On 2007-03-05, Gervase Markham <[EMAIL PROTECTED]> wrote: > Jonathan Watt wrote: >> Do we have systems in place to stop this sort of thing from happening: >> >> http://wordpress.org/development/2007/03/upgrade-212/ > > You mean apart from those normal security mechanism (passwords etc.) > which prevent random people uploading builds to our download servers? :-) > > The article linked above mentions a problem, but not an attack vector. > Did you have one in mind?
Well, it seems that someone somehow got user-level access to one of their download servers. Given the quantity and diversity of Mozilla download mirrors, I imagine it would be pretty hard for Mozilla to directly keep track of the security of every download server (but correct me if I'm wrong). I guess the questions to answer would be what steps Mozilla takes to ensure that the mirrors are managed well by the third parties that manage them, and, in the event that a mirror somewhere got hacked, is there some system in place to protect people from getting bad stuff. I guess answers to that may include the Windows builds being signed, md5 checksums (although if the place to get those is just from ftp mirrors that doesn't help much - are they on the website or a non-mirrored host?), and maybe even what you blogged about http://weblogs.mozillazine.org/gerv/archives/2007/03/wordpress_download_tarball_com.html -- Michael _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
