[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9769 [EFF-HTTPS Everywhere]: Move HTTPS Everywhere back to addons.mozilla.org



#9769: Move HTTPS Everywhere back to addons.mozilla.org
--------------------------------------+----------------------
     Reporter:  micahlee              |      Owner:  micahlee
         Type:  project               |     Status:  new
     Priority:  normal                |  Milestone:
    Component:  EFF-HTTPS Everywhere  |    Version:
   Resolution:                        |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+----------------------

Comment (by mikeperry):

 With respect to the third point from the description: Mozilla does not
 sign updates. It also turns out that cert pinning is still not implemented
 for addons.mozilla.org, so anyone with any compromised CA cert will be
 able to feed addon updates that trojan/subvert/replace HTTPS-Everywhere.
 According to Camilo, A.M.O. pinning won't land until at least Q1 2014.

 I am not sure if it is possible to use a custom addon update key with
 A.M.O. Probably not by default, since it would require that your addon
 have its own update.rdf URL still on EFF's servers (and signed with your
 key). This is forbidden by the A.M.O. upload process, but maybe you can
 get them to craft an exemption for you.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9769#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs