[Project_owners] InstallTrigger (was: XPI install still vulnerable to MITM attacks on mozdev.org)

Douglas E. Warner silfreed at silfreed.net
Fri Jul 20 11:03:50 PDT 2007


On Friday 20 July 2007, eric.jung at yahoo.com wrote:
> Yeah, I understand. If anything, promoting the use of InstallTrigger on
> mozdev without a file release system would only serve to get people to
> deliver their XPIs outside of the mirror system (i.e., linked from a
> regular HTML or PHP project page under their own control).

It *is* possible to link to a file directly, it's just not completely 
intuitive (or maybe even supported).

For example, if you go to http://download.mozdev.org you will be redirected to
a mirror; from there you can navigate to some file you want to download/link
to, I'll take:

http://mozdev.oregonstate.edu/multizilla/multiviews-v1900.xpi

This same file on another mirror may be:

http://ftp.iasi.roedu.net/mirrors/mozdev.org/multizilla/multiviews-v1900.xpi

But you can refer to that single file by:

http://download.mozdev.org/multizilla/multiviews-v1900.xpi

and this will be served from one of our mirrors.

So with this it should be possible to use InstallTrigger with our current
mirror system, it's just not intuitive, easy, or secure (i.e., susceptible to
MITM attacks).

-Doug