[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Mook mook.moz at gmail.com
Thu Jul 19 21:51:16 PDT 2007


On 7/18/07, Douglas E. Warner <silfreed at silfreed.net> wrote:
<snip that possibly takes things out of context>
>
> AMO does not provide SSL downloads for its releases either - it's in the
> exact same boat as Mozdev.org is.
>
> (Try for yourself - Addons hosted by AMO are served from
> http://releases.mozilla.org/pub/mozilla.org/addons/; you won't be able to use
> the HTTPS version).
>
I'd like to point out that, for the (hopefully typical) case of a
Firefox user clicking on an Install link and immediately installing
(and not downloading first then installing, as is the case with
Thunderbird &c), AMO's install buttons use InstallTrigger with a hash.
This means that the mirror doesn't have to be secure (since the hash
was transmitted over https, along with the page the user was seeing).
Of course that still only protects a portion of the users...

This may or may not have any bearing on what mozdev wishes to do :p

-- 
Mook
mook dot moz plus stuff at gmail
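
The check described in the message above, sketched as an added example (not part of the original post and not Mozilla's code): the expected hash arrives with the HTTPS page, the package arrives from a plain-HTTP mirror, and the install proceeds only if the two match. The `algorithm:hex` hash string format, the function names, the algorithm allow-list and the sample bytes are assumptions constructed for illustration; it runs under Node.js.

```javascript
// Added example: verify bytes fetched from an untrusted mirror against a
// hash string that was delivered over a trusted (HTTPS) channel.
const nodeCrypto = require("node:crypto");

// Assumption: only these digest algorithms are accepted by the client.
const ALLOWED_ALGORITHMS = new Set(["sha1", "sha256", "sha512"]);

// Parse "algorithm:hexdigest" and reject anything malformed or truncated,
// so a short or empty digest can never count as a match.
function parseHashSpec(spec) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(spec);
  if (!m) throw new Error("malformed hash spec");
  const algo = m[1].toLowerCase();
  if (!ALLOWED_ALGORITHMS.has(algo)) throw new Error("unsupported algorithm: " + algo);
  const digest = Buffer.from(m[2], "hex");
  const expectedLength = nodeCrypto.createHash(algo).digest().length;
  if (digest.length !== expectedLength) throw new Error("wrong digest length");
  return { algo, digest };
}

// Returns true only when the downloaded bytes hash to the trusted value.
function verifyPackage(downloadedBytes, trustedHashSpec) {
  const { algo, digest } = parseHashSpec(trustedHashSpec);
  const actual = nodeCrypto.createHash(algo).update(downloadedBytes).digest();
  return nodeCrypto.timingSafeEqual(actual, digest);
}

// Constructed sample data: stand-ins for a real XPI and its published hash.
const trustedXpi = Buffer.from("constructed sample XPI bytes");
const hashFromHttpsPage =
  "sha256:" + nodeCrypto.createHash("sha256").update(trustedXpi).digest("hex");
// What the client would receive if the mirror response were modified in transit.
const tampered = Buffer.concat([trustedXpi, Buffer.from("!")]);

console.log("genuine package accepted:", verifyPackage(trustedXpi, hashFromHttpsPage));
console.log("modified package accepted:", verifyPackage(tampered, hashFromHttpsPage));
```

The protection holds only when the hash string itself reaches the client over the authenticated channel; a hash served from the same plain-HTTP mirror as the package adds nothing.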

