[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Torbutton 1.1.14-alpha released

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Torbutton 1.1.14-alpha released
From: Mike Perry <mikeperry@xxxxxxxxxx>
Date: Tue, 26 Feb 2008 01:12:11 -0800
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 26 Feb 2008 04:12:17 -0500
In-reply-to: <47C28432.2060705@xxxxxxxxx>
References: <20080225033337.GA25968@xxxxxxxxxx> <47C28432.2060705@xxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.2.2i

Thus spake Vlad SATtva Miller (sattva@xxxxxxxxx):

> Mike Perry wrote on 25.02.2008 09:33:
> > Torbutton 1.1.14-alpha has been released at
> > https://torbutton.torproject.org/dev/. 
> 
> Hello Mike,
> 
> Installation link at https://torbutton.torproject.org/dev/, namely
> http://torbutton.torproject.org/dev/torbutton-current-alpha.xpi has HTTP
> access schema even when opening https://torbutton.torproject.org/dev/
> with HTTPS. Not a good thing, I suppose.

This is actually how Firefox extensions operate. There is NO support
for actually installing an extension over https (at least under
Firefox 2). The best you can do is retreive the SHA1 sum via
javascript over https, and then download the extension over http and
check the sha1 afterwords. Of course, if you disable javascript, you
made your extension install+update process insecure. Funny how that
all works out, isn't it?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpIVZCfUHlTz.pgp
Description: PGP signature

References:
- Torbutton 1.1.14-alpha released
  - From: Mike Perry
- Re: Torbutton 1.1.14-alpha released
  - From: Vlad \"SATtva\" Miller

Prev by Author: Torbutton 1.1.14-alpha released
Next by Author: Torbutton 1.1.15-alpha released
Previous by thread: Re: Torbutton 1.1.14-alpha released
Next by thread: Tor 0.2.0.20-rc is out
Index(es):
- Author
- Thread