Hi, yesterday there was an interesting discussion on the IRC about security and downloaded files, and especially the net installer.

I'd like to summarize it here (as far as I don't forget something ;) and hope that someone has some good ideas to improve the situation.

OK, imagine the following situation: You got the net installer and you start downloading the remaining files. This process is vulnerable to a man-in-the-middle attack (of whatever kind), and it's possible that you will get a manipulated version (of whatever kind) of Mozilla. I don't know how often something like this might happen, but at least it's possible, especially in a LAN. The question is: How to detect such an attack?

One solution might be to get the installer from a "secure source" (well, a nice word for something that doesn't exist in reality, imho), and this installer contains md5 sums to verify the files to be downloaded. This would mean that you could use the installer only for this one special build, and some code changes would have to be made. Some people also don't seem to like the idea of having cryptographic code in the installer.

Another idea was to provide md5 sums of all Mozilla builds, but this only seems to make sense if you also sign these md5 sums, because someone who can spoof ftp.mozilla.org can also spoof any other server for you. This signing could happen via PGP, or at least a signed https connection.

Yet another idea: don't use the net installer (and, for maximum security, no downloaded build), but a version provided and verified by your favourite computer magazine. This one is very ugly; the verification work would only be pushed to another place.

OK, I hope I forgot nothing important, if so please correct me :-)

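The checksum-verification step the post discusses, as an added example that is not code from the original post or from the Mozilla installer. It parses a manifest in the `md5sum`/`sha256sum` output format, hashes each downloaded file and reports `ok`, `MISMATCH` or `MISSING`. The two manifests, the file names and the file contents are constructed; the scenario also shows the post's central point: a manifest fetched from the same spoofable server as the files marks a substituted file as `ok`, so the checksums only help when they arrive through a channel the attacker cannot rewrite (a signature, or an installer obtained out of band). SHA-256 is used as the default in place of MD5, which is no longer collision-resistant; the `algo` parameter accepts `"md5"` if that is what a legacy manifest carries.

```python
"""Verify a set of downloaded files against a checksum manifest (added example)."""
import hashlib
import hmac
import os
import tempfile

# Constructed sample payloads standing in for installer components.
GENUINE_BROWSER = b"browser-component-v1\n"
GENUINE_MAIL = b"mail-component-v1\n"
TAMPERED_MAIL = b"mail-component-v1-with-extra-bytes\n"  # what a MITM substituted


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory blob (used here to build the manifests)."""
    return hashlib.new(algo, data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse md5sum/sha256sum-style lines: '<hexdigest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        hexdigest, name = parts
        # Binary-mode md5sum prefixes the file name with '*'; drop it.
        entries[name.lstrip("*")] = hexdigest.lower()
    return entries


def verify_file(path: str, expected_hex: str, algo: str = "sha256") -> bool:
    """Hash the file in chunks and compare against the manifest entry."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    # Constant-time comparison; cheap insurance when the digest is later
    # compared against attacker-influenced input.
    return hmac.compare_digest(h.hexdigest(), expected_hex.lower())


def verify_download_set(manifest_text: str, directory: str, algo: str = "sha256") -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif verify_file(path, expected, algo):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: one genuine download, one replaced in transit."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "browser.xpi"), "wb") as f:
            f.write(GENUINE_BROWSER)
        with open(os.path.join(d, "mail.xpi"), "wb") as f:
            f.write(TAMPERED_MAIL)
        # Manifest as the publisher produced it. Assumed to have reached the
        # user intact (e.g. shipped inside an installer obtained out of band,
        # or carrying a signature that was checked before this point).
        trusted = (
            f"{digest(GENUINE_BROWSER)}  browser.xpi\n"
            f"{digest(GENUINE_MAIL)}  mail.xpi\n"
            f"{digest(GENUINE_MAIL)}  talkback.xpi\n"  # not downloaded yet
        )
        # Manifest fetched from the same spoofed server that served mail.xpi:
        # whoever substituted the file also rewrote its checksum.
        spoofed = (
            f"{digest(GENUINE_BROWSER)}  browser.xpi\n"
            f"{digest(TAMPERED_MAIL)}  mail.xpi\n"
        )
        return {
            "trusted": verify_download_set(trusted, d),
            "spoofed": verify_download_set(spoofed, d),
        }


if __name__ == "__main__":
    for source, report in demo().items():
        print(f"manifest from {source} channel: {report}")
```

With the trusted manifest the substituted `mail.xpi` is reported as `MISMATCH`; with the spoofed manifest every file is `ok`, which is exactly why the post concludes that unsigned checksums on the download server add nothing.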