Ian Grigg wrote:
Jean-Marc Desperrier wrote:
He does not compute the SHA1/MD5, he returns the cert.sha1Fingerprint, cert.md5Fingerprint values from an nsIX509Cert object he gets back from nsISSLStatus status.

Darn. One supposes that this is authoritative, in that NSS will also

If you don't trust NSS to be able to compute a SHA1 correctly, you shouldn't use it to do SSL ... Mostly the point is that low-level crypto is not available to JS (most of the components involved are not scriptable), except through the installation of a specific extension (like Secclab, which I believe is not compatible with recent Mozilla).


[...] the next wave of browser
malware may be in Firefox extensions that act
in ways nefarious and evil.
Hence, I pondered, the interest in code signing
as an application for the PKI (in addition to
email and browsing).  [...].

There is a closed-as-rejected bug about requiring XPI to be signed in the browser.
https://bugzilla.mozilla.org/show_bug.cgi?id=238960
(of course, Mozilla bugs are not the right place to advocate for another decision)


Or, (still musing here) if the Mozilla Foundation
were to be the root signer.  Or something similar
like the FSF.

That's what I defended in the last comment of that bug.

The rationale for rejecting the bug was that if signed ActiveX failed for IE, signed XPI would fail for Firefox/Mozilla.

I tried to describe a list of measures to take to avoid that, mostly both having only one trusted signer and requiring the presence of an up-to-date CRL to allow extensions to install.

I'm convinced this would work better than the current site white list mechanism.
My opinion is that the white list forces a bad compromise between:
- allowing a small number of list, which will result in major bandwidth problems for those sites, and difficulties if the number of extension creators gets large to make their extension available from those few sites.
- augmenting the number of sites, and taking a large risk that one of them gets somehow subverted to download a bad extension.


I even think there's an intermediate threshold where you get hit by the inconveniences of both sides at the same time.

I xpost this message to netscape.public.mozilla.security.
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security