Alexander Konovalenko wrote, On 2009-01-04 14:18:
> I noticed that some addons.mozilla.org extensions were updated over
> plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of
> the NoScript extension and fetched it from some https:// URI on
> addons.mozilla.org. But that URI redirected to another, unencrypted
> http:// URI from where the .xpi file was actually downloaded.
> 
> Is this known behavior? 

Yes.

> Is it considered a security issue that should be fixed?

No.  The scheme for authenticating updates for addons has several means,
each of which works.  One is to use SSL.  Another is to use signed updates.
Signed updates may be downloaded over an unencrypted channel.  Their
authenticity is verified using the digital signature, before they are
applied.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
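
The verify-before-apply flow described in the reply, as an added example that is not part of the original thread and is not Mozilla's code. It assumes Ed25519 via Node's built-in `crypto` module; the key pair, package bytes and function names are constructed for illustration.

```javascript
// Added illustration: an update fetched over an unauthenticated channel is
// applied only if its signature verifies under a key the client already trusts.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed publisher key pair. The client is assumed to have obtained
// publicKey earlier over a trusted path (for example, with the original install).
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

// Publisher side (hypothetical helper): sign the exact bytes that will be served.
function publishUpdate(packageBytes) {
  return { packageBytes, signature: sign(null, packageBytes, privateKey) };
}

// Stand-in for a plain-HTTP hop: anyone on the path can rewrite the bytes.
function tamperInTransit(update) {
  const bytes = Buffer.from(update.packageBytes); // copy, then flip one byte
  bytes[0] ^= 0xff;
  return { packageBytes: bytes, signature: update.signature };
}

// Client side (hypothetical helper): verify first, apply second.
// On any failure the currently installed version is left untouched.
function applyIfAuthentic(update, pinnedKey, installed) {
  let ok = false;
  try {
    ok = verify(null, update.packageBytes, pinnedKey, update.signature);
  } catch (err) {
    ok = false; // malformed signature or key: treat as unauthenticated
  }
  return ok
    ? { applied: true, installed: update.packageBytes }
    : { applied: false, installed };
}

// Demo with constructed data.
const installedV1 = Buffer.from('constructed extension package v1');
const updateV2 = publishUpdate(Buffer.from('constructed extension package v2'));

const clean = applyIfAuthentic(updateV2, publicKey, installedV1);
const tampered = applyIfAuthentic(tamperInTransit(updateV2), publicKey, installedV1);

console.log('clean download applied:   ', clean.applied);
console.log('tampered download applied:', tampered.applied);
```

The signature covers authenticity and integrity only; the transfer itself remains visible to anyone on the network path.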