On 1/4/09 9:10 PM, Bil Corry wrote:
If the data was tampered with,
the hash won't match and the bad update won't be applied.
Which hash algorithm is used?
SHA-1.
Example link:
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=2&id=inspec...@mozilla.org&version=2.0.
On Sun, 04 Jan 2009 23:10:52 -0600
Bil Corry wrote:
> Justin Dolske wrote on 1/4/2009 9:48 PM:
> > The update check, which happens over SSL, includes a hash in the
> > reply. When the update is then downloaded (without SSL), the data
> > is checked against the hash from the update check. If the
Justin Dolske wrote on 1/4/2009 9:48 PM:
> The update check, which happens over SSL, includes a hash in the reply.
> When the update is then downloaded (without SSL), the data is checked
> against the hash from the update check. If the data was tampered with,
> the hash won't match and the bad upd
On 1/4/09 2:18 PM, Alexander Konovalenko wrote:
I noticed that some addons.mozilla.org extensions were updated over
plain HTTP, not over HTTPS.
The update check, which happens over SSL, includes a hash in the reply.
When the update is then downloaded (without SSL), the data is checked
against
Alexander Konovalenko wrote, On 2009-01-04 14:18:
> I noticed that some addons.mozilla.org extensions were updated over
> plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of
> the NoScript extension and fetched it from some https:// URI on
> addons.mozilla.org. But that URI redire
I noticed that some addons.mozilla.org extensions were updated over
plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of
the NoScript extension and fetched it from some https:// URI on
addons.mozilla.org. But that URI redirected to another, unencrypted
http:// URI from where the .x