
Re: Remote Vulnerability in Firefox Extensions



coderman @ 2007/06/21 11:33:
> On 6/21/07, scar <scar@xxxxxxxxxx> wrote:
>> ...
>> it seems to me that many addons which are downloaded
>> from https://addons.mozilla.org/ use different, non-https,
>> addresses to check for and download updates.
> 
> the problem exists when non https is used for updates. any plugins
> getting updates via http port 80 would be vulnerable.
> 
> 
>> would this vulnerability exist with all of those addons as
>> well?  how to find out what address each addon uses to
>> download updates?
> 
> i haven't tested the various plugins myself.  a sniffer should tell
> you quickly if updates are performed insecurely, though you may need
> trial and error to determine which one is making the requests if it
> isn't obvious in the data.
> 
> this would be a good subject to document on the wiki if you pursue it :)
> 
> best regards,
> 

well, it's clear that noscript uses nonsecure http to download its update.  i think many of us use that add-on.  so, how can we safely receive noscript and other add-ons that use nonsecure http updates?  do we need to tell firefox to not download the updates, and just notify us?  then, we go to https://addons.mozilla.org and manually install the update?  or, is there an easier way?

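The thread asks how to find out which address each add-on uses for its update check without sniffing traffic. The script below is an added example (not code from the thread or from any add-on) that answers that question offline: it reads each extension's install.rdf manifest, pulls out the em:updateURL it declares, and flags any that use plain http. It assumes the unpacked profile layout extensions/<id>/install.rdf; the three embedded manifests are constructed samples with invented ids and hosts, included so the script runs without a real profile.

```python
"""Audit Firefox extension manifests (install.rdf) for non-HTTPS update checks.

An extension's install.rdf may declare an em:updateURL, either as a child
element or as an attribute of the install-manifest Description.  When that
URL is plain http, the update check and the update it fetches travel
unauthenticated.  Added example, not taken from the original thread.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST_ABOUT = "urn:mozilla:install-manifest"

# Constructed sample manifests: the ids and hosts are invented, not real add-ons.
SAMPLE_MANIFESTS = {
    "insecure-ext@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>insecure-ext@example.invalid</em:id>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>""",
    "secure-ext@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="secure-ext@example.invalid"
               em:updateURL="https://updates.example.invalid/update.rdf"/>
</RDF>""",
    "amo-ext@example.invalid": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>amo-ext@example.invalid</em:id>
  </Description>
</RDF>""",
}


def find_update_url(manifest_xml):
    """Return the em:updateURL declared in an install.rdf, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF_NS}}}about")
        if about != MANIFEST_ABOUT:
            continue
        url = desc.get(f"{{{EM_NS}}}updateURL")  # attribute form
        if not url:
            child = desc.find(f"{{{EM_NS}}}updateURL")  # element form
            url = child.text if child is not None else None
        return url.strip() if url else None
    return None


def classify(update_url):
    """Map an update URL to a bucket: http, https, default, or other."""
    if update_url is None:
        return "default"  # no updateURL: the browser's built-in update service is used
    scheme = urlsplit(update_url).scheme.lower()
    if scheme in ("http", "https"):
        return scheme
    return "other"


def audit_manifests(manifests):
    """Return {extension_id: (update_url, bucket)} for an id -> install.rdf text mapping."""
    report = {}
    for ext_id, xml_text in manifests.items():
        try:
            url = find_update_url(xml_text)
        except ET.ParseError:
            report[ext_id] = (None, "unparseable")
            continue
        report[ext_id] = (url, classify(url))
    return report


def load_profile_manifests(extensions_dir):
    """Read <profile>/extensions/<id>/install.rdf files into an id -> text mapping.

    Assumed layout: one unpacked directory per extension.  Packed .xpi files
    are zip archives and would need to be unpacked first.
    """
    manifests = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        path = os.path.join(extensions_dir, ext_id, "install.rdf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                manifests[ext_id] = fh.read()
    return manifests


if __name__ == "__main__":
    import sys
    manifests = (load_profile_manifests(sys.argv[1]) if len(sys.argv) > 1
                 else SAMPLE_MANIFESTS)
    for ext_id, (url, bucket) in audit_manifests(manifests).items():
        flag = "INSECURE" if bucket == "http" else "ok"
        print(f"{flag:9} {ext_id:32} {bucket:12} {url or '-'}")
```

Run it with no arguments to see the three samples classified, or pass the path of a profile's extensions directory to audit a real install. An extension with no em:updateURL falls back to the browser's own update service, so the interesting rows are those in the http bucket: those are the ones where the practical mitigation discussed above (disable automatic updates and install new versions by hand from https://addons.mozilla.org) applies.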