[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

Douglas E. Warner silfreed at silfreed.net
Fri Jul 20 04:35:26 PDT 2007


On Friday 20 July 2007, Mook wrote:
> I'd like to point out that, for the (hopefully typical) case of a
> Firefox user clicking on a Install link and immediately installing
> (and not downloading first then install, as is the case with
> Thunderbird &c), AMO's install buttons use InstallTrigger with a hash.
>  This means that the mirror doesn't have to be secure (since the hash
> was transmitted over https, along with the page the user was seeing).
> Of course that still only protects a portion of the users...
>
> This may or may not have any bearing on what mozdev wishes to do :p

Mook,

Thanks for providing that information; I wasn't aware that there was any 
install-time security on AMO.  I'll take a look to see if it's something that 
Mozdev could implement as well.  It sounds very similar to the 
link-fingerprinting that Michael was suggesting, as well.

-Doug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mozdev.org/pipermail/project_owners/attachments/20070720/7729b91b/attachment-0001.bin 


More information about the Project_owners mailing list