I noticed that some addons.mozilla.org extensions were updated over plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of the NoScript extension and fetched it from some https:// URI on addons.mozilla.org. But that URI redirected to another, unencrypted http:// URI from where the .xpi file was actually downloaded.
Is this known behavior? Is it considered a security issue that should be fixed? A malicious extension being installed in your browser via some IP or DNS hijacking attack would be a disaster for many. So it would make sense for Firefox to require HTTPS when downloading extensions, at least for those coming from addons.mozilla.org. If there is a more appropriate place to discuss this, please let me know.

--
Alexander
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
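
The redirect pattern described in the message above, as an added example that is not part of the original post and is not Firefox's update code: a check that resolves each `Location` header in a redirect chain and refuses the download if any hop leaves HTTPS. The host names, paths and the `(status, Location)` response tuples are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

class InsecureHop(Exception):
    """Raised when a hop in the redirect chain is not served over HTTPS."""

def resolve_chain(start_url, responses):
    """Return the absolute URL of every hop.

    `responses` is a list of (status, Location) pairs in the order they were
    received. Each Location is resolved against the URL that produced it,
    because it may be relative ("/v2/x.xpi") or scheme-relative ("//host/x").
    """
    chain = [start_url]
    for status, location in responses:
        if status not in REDIRECT_CODES or not location:
            break  # final response: the file would be fetched from chain[-1]
        chain.append(urljoin(chain[-1], location))
    return chain

def require_https_chain(start_url, responses):
    """Return the final download URL, or raise InsecureHop if any hop,
    including the first and the last, uses a scheme other than https."""
    chain = resolve_chain(start_url, responses)
    for i, url in enumerate(chain):
        if urlsplit(url).scheme.lower() != "https":
            raise InsecureHop(f"hop {i} is not HTTPS: {url}")
    return chain[-1]

# Constructed sample data (hypothetical hosts, not taken from the post).
START = "https://addons.example.org/downloads/latest/addon.xpi"
# The case from the post: an https:// URI that redirects to plain http://.
DOWNGRADED = [(302, "http://mirror.example.net/addon.xpi"), (200, None)]
# A chain that changes host and path but never leaves HTTPS.
SAFE = [(302, "//cdn.example.org/files/addon.xpi"),
        (302, "/v2/addon.xpi"),
        (200, None)]

if __name__ == "__main__":
    print("accepted:", require_https_chain(START, SAFE))
    try:
        require_https_chain(START, DOWNGRADED)
    except InsecureHop as exc:
        print("rejected:", exc)
```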
