>> I concluded that the addon process is insecure because the versioncheck
>> happens over HTTPS but the actual download of the new xpi file is over http.
>> This simple conclusion is wrong if one doesn't check the entire update
>> mechanism.
>> To download something over an insecure channel is fine as long as you
>> can check the file for modifications after the download.
>
> Authentication is done now.

Thanks for confirming this.

>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
>>
>> http://kb.mozillazine.org/Software_Update
>
> This is extremely interesting. Seems to indicate that to preserve the
> same level of update security that Mozilla provides,

yes, the certificate is hardcoded - I tried an addon update doing a MITM
with my own root CA (manually installed)
result: update refused (good!)

> we should be
> hardcoding certificates for both the HTTPS-Everywhere and torbutton
> update urls, as they do not go through versioncheck (anymore)..

hardcoding your *.tpo wildcard cert will also make other services safer
(check.tpo, www.tpo), but it will require new releases when the cert
expires.
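
Added example (not part of the original message, and not Mozilla's or the Tor Project's code): a sketch of the two checks discussed above, a hardcoded certificate pin on the channel that delivers the update manifest and a hash check on a package fetched over plain HTTP. The manifest field names, the allowed digest list and all sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_ALGS = {"sha256", "sha512"}  # assumption: weaker digests are refused

def pin_matches(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """True only if the presented certificate is the hardcoded one.
    Trust-store contents play no part, so a locally installed root CA
    cannot make a substitute certificate pass."""
    digest = hashlib.sha256(cert_der).hexdigest().encode()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower().encode())

def verify_update(manifest: dict, payload: bytes, manifest_authenticated: bool) -> bool:
    """Decide whether a downloaded package may be installed.
    manifest uses hypothetical keys: update_link, update_hash ("alg:hex")."""
    if not manifest_authenticated:
        return False  # a hash from an unauthenticated manifest proves nothing
    scheme = urlsplit(manifest["update_link"]).scheme
    declared = manifest.get("update_hash")
    if declared is None:
        # Without a hash, only an authenticated download channel is acceptable.
        return scheme == "https"
    alg, _, expected = declared.partition(":")
    if alg not in ALLOWED_ALGS or not expected:
        return False
    actual = hashlib.new(alg, payload).hexdigest().encode()
    return hmac.compare_digest(actual, expected.lower().encode())

# Constructed sample data (placeholders, not real certificates or packages).
PINNED_CERT = b"constructed-der-bytes-of-the-expected-certificate"
MITM_CERT = b"constructed-der-bytes-of-a-cert-from-another-ca"
PIN = hashlib.sha256(PINNED_CERT).hexdigest()
XPI = b"constructed add-on package bytes"
MANIFEST = {
    "update_link": "http://updates.example/addon.xpi",
    "update_hash": "sha256:" + hashlib.sha256(XPI).hexdigest(),
}

if __name__ == "__main__":
    for name, cert in (("expected cert", PINNED_CERT), ("MITM cert", MITM_CERT)):
        ok = pin_matches(cert, PIN)
        print(name, "-> manifest trusted:", ok,
              "| install:", verify_update(MANIFEST, XPI, ok))
    print("tampered xpi -> install:", verify_update(MANIFEST, XPI + b"!", True))
```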
