Gervase Markham wrote:
> Michael Vincent van Rantwijk, MultiZilla wrote:
>> Which are you talking about here?
>>
>> If a hacker has control over a box, and is interested in distributing
>> a trojan, then he will most certainly know about the link
>> fingerprinting and change the hash code as well, or otherwise all his
>> work is useless.
>
> Link Fingerprints provide the greatest improvement in security when the
> fingerprint and the download are communicated by different means. For
> example, the link with the fingerprint might come in a secure email, and
> the download might be on a webserver. Or, the link is on
> www.mozilla.org, and the download is from a Russian mirror.

Let's go back one step: *if* Joe Hacker gets control over mozdev.org somehow, then he _can_ change the links and the downloads, easily, because the mirrors pull from that box, and that is the same for mozilla.org I suppose!

> So "the download is trojaned" does not automatically imply that the
> hacker has access to change the fingerprint.

In this case it does, and I'm not alone on this.

> Gerv
