coderman @ 2007/06/21 11:33:

> On 6/21/07, scar <scar@xxxxxxxxxx> wrote:
>> ...
>> it seems to me that many addons which are downloaded
>> from https://addons.mozilla.org/ use different, non-https,
>> addresses to check for and download updates.
>
> the problem exists when non-https is used for updates. any plugins
> getting updates via http port 80 would be vulnerable.
>
>> would this vulnerability exist with all of those addons as
>> well? how to find out what address each addon uses to
>> download updates?
>
> i haven't tested the various plugins myself. a sniffer should tell
> you quickly if updates are performed insecurely, though you may need
> trial and error to determine which one is making the requests if it
> isn't obvious in the data.
>
> this would be a good subject to document on the wiki if you pursue it :)
>
> best regards,

well, it's clear that noscript uses nonsecure http to download its update. i think many of us use that add-on. so, how can we safely receive noscript and other add-ons that use nonsecure http updates? do we need to tell firefox to not download the updates, and just notify us? then, we go to https://addons.mozilla.org and manually install the update? or, is there an easier way?
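The question above ("how to find out what address each addon uses to download updates?") can be answered from the add-on manifests before any traffic is sniffed: a classic Firefox add-on declares its own update endpoint in install.rdf as the em:updateURL property, and an add-on without one falls back to the browser's extensions.update.url preference (the addons.mozilla.org version check). The script below is an added example for this thread, not code from the thread or from Mozilla. It reads install.rdf from packed .xpi files or from the unpacked <id>/install.rdf entries in a profile's extensions directory and flags any updateURL that is not https. The three sample manifests and their names (`Plaintext Updater`, `example.invalid` hosts, and so on) are constructed for the example and are not real add-ons.

```python
"""Audit which update endpoint each Firefox add-on declares.

Added example for this thread, not code from the thread or from Mozilla.
Assumes the classic install.rdf manifest, where an add-on's own update
endpoint is the em:updateURL property (element or attribute form).
"""
import glob
import io
import os
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def install_rdf_update_url(install_rdf: bytes):
    """Return (name, updateURL) from an install.rdf; either may be None."""
    root = ET.fromstring(install_rdf)
    name = url = None
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        # Attribute form: <Description em:updateURL="...">
        name = name or desc.get(f"{{{EM_NS}}}name")
        url = url or desc.get(f"{{{EM_NS}}}updateURL")
        # Element form: <em:updateURL>...</em:updateURL>
        n = desc.find(f"{{{EM_NS}}}name")
        u = desc.find(f"{{{EM_NS}}}updateURL")
        if name is None and n is not None:
            name = (n.text or "").strip()
        if url is None and u is not None:
            url = (u.text or "").strip()
    return name, url


def classify(install_rdf: bytes) -> dict:
    """Classify one manifest: PLAINTEXT (http or any non-TLS scheme), https,
    or default (no updateURL: Firefox uses the extensions.update.url
    preference, the addons.mozilla.org version check; confirm that
    preference's scheme in about:config, this script does not read it)."""
    name, url = install_rdf_update_url(install_rdf)
    if url is None:
        verdict = "default"
    elif urlsplit(url).scheme.lower() == "https":
        verdict = "https"
    else:
        verdict = "PLAINTEXT"
    return {"name": name, "updateURL": url, "verdict": verdict}


def audit_xpi(xpi_bytes: bytes) -> dict:
    """Classify a packed .xpi (a zip archive containing install.rdf)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return classify(z.read("install.rdf"))


def audit_extensions_dir(extensions_dir: str) -> list:
    """Walk a profile's extensions/ directory: unpacked <id>/install.rdf
    entries as well as packed *.xpi files."""
    results = []
    for p in sorted(glob.glob(os.path.join(extensions_dir, "*"))):
        manifest = os.path.join(p, "install.rdf")
        if os.path.isfile(manifest):
            with open(manifest, "rb") as fh:
                results.append(classify(fh.read()))
        elif p.lower().endswith(".xpi"):
            with open(p, "rb") as fh:
                results.append(audit_xpi(fh.read()))
    return results


def make_xpi(install_rdf_xml: str) -> bytes:
    """Build a minimal .xpi in memory (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", install_rdf_xml.encode("utf-8"))
    return buf.getvalue()


# Constructed sample manifests (not real add-ons).
_HEAD = '<?xml version="1.0"?>\n<RDF xmlns="%s" xmlns:em="%s">\n' % (RDF_NS, EM_NS)
SAMPLES = {
    "element-http": make_xpi(_HEAD + """
  <Description about="urn:mozilla:install-manifest">
    <em:id>plaintext-updater@example.invalid</em:id>
    <em:name>Plaintext Updater</em:name>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""),
    "attribute-https": make_xpi(_HEAD + """
  <Description about="urn:mozilla:install-manifest"
               em:id="tls-updater@example.invalid"
               em:name="TLS Updater"
               em:updateURL="https://updates.example.invalid/update.rdf"/>
</RDF>"""),
    "no-updateurl": make_xpi(_HEAD + """
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-hosted@example.invalid</em:id>
    <em:name>AMO Hosted</em:name>
  </Description>
</RDF>"""),
}

if __name__ == "__main__":
    rows = [audit_xpi(x) for x in SAMPLES.values()]
    if len(sys.argv) > 1:  # e.g. ~/.mozilla/firefox/<profile>/extensions
        rows += audit_extensions_dir(sys.argv[1])
    for r in rows:
        print(f"{r['verdict']:9} {r['name']!s:20} {r['updateURL']}")
```

Run it with the path to a profile's extensions directory to list every installed add-on's verdict. Two caveats: the script only checks the pointer in the manifest, not the em:updateLink inside the update.rdf the browser fetches from it, so an https updateURL can still hand back a plaintext download link; and the fallback "default" case depends on the scheme of extensions.update.url in that profile. The wire-side check coderman describes covers both gaps: capture port 80 while forcing an update check (for example `tcpdump -A 'tcp port 80'`) and match the Host: headers against the URLs this script prints.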