  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to rick752 Re: Addons SSL - Conspiracy Theory?
There is no conspiracy on my end.
Just getting into the spirit of the conspiracy that is not there.
I figure MoFo is loaded and can spend or waste their money as they see fit but I am curious as to why not secure everything while they're at it. -- "When the questions get tough the tough pull a MuMu". - unknown |
|
  rick752 Premium join:2006-01-27 New York
1 edit | reply to B I must admit, B ... this topic is a bit intriguing.
Causing Grail Knight (the DSLR "Mozilla Master") to do a "doubletake" on a topic is not easy to do. Therefore you have my interest as well with this one.  -- EasyList filter subscriptions for Adblock Plus |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31 | reply to B That old alphabet will get you every time. ha ha |
|
 B Premium,MVM join:2000-10-28 | reply to Grail Knight I just realized why I took your initial response so hard -- I thought "F." was an abbreviation for something else.
-- B -- In a realm outside causality and function |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to B There was no need to come around.
I was originally offering an answer that I give others based on the question.
I tell Mele20 all of the time to ask the developer the question if it is something only they can really answer.
No, I am not saying you are like MMC but the question was similar in structure.  -- "When the questions get tough the tough pull a MuMu". - unknown |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to mod_wastrel Yet by protecting the addons they are protecting the browser as well as the computer which is basically what I said.
quote: It's really an auto-check followed by a manual update--presuming you choose to go ahead and install the update.
True unless you use the Update Notifier extension which can and most likely is being used by some to install updates as they become available. Not manually but automatically.
It can be argued that this then is not really on MoFo's shoulders if something happens but as it pulls updates from Addons that is another reason to secure their connections. -- "When the questions get tough the tough pull a MuMu". - unknown |
|
  mod_wastrel
join:2008-03-28
·magicjack.com
| reply to B Auto-update is something of a misnomer. It's really an auto-check followed by a manual update--presuming you choose to go ahead and install the update. I've always turned off auto-updates, too--for everything I use (when possible). Fx3 and beyond will require a secure channel for add-ons (install.rdf: updateURL or -Key), which has only been a strong recommendation before now, so AMO is secured, and basic downloads are not. I figure it's simply a case of them not seeing any need to do so. Very few sites [I'm aware of] do it, either because it costs them more than they're willing to spend or just adds to the resource requirements. |
|
 B Premium,MVM join:2000-10-28
| reply to mod_wastrel I understand and appreciate the distinction you're making.
However, it is still an arguable waste of their CPU resources for mere web site visits and manually initiated downloads of XPIs to be SSL-encrypted by default.
I would think it would be trivial to distinguish between the two kinds of requests (web page visits and addon self-updates) even though both use http and/or https, possibly by user agent or command line argument in the addons.
Then again, I never let anything auto-update.
-- B -- In a realm outside causality and function |
|
  mod_wastrel
join:2008-03-28
·magicjack.com
| reply to Grail Knight It's not a matter of AMO protecting the add-ons; it's a matter of protecting your browser (and your PC) from potentially malicious activity with add-ons using the auto-update process (at least, that's the theory). Add-ons don't require a secure channel either if you're just doing a simple XPI file download instead of an auto-update. |
|
 B Premium,MVM join:2000-10-28
| reply to Grail Knight said by Grail Knight: Still if they are going to have addons protected the browser should also be a secure download like some of the better security products. Just my opinion. Boy have you come 'round.
-- B -- In a realm outside causality and function |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to mod_wastrel Still if they are going to have addons protected the browser should also be a secure download like some of the better security products. Just my opinion.
MoFo can certainly afford the very best. -- "When the questions get tough the tough pull a MuMu". - unknown |
|
  33591094
join:2002-11-19 Canada
| reply to B said by B :Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product. -- B Please let us know what you find out when you ask them.  |
|
  mod_wastrel
join:2008-03-28 | reply to B Add-ons are designed to be installed directly into your running browser. Downloading the latest version of the browser is just a "simple" http download like any other. It's that "install" part that makes them wary. |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
1 edit | reply to B That is something you would have to ask them. 
Using Fx v3 since it was a wee lad I have had secure addons check disabled so even if MoFo has the addons protected I disabled the feature but I do not recommend that for everyone of course.
Edit* Seriously though it is odd that they protect their addons but not the browser.
-- "When the questions get tough the tough pull a MuMu". - unknown |
|
 B Premium,MVM join:2000-10-28 | reply to Grail Knight Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product.
-- B -- In a realm outside causality and function |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to B I leave ranting to other folks like.....I can't say her name 
I figure if a company providing my free browser wants to set up the Addons Site (which I seldom use) a certain way have at it. -- "When the questions get tough the tough pull a MuMu". - unknown |
|
 B Premium,MVM join:2000-10-28
| reply to Grail Knight 
Come on, you call that ranting?

-- B -- In a realm outside causality and function |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to B It does not bother me at all.
You did say and I quote, quote: Alternate theories, comments, and ranting flames welcome.
-- "When the questions get tough the tough pull a MuMu". - unknown |
|
 B Premium,MVM join:2000-10-28
| reply to Exidor Thanks Exidor! Good find. Still doesn't explain why they wouldn't take the same precaution with their own stuff; I mean, they're hosting both. Downloading coolextension.xpi from addons.mozilla.org is the same as downloading firefox.exe from mozilla.com (and the latter is of course a considerably bigger target) insofar as SSL certs, DNS reliability, or lack thereof...
Grail Knight, if I had an easy and effective way of getting an answer directly from MoFoCo I might have tried that, but I don't, so I floated the question here. (I certainly did due googly diligence first.) Sorry if it bothers you. 
-- B -- In a realm outside causality and function |
|
  Exidor Premium join:2001-05-04 Brampton, ON
| reply to B Got me curious too..
»developer.mozilla.org/devnews/in···updates/
There are thousands of incredibly diverse add-ons for Firefox. This active participation by third party developers enhances browsing for many users. Add-ons are an important part of Firefox, so Mozilla is committed to helping developers create secure add-ons. This week there's been some concern about updates that are distributed over non-SSL channels. Connections using HTTP (instead of HTTPS) can be redirected by an attacker to a hostile server and potentially install malicious code.
Add-ons that are hosted on the Mozilla Add-ons site are served over HTTPS and validated with a hash. These add-ons are not vulnerable to this attack. We strongly recommend that add-on developers require SSL for updates to prevent the attack described above.
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons. If you would like to participate in this discussion please join us in the Firefox development discussion group at news://news.mozilla.org/mozilla.dev.apps.firefox
More information for developers is available here: »developer.mozilla.org/en/docs/In···pdateURL
This entry was posted by window on Wednesday, May 30th, 2007 at 1:50 pm and is filed under Security. |
|
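The rule discussed in the thread (Fx3 accepting an add-on's update channel only when install.rdf gives an https updateURL or an updateKey) can be checked on an unpacked XPI before it is installed. This is an added example, not code from the thread or from Mozilla; the sample manifest, the add-on id and the `em_prop` / `audit_manifest` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifest (not a real add-on): custom update URL over plain http.
SAMPLE_HTTP = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    <em:updateURL>http://example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""

def em_prop(desc, name):
    """Read an em: property given as an attribute or as a child element."""
    value = desc.get(f"{{{EM}}}{name}")
    if value is None:
        child = desc.find(f"{{{EM}}}{name}")
        value = child.text if child is not None else None
    return value.strip() if value and value.strip() else None

def audit_manifest(xml_text):
    """Classify the update channel: 'default', 'https', 'signed' or 'insecure'."""
    # Use a hardened parser (e.g. defusedxml) for manifests from untrusted XPIs.
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about") or desc.get("about")
        if about == "urn:mozilla:install-manifest":
            break
    else:
        raise ValueError("no install-manifest Description found")
    url = em_prop(desc, "updateURL")
    if url is None:
        return "default"    # no custom URL: the browser's own update service is used
    if urlparse(url).scheme.lower() == "https":
        return "https"      # update manifest fetched over SSL
    if em_prop(desc, "updateKey"):
        return "signed"     # plain http, but update manifest must verify against the key
    return "insecure"       # plain http and no key: the redirect risk quoted above

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_HTTP))
```
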