[Project_owners] InstallTrigger (was: XPI install still vulnerable to MITM attacks on mozdev.org)

eric.jung at yahoo.com
Fri Jul 20 07:26:07 PDT 2007


There's great documentation on InstallTrigger here:
http://developer.mozilla.org/en/docs/Installing_Extensions_and_Themes_From_Web_Pages
Short of implementing a file release system like SourceForge's, I'm not sure how mozdev could require each project owner to publish their download page with InstallTrigger.

Eric

----- Original Message ----
From: Douglas E. Warner <silfreed at silfreed.net>
To: project_owners at mozdev.org
Sent: Friday, July 20, 2007 7:35:26 AM
Subject: Re: [Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

On Friday 20 July 2007, Mook wrote:
> I'd like to point out that, for the (hopefully typical) case of a
> Firefox user clicking on a Install link and immediately installing
> (and not downloading first then install, as is the case with
> Thunderbird &c), AMO's install buttons use InstallTrigger with a hash.
>  This means that the mirror doesn't have to be secure (since the hash
> was transmitted over https, along with the page the user was seeing).
> Of course that still only protects a portion of the users...
>
> This may or may not have any bearing on what mozdev wishes to do :p

Mook,

Thanks for providing that information; I wasn't aware that there was any 
install-time security on AMO.  I'll take a look to see if it's something that 
Mozdev could implement as well.  It sounds very similar to the 
link-fingerprinting that Michael was suggesting, as well.

-Doug



