  Exidor Premium join:2001-05-04 Brampton, ON
| reply to B Re: Addons SSL - Conspiracy Theory?
Got me curious too..
»developer.mozilla.org/devnews/in···updates/
There are thousands of incredibly diverse add-ons for Firefox. This active participation by third party developers enhances browsing for many users. Add-ons are an important part of Firefox, so Mozilla is committed to helping developers create secure add-ons. This week there's been some concern about updates that are distributed over non-SSL channels. Connections using HTTP (instead of HTTPS) can be redirected by an attacker to a hostile server and potentially install malicious code.
Add-ons that are hosted on the Mozilla Add-ons site are served over HTTPS and validated with a hash. These add-ons are not vulnerable to this attack. We strongly recommend that add-on developers require SSL for updates to prevent the attack described above.
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons. If you would like to participate in this discussion please join us in the Firefox development discussion group at news://news.mozilla.org/mozilla.dev.apps.firefox
More information for developers is available here: »developer.mozilla.org/en/docs/In···pdateURL
This entry was posted by window on Wednesday, May 30th, 2007 at 1:50 pm and is filed under Security.
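The "HTTPS or a validated hash" rule from the Mozilla post quoted above, written out as an added example (not code from this thread or from Mozilla): it reads the update entries out of a constructed update.rdf, then accepts a downloaded package only if its link is HTTPS or its hash matches. The element names follow Firefox's update manifest (em:updateLink, em:updateHash); the manifest, the package bytes and the "algorithm:hexdigest" hash layout are constructed assumptions for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed stand-in for a downloaded .xpi (not a real add-on package).
XPI_BYTES = b"PK\x03\x04constructed-xpi-payload"
GOOD_HASH = "sha256:" + hashlib.sha256(XPI_BYTES).hexdigest()

# Constructed update.rdf: entry 1 is plain HTTP but carries a hash; entry 2 is plain HTTP with no hash.
UPDATE_RDF = f"""<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:extension:coolextension@example.invalid">
    <em:updates><RDF:Seq>
      <RDF:li><RDF:Description>
        <em:updateLink>http://updates.example.invalid/coolextension-1.1.xpi</em:updateLink>
        <em:updateHash>{GOOD_HASH}</em:updateHash>
      </RDF:Description></RDF:li>
      <RDF:li><RDF:Description>
        <em:updateLink>http://updates.example.invalid/coolextension-1.2.xpi</em:updateLink>
      </RDF:Description></RDF:li>
    </RDF:Seq></em:updates>
  </RDF:Description>
</RDF:RDF>"""

def find_updates(rdf_text):
    """Return [(updateLink, updateHash or None)] for every update entry in the manifest."""
    root = ET.fromstring(rdf_text)
    return [(d.findtext(EM + "updateLink"), d.findtext(EM + "updateHash"))
            for d in root.iter(RDF + "Description") if d.find(EM + "updateLink") is not None]

def check_update(link, hash_spec, xpi_bytes):
    """Accept the package only if it came over HTTPS or its hash matches the manifest.
    hash_spec is assumed to look like 'algorithm:hexdigest'. Returns (ok, reason)."""
    if hash_spec is None:
        if link.lower().startswith("https://"):
            return True, "https link, no hash needed"
        return False, "plain-HTTP link without updateHash: redirectable to a hostile server"
    algo, _, expected = hash_spec.lower().partition(":")
    if algo not in ("sha1", "sha256", "sha512"):
        return False, f"unsupported hash algorithm {algo!r}"
    actual = hashlib.new(algo, xpi_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "updateHash mismatch: package altered in transit or on the server"
    return True, f"{algo} hash verified"
```

The second manifest entry is exactly the case the post warns about: a plain-HTTP link with nothing to check the download against, so the client has no way to tell a redirected download from the real one.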
 B Premium,MVM join:2000-10-28
| Thanks Exidor! Good find. Still doesn't explain why they wouldn't take the same precaution with their own stuff; I mean, they're hosting both. Downloading coolextension.xpi from addons.mozilla.org is the same as downloading firefox.exe from mozilla.com (and the latter is of course a considerably bigger target) insofar as SSL certs, DNS reliability, or lack thereof...
Grail Knight, if I had an easy and effective way of getting an answer directly from MoFoCo I might have tried that, but I don't, so I floated the question here. (I certainly did due googly diligence first.) Sorry if it bothers you. 
-- B -- In a realm outside causality and function
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| It does not bother me at all.
You did say, and I quote: Alternate theories, comments, and ranting flames welcome.
-- "When the questions get tough the tough pull a MuMu". - unknown
 B Premium,MVM join:2000-10-28
| Come on, you call that ranting?
-- B -- In a realm outside causality and function
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| I leave ranting to other folks like... I can't say her name.
I figure if a company providing my free browser wants to set up the Addons Site (which I seldom use) a certain way, have at it.
-- "When the questions get tough the tough pull a MuMu". - unknown
 B Premium,MVM join:2000-10-28
| Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product.
-- B -- In a realm outside causality and function
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| That is something you would have to ask them.
Using Fx v3 since it was a wee lad, I have had the secure add-ons check disabled, so even if MoFo has the add-ons protected I disabled the feature, but I do not recommend that for everyone, of course.
Edit: Seriously though, it is odd that they protect their add-ons but not the browser.
-- "When the questions get tough the tough pull a MuMu". - unknown
  33591094 join:2002-11-19 Canada
| reply to B
said by B: Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product. -- B
Please let us know what you find out when you ask them.