On Tue, 2014-03-04 at 22:39 -0800, Yan Zhu wrote:
> We've gotten this suggestion a couple times before. Seth Schoen tells me
> that the HTTPS Finder rules are often buggy or incomplete, so it's
> better if humans look at them first and submit them to us (rather than
> have HTTPS Finder automatical
On 2014-03-04 22:39, Yan Zhu wrote:
(There's a good argument that ruleset security should be equivalent to
extension security, since an attacker can submit a ruleset update that
rewrites the extension update URL to a malicious one!)
Perhaps it would be wise to have the extension refuse to re-wr
On 03/05/2014 01:13 AM, Dave Warren wrote:
> Perhaps it would be wise to have the extension refuse to re-write any
> URL involved with the update mechanism (or at least require any rule
> that does to be signed using the offline key), along with the use of
> certificate pinning to validate the SS
