On 1/4/09 2:18 PM, Alexander Konovalenko wrote:
> I noticed that some addons.mozilla.org extensions were updated over
> plain HTTP, not over HTTPS.

The update check, which happens over SSL, includes a hash in the reply. When the update is then downloaded (without SSL), the data is checked against the hash from the update check. If the data was tampered with, the hash won't match and the bad update won't be applied.

This allows update bandwidth to be pushed to mirrors, without requiring them to support SSL.

Justin
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
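
The check described in the reply above, sketched as an added example that is not part of the original message and not Mozilla's code. It assumes the update check delivers the hash as an `algorithm:hexdigest` string; the function names, the allowed-algorithm list and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

# Assumption: only collision-resistant digests are accepted from the update check.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


class UpdateRejected(Exception):
    """Raised when the hash from the update check cannot be trusted or parsed."""


def parse_expected_hash(field):
    """Split the 'algorithm:hexdigest' string that arrived over the SSL update check."""
    algorithm, sep, hexdigest = field.strip().partition(":")
    algorithm = algorithm.lower()
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        raise UpdateRejected("missing or disallowed hash algorithm: %r" % algorithm)
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError:
        raise UpdateRejected("hash is not valid hex")
    # A truncated digest would weaken the check, so require the full length.
    if len(digest) != hashlib.new(algorithm).digest_size:
        raise UpdateRejected("hash length does not match " + algorithm)
    return algorithm, digest


def verify_download(stream, expected_field, chunk_size=65536):
    """Hash the package fetched over plain HTTP; return True only on a match."""
    algorithm, expected = parse_expected_hash(expected_field)
    hasher = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return hmac.compare_digest(hasher.digest(), expected)


# Constructed sample data: a stand-in package and the hash the update check would carry.
PACKAGE = b"constructed extension package bytes"
MANIFEST_HASH = "sha256:" + hashlib.sha256(PACKAGE).hexdigest()
TAMPERED = PACKAGE + b" plus bytes changed in transit"

if __name__ == "__main__":
    print("intact mirror copy accepted:", verify_download(io.BytesIO(PACKAGE), MANIFEST_HASH))
    print("tampered copy accepted:", verify_download(io.BytesIO(TAMPERED), MANIFEST_HASH))
```

The protection holds only if the hash itself arrives over the authenticated channel and the client refuses to install when the field is absent, malformed, or names a weak algorithm.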