[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org
Michael Vincent van Rantwijk, MultiZilla
mv_van_rantwijk at yahoo.com
Wed Jul 18 10:29:40 PDT 2007
David Boswell wrote:
>> Myk said to have troubles when people start using the mozdev.org
>> certificate for other things, like updates.rdf for example. Is this
>> perhaps the reason, or what else is it that you guys are so
>> reluctant to implement this? Is this "no go" just a technical, or a
>> political decision of mozdev.org?
> I think it makes the most sense for mozdev to follow AMO's policy in
> this matter. This will benefit project owners because they won't need
> to worry about dealing with two separate systems for installations and
But that *is* to have your own SSL certificate, and to provide a
secondary option (XPI signing), both in combination with link finger
> I also don't think we have been reluctant to implement this feature.
I'm not a native American, so if I said something wrong, then I'd like to
apologize hereby for my silly errors.
> We've evaluated using the mozdev cert for downloads and installations
> and decided that this is unnecessary.
Probably because someone doesn't understand the meaning of SSL in
connection with updates.rdf and link fingerprinting.
> For some background, this issue
> came up earlier this year and we decided it wasn't needed then as well.
In fact, code signing came up much much earlier (see news archive).
> Evaluate code-signing certificate for XPI downloads
I agree, code signing with a mozdev.org certificate would be a bad
thing, but I'm not asking for such a certificate; I'm asking for an SSL (as in
Secure Socket Layer) protection certificate to be able to *initiate* a secure
download with the help of link fingerprinting, and for ways to provide my
updates.rdf just the way a.m.o. does.
> I can understand if there is disagreement about this matter because it
> is complicated and AMO's policy about this is changing right now as
> well. I suggest we keep tracking this and change our plans as needed.
Complicated, yes and no, but I'm a clean-desk person who thinks in
black and white too much, probably ;)
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
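The mechanism argued over in this thread, as an added example that is not part of the original message, of mozdev.org, or of MultiZilla: an update manifest in the Mozilla `em:` vocabulary (`em:updateLink`, `em:updateHash`) carries a fingerprint of the XPI, and a client refuses to install a package whose fingerprint does not match. The check also shows why the author wants the manifest itself served over SSL: a hash delivered over plain http can be rewritten by the same man in the middle who rewrites the XPI, so the code rejects a manifest that did not arrive over https. The manifest, the package bytes, the host names and the accepted-hash policy are all constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"      # namespace of Mozilla update manifests
ACCEPTED_HASHES = {"sha256", "sha384", "sha512"}  # example policy: no md5/sha1 fingerprints

# Constructed stand-in for an extension package; a real XPI is a zip archive.
SAMPLE_XPI = b"PK\x03\x04 constructed stand-in for multizilla.xpi"


def build_manifest(update_link, xpi=SAMPLE_XPI, algo="sha256", with_hash=True):
    """Build a minimal update.rdf for one version (constructed sample, em: vocabulary)."""
    hash_line = ""
    if with_hash:
        digest = hashlib.new(algo, xpi).hexdigest()
        hash_line = f"<em:updateHash>{algo}:{digest}</em:updateHash>"
    return f"""<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="{EM}">
  <RDF:Description about="urn:mozilla:extension:example@multizilla.invalid">
    <em:updates><RDF:Seq><RDF:li><RDF:Description>
      <em:version>1.0</em:version>
      <em:targetApplication><RDF:Description>
        <em:id>{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}</em:id>
        <em:updateLink>{update_link}</em:updateLink>
        {hash_line}
      </RDF:Description></em:targetApplication>
    </RDF:Description></RDF:li></RDF:Seq></em:updates>
  </RDF:Description>
</RDF:RDF>"""


def first_update_entry(manifest_xml):
    """Return (updateLink, updateHash) text of the first targetApplication entry."""
    root = ET.fromstring(manifest_xml)
    for target in root.iter(f"{{{EM}}}targetApplication"):
        link = target.find(f".//{{{EM}}}updateLink")
        digest = target.find(f".//{{{EM}}}updateHash")
        return (link.text if link is not None else None,
                digest.text if digest is not None else None)
    return None, None


def verify_update(manifest_url, manifest_xml, xpi_bytes):
    """Decide whether xpi_bytes may be installed. Returns (ok, reason).

    manifest_url is where update.rdf was fetched from: the fingerprint inside
    it is only as trustworthy as that channel, so it has to be https.
    """
    if urlparse(manifest_url).scheme != "https":
        return False, "update.rdf fetched over a channel an attacker could rewrite"
    link, hashspec = first_update_entry(manifest_xml)
    if link is None:
        return False, "no updateLink in manifest"
    link_is_https = urlparse(link).scheme == "https"
    if hashspec is None:
        if link_is_https:
            return True, "https download without hash: TLS protects the file itself"
        return False, "plain-http updateLink without updateHash"
    algo, sep, expected = hashspec.partition(":")
    if not sep or algo.lower() not in ACCEPTED_HASHES:
        return False, f"unsupported hash algorithm: {algo!r}"
    actual = hashlib.new(algo.lower(), xpi_bytes).hexdigest()
    # constant-time compare; a mismatch means the XPI differs from what was fingerprinted
    if not hmac.compare_digest(actual, expected.strip().lower()):
        return False, "updateHash mismatch: package modified in transit or wrong file"
    return True, f"{algo} fingerprint matches"


if __name__ == "__main__":
    manifest = build_manifest("http://mirror.example/multizilla.xpi")
    print(verify_update("https://mozdev.example/update.rdf", manifest, SAMPLE_XPI))
    print(verify_update("https://mozdev.example/update.rdf", manifest, SAMPLE_XPI + b"!"))
    print(verify_update("http://mozdev.example/update.rdf", manifest, SAMPLE_XPI))
```

With an https manifest the XPI itself may come from a plain-http mirror, because the fingerprint pins the bytes; with a plain-http manifest no fingerprint helps, which is the whole of the author's point about needing the server certificate.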