As far as I understand, there is no difference. I am not a crypo expert, but here is my understanding of the process: 1) An active attacker can MITM the connection and falsify ANY data being sent, unless the server certificate is pinned (which it is not, by deafult). 2) The signature is verified against EFF public key hardcoded into the extension. The verification will fail if either the data or the signature is tampered with (unless the attacker can modify the hardcoded public key, but then the user is screwed anyway).
This is correct. Detached signatures are just as safe.
There's one little quirk in that you'd want to deploy a new update.json with a new detached sig simultaneously, otherwise some clients would fetch the old sig with the new update.json.
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
