>> - I assume requests to mozilla are encrypted + authenticated
>
> This assumption was and is wrong.
> Disabling such insecure update paths makes sense.

I concluded that the addon process is insecure because the versioncheck happens over HTTPS but the actual download of the new xpi file is over HTTP. This simple conclusion is wrong if one doesn't check the entire update mechanism. To download something over an insecure channel is fine as long as you can check the file for modifications after the download.

The versioncheck mechanism provides the location of the new xpi file and the SHA256 hash over SSL to the browser:

======
[...]
<em:updateLink>http://releases.mozilla.org/pub/mozilla.org/addons/722/noscript-2.1.1.1-fx+sm+fn.xpi</em:updateLink>
<em:updateInfoURL>https://addons.mozilla.org/versions/updateInfo/1246876/%APP_LOCALE%/</em:updateInfoURL>
<em:updateHash>sha256:738eafacb3d3273b9d8ab46f7ffb34d6ba756dd7a35548ad73332106be88ae02</em:updateHash>
[...]
======

If Firefox actually checks the SHA256 hash before installing the xpi it should be reasonably safe (besides the information leaks).

Regarding SSL MITM: Mozilla seems to have a hardcoded check for the certificate of the versioncheck host.[1]

What led Torbutton to the conclusion that the update mechanism is insecure and therefore disabled by default? (TBB: "Add-on update security checking is disabled. You may be compromised by updates.")

Does 'compromised' mean, in this context, that someone may install arbitrary xpis, or was it more the kind of "your anonymity gets compromised because you disclose your addons incl. their versions"?

I suppose that's a question for Mike?

thanks!

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
http://kb.mozillazine.org/Software_Update

_______________________________________________
tor-talk mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
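
The check discussed in the message above (digest delivered over the authenticated versioncheck channel, file fetched over plain HTTP, digest compared before install), as an added example that is not part of the original post and is not Firefox's code. The sample manifest, the host name, `check_update` and the accepted-algorithm policy are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data: the payload, host name and digest are made up.
SAMPLE_XPI = b"constructed xpi payload for this example"
SAMPLE_MANIFEST = (
    "<em:updateLink>http://downloads.example.invalid/sample-1.0.xpi</em:updateLink>\n"
    "<em:updateHash>sha256:" + hashlib.sha256(SAMPLE_XPI).hexdigest() + "</em:updateHash>\n"
)
ALLOWED_ALGOS = {"sha256", "sha512"}  # assumption: policy chosen for this example


def field(manifest, name):
    """Pull one em:<name> value out of a manifest fragment (a real client
    would use an RDF/XML parser on the full document)."""
    m = re.search(r"<em:%s>(.*?)</em:%s>" % (name, name), manifest, re.S)
    return m.group(1).strip() if m else None


def check_update(manifest, manifest_over_tls, payload):
    """Decide whether a downloaded payload may be installed.

    manifest_over_tls: True only if the manifest itself arrived over a
    verified TLS connection; the digest is only as trustworthy as that channel.
    Returns (ok, reason).
    """
    link = field(manifest, "updateLink")
    declared = field(manifest, "updateHash")
    if link is None:
        return False, "no updateLink"
    if not manifest_over_tls:
        return False, "manifest not authenticated"
    if declared is None:
        # Without a digest, integrity rests on the download channel alone.
        if link.lower().startswith("https://"):
            return True, "no hash, https download"
        return False, "http download without updateHash"
    algo, sep, hexdigest = declared.partition(":")
    algo = algo.lower()
    if not sep or algo not in ALLOWED_ALGOS:
        return False, "unsupported hash algorithm"
    actual = hashlib.new(algo, payload).hexdigest()
    # Constant-time comparison on bytes; the declared value is untrusted text.
    if not hmac.compare_digest(actual.encode(), hexdigest.strip().lower().encode()):
        return False, "hash mismatch"
    return True, "hash verified"
```
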
