Scott Grayban wrote:
> On 18/07/07, Michael Vincent van Rantwijk, MultiZilla
> <[EMAIL PROTECTED]> wrote:
>> XPI installations initiated from mozdev.org will still be vulnerable to
>> MITM attacks... when the XPI isn't *installed* originally from an SSL
>> protected server!
>>
>> a.m.o is secure, so in that case you can get away with simply signing
>> your updates, but each new installation will still be vulnerable to MITM
>> attacks, and this will be the next step in this process... to prevent
>> you from installing XPIs from insecure http: connections.
>>
>> Why is this so hard to understand?
>>
>> --
>> Michael Vincent van Rantwijk
>
> The repercussion of using JavaScript to update the addons.
>
> Firefox has been well known to be the most secure web browser out there,
> but this flaw takes FF right back to the IE stone age.
>
> I am just curious why Firefox would use a vulnerable procedure to
> update any addon in the first place?
Again, this is only true for mozdev.org, which has no SSL to secure the initial installation, but a.m.o does... and as such was only vulnerable to MITM attacks during the update checks!

--
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer

_______________________________________________
Project_owners mailing list
Project_owners@mozdev.org
http://mozdev.org/mailman/listinfo/project_owners
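The distinction the thread draws (an update channel can be protected by SSL on the update server or by signing the update manifest, while a first install fetched over plain http: is protected by neither) can be checked mechanically from an extension's install.rdf. The following is an added example, not code from the mozdev thread or from any project mentioned in it. It assumes the real em-rdf namespace used by install.rdf, models "signing your updates" as the em:updateKey field (the signed update manifest mechanism Firefox 3 added), and treats an absent em:updateURL as use of the built-in a.m.o update service, which the thread describes as SSL-protected. The manifests, extension ID and URLs below are constructed for the example.

```python
"""Audit an extension's install.rdf for an update channel that an
on-path attacker could tamper with.

Added example, not the mozdev list's or any project's own code.
Assumptions: em:updateKey stands in for "signing your updates"; no
em:updateURL means the built-in (SSL) a.m.o update service is used.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _em_field(desc, name):
    """Return em:<name> whether written as a child element or an attribute."""
    child = desc.find(f"{{{EM_NS}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    attr = desc.get(f"{{{EM_NS}}}{name}")
    return attr.strip() if attr else None


def audit_install_rdf(rdf_text):
    """Classify the update channel declared in install.rdf.

    Risk labels (names chosen for this example):
      default-service  no em:updateURL: built-in update service over SSL
      transport-tls    https:// updateURL: manifest fetched over TLS
      signed-manifest  http:// updateURL but em:updateKey present, so the
                       manifest must carry a valid signature
      mitm-exposed     http:// updateURL and nothing else: an on-path
                       attacker can swap both the manifest and the XPI
    """
    root = ET.fromstring(rdf_text)
    desc = root.find(f"{{{RDF_NS}}}Description")
    if desc is None:
        raise ValueError("install.rdf has no rdf:Description")

    update_url = _em_field(desc, "updateURL")
    update_key = _em_field(desc, "updateKey")

    if update_url is None:
        risk = "default-service"
    else:
        scheme = urlparse(update_url).scheme.lower()
        if scheme == "https":
            risk = "transport-tls"
        elif update_key:
            risk = "signed-manifest"
        else:
            risk = "mitm-exposed"

    return {"id": _em_field(desc, "id"), "updateURL": update_url,
            "has_updateKey": bool(update_key), "risk": risk}


def _manifest(*fields):
    """Build a constructed install.rdf with the given extra em: fields."""
    body = "\n".join(f"    {f}" for f in fields)
    return f"""<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="{RDF_NS}" xmlns:em="{EM_NS}">
  <RDF:Description about="urn:mozilla:install-manifest">
    <em:id>example-addon@example.invalid</em:id>
{body}
  </RDF:Description>
</RDF:RDF>"""


# Constructed sample manifests (hypothetical IDs, URLs and key material).
HTTP_NO_KEY = _manifest("<em:updateURL>http://example.invalid/update.rdf</em:updateURL>")
HTTP_WITH_KEY = _manifest("<em:updateURL>http://example.invalid/update.rdf</em:updateURL>",
                          "<em:updateKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB</em:updateKey>")
HTTPS_URL = _manifest("<em:updateURL>https://example.invalid/update.rdf</em:updateURL>")
NO_UPDATE_URL = _manifest()

if __name__ == "__main__":
    for name, text in [("http, no key", HTTP_NO_KEY), ("http + key", HTTP_WITH_KEY),
                       ("https", HTTPS_URL), ("no updateURL", NO_UPDATE_URL)]:
        print(f"{name:14s} -> {audit_install_rdf(text)['risk']}")
```

Note that this only audits the update path. It says nothing about the first install: an XPI downloaded from a plain http: site can be replaced in transit regardless of what its install.rdf declares, which is exactly the gap the thread points out for mozdev.org-hosted extensions.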