[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Wed Jul 18 10:29:40 PDT 2007

David Boswell wrote:
>> Myk said to have troubles when people start using the mozdev.org 
>> certificate for other thingsIs this "no go" just a technical, or a 
>> political decision of mozdev.org? , like updates.rdf for examples, is
>> this perhaps the reason, or what else is it that you guys are so 
>> reluctant to implement this?
> I think it makes the most sense for mozdev to follow AMO's policy in
> this matter.  This will benefit project owners because they won't need
> to worry about dealing with two separate systems for installations and
> downloads.  

But that *is* to have your own SSL certificate, and to provide a 
secondary option (XPI signing), both in combination with link finger 

> I also don't think we have been reluctant to implement this feature. 

I'm not a native American so if I said something wrong, then I like to 
apologize hereby for my silly errors.

> We've evaluated using the mozdev cert for downloads and installations
> and decided that this is unnecessary. 

Probably because someone doesn't understand the meaning of SSL in 
connection with updates.rdf and link finger printing.

> For some background, this issue
> came up earlier this year and we decided it wasn't needed then as well.

In fact, code signing came up much much earlier (see news archive).

> Evaluate code-signing certificate for XPI downloads
> https://www.mozdev.org/bugs/show_bug.cgi?id=15482 

I agree, code signing with a mozdev.org certificate would be a bad 
thing, but and I'm not asking for such certificate, but a SSL (as Secure 
Socket Layer) protection certificate to be able to *initiate* a secure 
download with help of link finger printing and ways to provide my 
updates.rdf just as the way as a.m.o. does.

> I can understand if there is disagreement about this matter because it
> is complicated and AMO's policy about this is changing right now as
> well.  I suggest we keep tracking this and change our plans as needed.

Complicated, yes and no, but I'm a cleaned desk person who things in 
black and white too much probably ;)

> David


Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer

More information about the Project_owners mailing list