On Sun, 04 Jan 2009 23:10:52 -0600
Bil Corry <[email protected]> wrote:

> Justin Dolske wrote on 1/4/2009 9:48 PM: 
> > The update check, which happens over SSL, includes a hash in the
> > reply. When the update is then downloaded (without SSL), the data
> > is checked against the hash from the update check. If the data was
> > tampered with, the hash won't match and the bad update won't be
> > applied.
> 
> Which hash algorithm is used?

SHA-1, though I have a patch submitted (bug 419906) to change it to use
SHA-256 instead, but I need to rework my patch to address some
pre-review comments.

~reed

-- 
Reed Loden <[email protected]>
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
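
The check described in this thread, as an added example that is not part of the original messages or of Mozilla's updater code: the hash arrives in a manifest fetched over the trusted channel, and the bytes downloaded over the untrusted channel are hashed and compared before anything is applied. The manifest field names (`hashFunction`, `hashValue`, `size`), the size check and the sample payload are assumptions made for this example.

```python
import hashlib
import hmac
import io

# Digests this client accepts; an unknown name in the manifest is rejected outright.
ALLOWED = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

class UpdateRejected(Exception):
    pass

def verify_update(stream, manifest, chunk_size=64 * 1024):
    """Check a downloaded update against a manifest fetched over the trusted channel."""
    name = manifest["hashFunction"].upper().replace("-", "")
    if name not in ALLOWED:
        raise UpdateRejected("unsupported hash function: " + name)
    digest = ALLOWED[name]()
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        if total > manifest["size"]:  # stop hashing an oversized download early
            raise UpdateRejected("download larger than advertised size")
        digest.update(chunk)
    if total != manifest["size"]:
        raise UpdateRejected("download shorter than advertised size")
    if not hmac.compare_digest(digest.hexdigest(), manifest["hashValue"].lower()):
        raise UpdateRejected("hash mismatch")
    return True

def outcome(data, manifest):
    """Return 'applied' or the rejection reason for one downloaded byte string."""
    try:
        verify_update(io.BytesIO(data), manifest)
        return "applied"
    except UpdateRejected as exc:
        return str(exc)

# Constructed sample data: a stand-in update payload and the manifest describing it.
# The field names hashFunction, hashValue and size are assumptions for this example.
PAYLOAD = b"constructed update payload " * 4096
MANIFEST = {"hashFunction": "SHA256", "size": len(PAYLOAD),
            "hashValue": hashlib.sha256(PAYLOAD).hexdigest()}
TAMPERED = PAYLOAD[:100] + b"X" + PAYLOAD[101:]  # same length, one byte changed

if __name__ == "__main__":
    print(outcome(PAYLOAD, MANIFEST))
    print(outcome(TAMPERED, MANIFEST))
```

The comparison only protects the download if the manifest itself cannot be altered in transit, which is why the update check in the thread runs over SSL.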
