There's great documentation on InstallTrigger here:
http://developer.mozilla.org/en/docs/Installing_Extensions_and_Themes_From_Web_Pages

Short of implementing a file release system like SourceForge, I'm not sure how mozdev could enforce each project-owner into publishing their download page with InstallTrigger.

Eric

----- Original Message ----
From: Douglas E. Warner <[EMAIL PROTECTED]>
To: project_owners@mozdev.org
Sent: Friday, July 20, 2007 7:35:26 AM
Subject: Re: [Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

On Friday 20 July 2007, Mook wrote:
> I'd like to point out that, for the (hopefully typical) case of a
> Firefox user clicking on an Install link and immediately installing
> (and not downloading first then install, as is the case with
> Thunderbird &c), AMO's install buttons use InstallTrigger with a hash.
> This means that the mirror doesn't have to be secure (since the hash
> was transmitted over https, along with the page the user was seeing).
> Of course that still only protects a portion of the users...
>
> This may or may not have any bearing on what mozdev wishes to do :p

Mook,

Thanks for providing that information; I wasn't aware that there was any install-time security on AMO. I'll take a look to see if it's something that Mozdev could implement as well. It sounds very similar to the link-fingerprinting that Michael was suggesting, as well.

-Doug
_______________________________________________
Project_owners mailing list
Project_owners@mozdev.org
http://mozdev.org/mailman/listinfo/project_owners
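
Added example, not part of the thread and not AMO's or mozdev's code: the integrity check that an install-time hash makes possible, as Mook describes, where the hash arrives with the https page and the package comes from a mirror that need not be trusted. The `algorithm:hexdigest` string form, the function names and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example (Node.js, standard library only); not code from the thread.
const crypto = require("crypto");

// Algorithms this checker accepts; anything else is rejected, never skipped.
const ALLOWED = new Set(["sha1", "sha256", "sha512"]);

// Parse an "algorithm:hexdigest" string (assumed form) into its parts.
function parseHashSpec(spec) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(spec);
  if (!m) throw new Error("malformed hash spec");
  const algorithm = m[1].toLowerCase();
  if (!ALLOWED.has(algorithm)) throw new Error("unsupported algorithm: " + algorithm);
  const expected = Buffer.from(m[2].toLowerCase(), "hex");
  // A truncated or padded digest must fail here, not at comparison time.
  const size = crypto.createHash(algorithm).digest().length;
  if (expected.length !== size) throw new Error("wrong digest length");
  return { algorithm, expected };
}

// True only if the bytes fetched from the mirror match the hash that
// came with the page delivered over https.
function verifyDownload(bytes, spec) {
  const { algorithm, expected } = parseHashSpec(spec);
  const actual = crypto.createHash(algorithm).update(bytes).digest();
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: the package the author published, and the
// bytes a modified mirror (or a party on the path) would serve instead.
const published = Buffer.from("constructed XPI bytes v1.0");
const tampered = Buffer.from("constructed XPI bytes v1.0 + injected");

// The hash as it would be embedded in the https install page.
const pageHash =
  "sha256:" + crypto.createHash("sha256").update(published).digest("hex");

function demo() {
  return {
    genuine: verifyDownload(published, pageHash),
    tampered: verifyDownload(tampered, pageHash),
  };
}

console.log(demo());
```

The check only helps when the hash itself is delivered over a channel the attacker cannot modify; a hash served from the same plain-http page as the download link gives no protection.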