[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Douglas E. Warner silfreed at silfreed.net
Wed Jul 18 08:11:58 PDT 2007


On Wednesday 18 July 2007, Michael Vincent van Rantwijk, MultiZilla wrote:
> But talk is that MoCo wants SSL protected downloads in the (near)
> future, but couldn't get it going for MF3 because of various reasons,
> and the same reason why this add-on signing of extensions was taken into
> account.

If you have links to documentation or discussion that says this, please share 
it.  So far the only discussion that we've been part of has been the updates 
process for Firefox 3, and the solution we've chosen to support for 
Mozdev.org is valid by the current proposal.  SSL does not buy us anything.

>    Myk said to have troubles when people start using the mozdev.org
> certificate for other things, like updates.rdf for examples, is this
> perhaps the reason, or what else is it that you guys are so reluctant
> to implement this?  Is this "no go" just a technical, or a political
> decision of mozdev.org?

SSL is very difficult for us to implement for several reasons; some are 
technical, some are financial, some are legal.

1) Our mirrors don't support SSL.  We can't force them to support SSL.  If we 
did force them to support SSL, it would probably be our responsibility to pay 
for the certs and additional server resources needed to serve SSL-encrypted 
files.

2) Wildcard certs for *.mozdev.org are expensive.

3) We're not sure of the legal repercussions of getting a *.mozdev.org cert.  
Mozdev doesn't do the verification of a project owner that a Certificate 
Authority would do for an individual SSL certificate.  If we were to get a 
malicious project that was able to "securely" install by using our 
certificate, who would be responsible?

> "If you are serious about security and your extension/add-on, then you
> would get a code signing cert.
>
> The best protection we have right now for extension security is to sign
> them. "
>
> ...and a host that supports SSL, or be prepared to get bitten one day
> soon ;)

SSL is not the "end all", especially since it only proves that the package 
came from Mozdev.org, not that it should be trusted.

I'm sure there are other solutions available - unfortunately they aren't 
supported or being developed by Mozilla at the current time.  The other 
solutions just aren't technically and financially (and possibly legally) 
feasible for Mozdev right now.

-Doug

