Douglas E. Warner wrote: > On Wednesday 18 July 2007, Michael Vincent van Rantwijk, MultiZilla wrote: >> 1) start Mozilla Firefox >> 2) visit http://www.mozilla.com/ >> 3) click on the link: "New! Firefox Add-ons" (SSL) >> 4) click on the green button with the text: "Install Now" (SSL) >> 5) I am on https://addons.mozilla.org/en-US/firefox/ (SSL) >> >> So, the *initial* installation from amo *is* SSL protected, like this >> https://addons.mozilla.org/en-US/firefox/addon/nnnn >> Note: nnnn is the add-on number you which to install. >> >> p.s. see attached screen shot of software dialog clearly showing https:// > > Unfortunately, this is totally deceptive on their part. The download *starts > out* as an SSL connection, then gets redirected to a non-secure; the > connection goes from: > > https://addons.mozilla.org/en-US/firefox/downloads/file/16795/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi > > and gets redirected to: > > http://releases.mozilla.org/pub/mozilla.org/addons/219/foxytunes-2.9.2-fx+mz+tb+sm+fl.xpi > > See the attached download log. > > -Doug
But talk is that MoCo wants SSL protected downloads in the (near) future, but couldn't get it going for MF3 because of various reasons, and the same reason why this add-on signing of extensions was taken into account. Myk said to have troubles when people start using the mozdev.org certificate for other thingsIs this "no go" just a technical, or a political decision of mozdev.org? , like updates.rdf for examples, is this perhaps the reason, or what else is it that you guys are so reluctant to implement this? "If you are serious about security and your extension/add-on, then you would get a code signing cert. The best protection we have right now for extension security is to sign them. " ...and a host that supports SSL, or be prepared to get bitten one day soon ;) -- Michael Vincent van Rantwijk - MultiZilla Project Team Lead - XUL Boot Camp Staff member - iPhone Application Developer _______________________________________________ Project_owners mailing list Project_owners@mozdev.org http://mozdev.org/mailman/listinfo/project_owners
