Paul B. Gallagher wrote:
Without taking a position either way, how does the user know it's really
Mozilla supplying the update? Is there some kind of authentication
process, or do we just have to close our eyes and trust?

We require SSL-encryption for delivery of updates (both for the info
that updates are available and for the update download itself), verify
the checksums of the downloaded files with strong hashes, and we require
the certificate used for SSL there to be both valid and from the CAs
used by Mozilla. The only current way to compromise this is to
compromise (one of) those two CAs - and no, the only CA that we know had
hacker certificates issued is not among them, we wouldn't dare to use it
for our own stuff.
Robert Kaiser
--
Note that any statements of mine - no matter how passionate - are never
meant to be offensive but very often as food for thought or possible
arguments that we as a community should think about. And most of the
time, I even appreciate irony and fun! :)
_______________________________________________
support-seamonkey mailing list
https://lists.mozilla.org/listinfo/support-seamonkey
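
The three checks described in the reply above, sketched as an added example; this is not Mozilla's or SeaMonkey's updater code. The function name, the pinned-fingerprint set, the choice of SHA-512 as the strong hash and all sample values are assumptions constructed for illustration, and the TLS library's own chain validation is assumed to be passed in as `chain_ok`.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins for the DER bytes of the two CA certificates the
# updater trusts; a real client would ship the real CA fingerprints.
CA_A = b"constructed CA certificate A"
CA_B = b"constructed CA certificate B"
PINNED_CA_SHA256 = {hashlib.sha256(c).hexdigest() for c in (CA_A, CA_B)}


def check_update(url, chain_ok, chain_der, payload, expected_sha512):
    """Return "accept" or "reject: <reason>" for one downloaded update.

    chain_ok  -- result of the TLS library's normal chain validation
    chain_der -- DER bytes of each certificate in the validated chain
    """
    # 1. Both the update info and the download must come over SSL/TLS.
    if urlsplit(url).scheme != "https":
        return "reject: not delivered over SSL"
    # 2. The certificate must be valid ...
    if not chain_ok:
        return "reject: certificate not valid"
    # ... and chain to one of the pinned CAs, not just any trusted CA.
    seen = {hashlib.sha256(c).hexdigest() for c in chain_der}
    if not seen & PINNED_CA_SHA256:
        return "reject: certificate not from a pinned CA"
    # 3. The file must match the checksum from the update info
    #    (SHA-512 is this example's choice of strong hash).
    actual = hashlib.sha512(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha512.lower()):
        return "reject: checksum mismatch"
    return "accept"


if __name__ == "__main__":
    update = b"constructed update archive"
    digest = hashlib.sha512(update).hexdigest()
    leaf = b"constructed server certificate"
    url = "https://updates.example.invalid/update.bin"
    print(check_update(url, True, [leaf, CA_A], update, digest))
    # A valid chain from a CA outside the pinned set is still refused.
    print(check_update(url, True, [leaf, b"other CA"], update, digest))
    print(check_update(url, True, [leaf, CA_B], update + b"x", digest))
```

The second call shows why restricting the accepted CAs matters: a certificate that validates against some other trusted CA is refused, so only the pinned CAs remain as a point of compromise.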