I am pushing for digital signature verification on installer packages,
to verify that the code you download is legitimate at the time of the
download and install. That's coming. As for detecting subsequent
tampering on your own machine, there's no way (that I know of) for a
remote attacker to modify code on your machine. If they could, they
could also modify the code that does the verification on startup, so
that it would not detect the modification. Because of that, I don't
think the mechanism ypu suggest would be of any use.
-Mitch
rvj wrote:
> I am pretty much a novice at security and therefore get the impression much
> of the security issues are to do with transfer to and from host.
>
> What mechanisms exist on the workstation to verify that downloaded code,
> packages, etc are not subsequently tampered with.
>
> Does Mozilla have any mechanism for verification checking on startup? e.g.
> some sort of hash fingerprint maintained via the download or installation
> routine
