Robert Kaiser wrote:

Paul B. Gallagher wrote:
Without taking a position either way, how does the user know it's really
Mozilla supplying the update? Is there some kind of authentication
process, or do we just have to close our eyes and trust?

We require SSL-encryption for delivery of updates (both for the info
that updates are available and for the update download itself), verify
the checksums of the downloaded files with strong hashes, and we require
the certificate used for SSL there to be both valid and from the CAs
used by Mozilla. The only current way to compromise this is to
compromise (one of) those two CAs - and no, the only CA that we know had
hacker certificates issued is not among them, we wouldn't dare to use it
for our own stuff.

Thanks, this helps me both to understand the process and to feel secure.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
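The checks Robert describes above (manifest and payload fetched only over TLS, the server certificate accepted only if it chains to a small set of CAs, and the downloaded file checked against a strong hash from the manifest) are straightforward to express in code. The following is an added example written for this thread, not code from Mozilla's updater or from the SeaMonkey project. It assumes an update.xml-like manifest whose `<patch>` elements carry `URL`, `hashFunction`, `hashValue` and `size` attributes (attribute names are an assumption for illustration), a hypothetical CA bundle file path for the pinned trust store, and a constructed sample payload whose digest is computed inline so the example runs offline.

```python
import hashlib
import hmac
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hash functions accepted for authenticating a downloaded update.
# md5 and sha1 are deliberately excluded.
STRONG_HASHES = {"sha256", "sha384", "sha512"}

# Constructed stand-in for a downloaded update file (not a real build).
SAMPLE_PAYLOAD = b"constructed update payload, not a real build\n"

# Constructed manifest modelled on the update.xml shape. The attribute names
# are an assumption for illustration; the digest is computed from the sample
# payload so that the good case verifies.
SAMPLE_MANIFEST = f"""<?xml version="1.0"?>
<updates>
  <update type="minor" displayVersion="2.x" appVersion="2.x">
    <patch type="complete"
           URL="https://download.example.invalid/seamonkey/complete.mar"
           hashFunction="sha512"
           hashValue="{hashlib.sha512(SAMPLE_PAYLOAD).hexdigest()}"
           size="{len(SAMPLE_PAYLOAD)}"/>
  </update>
</updates>
"""


def parse_manifest(xml_text):
    """Return the list of patch descriptors found in an update manifest."""
    root = ET.fromstring(xml_text)
    patches = []
    for patch in root.iter("patch"):
        patches.append({
            "type": patch.get("type"),
            "url": patch.get("URL"),
            "hash_function": (patch.get("hashFunction") or "").lower(),
            "hash_value": (patch.get("hashValue") or "").lower(),
            "size": int(patch.get("size", "0")),
        })
    return patches


def is_acceptable_download_url(url):
    """The payload download must travel over TLS too, not just the manifest."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def pinned_tls_context(ca_bundle_path):
    """TLS context that trusts only the CAs in ca_bundle_path (a hypothetical
    file holding the vendor's chosen CAs). Because cafile is given, the system
    trust store is NOT loaded, so a certificate from any other public CA fails
    verification even though a browser would accept it."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verify_payload(data, patch):
    """Check size and digest of downloaded bytes against one manifest entry.
    Returns True only for a strong hash function and a matching digest."""
    if patch["hash_function"] not in STRONG_HASHES:
        return False
    if patch["size"] and len(data) != patch["size"]:
        return False
    actual = hashlib.new(patch["hash_function"], data).hexdigest()
    # Constant-time comparison; cheap even where timing is unlikely to matter.
    return hmac.compare_digest(actual, patch["hash_value"])


def check_update(manifest_xml, downloaded):
    """Full check: every patch has an https URL and its bytes match the
    manifest. `downloaded` maps patch URL -> bytes fetched over the pinned
    TLS context from pinned_tls_context()."""
    for patch in parse_manifest(manifest_xml):
        if not is_acceptable_download_url(patch["url"]):
            return False
        data = downloaded.get(patch["url"])
        if data is None or not verify_payload(data, patch):
            return False
    return True


if __name__ == "__main__":
    url = parse_manifest(SAMPLE_MANIFEST)[0]["url"]
    print("good:", check_update(SAMPLE_MANIFEST, {url: SAMPLE_PAYLOAD}))
    print("tampered:", check_update(SAMPLE_MANIFEST, {url: SAMPLE_PAYLOAD + b"x"}))
```

The point worth noticing is the split between the two layers: the pinned TLS context is what stops a rogue or compromised public CA from impersonating the update server, and the hash check is what stops a modified file from being installed even if the transport were somehow subverted. Neither check alone gives the guarantee the reply above describes.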
