I concluded that the addon process is insecure because the version check happens over HTTPS but the actual download of the new xpi file is over HTTP. This simple conclusion is wrong if one doesn't check the entire update mechanism. To download something over an insecure channel is fine as long as you can check the file for modifications after the download. Authentication is done now. Thanks for confirming this.
Is this something new to Firefox 4.0? Is the authentication also done in Firefox 3.6? Thanks...