozdev.org/pipermail/project_owners/attachments/20070718/86efed20/attachment.bin
More information about the Project_owners