Extension Manager:Addon Update Security: Difference between revisions

Jump to navigation Jump to search

Extension Manager:Addon Update Security (view source)

Revision as of 17:51, 29 June 2007

76 bytes added ,  29 June 2007
m
Added words to make it clearer what the problem is
m (Rephrasing to make it clearer (to me :) that this will still touch install experience.)
m (Added words to make it clearer what the problem is)
Line 21: Line 21:
Firefox currently automatically checks for updates to add-ons using a url specified in the add-on's install manifest. The file retrieved from this url must be an update manifest. This in turn contains urls for update packages for the add-on.
Firefox currently automatically checks for updates to add-ons using a url specified in the add-on's install manifest. The file retrieved from this url must be an update manifest. This in turn contains urls for update packages for the add-on.


Currently there are no requirements placed on these urls. They can both be insecure http which allows methods of compromising either the update manifest or the update package. A demonstration of one form of compromise is [http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html already public].
Currently there are no requirements placed on these urls. In particular, neither url is required to be https.  This allows either the update manifest or the update package to be compromised, potentially resulting in the injection of malicious updates. A demonstration of one form of compromise is [http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html already public].


== Proposed Implementation ==
== Proposed Implementation ==
Johnath
Confirmed users
1,349

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/60927"

Navigation menu