
Re: Torbutton 1.1.14-alpha released

Thus spake Vlad SATtva Miller (sattva@xxxxxxxxx):

> Mike Perry wrote on 25.02.2008 09:33:
> > Torbutton 1.1.14-alpha has been released at
> > https://torbutton.torproject.org/dev/. 
> Hello Mike,
> Installation link at https://torbutton.torproject.org/dev/, namely
> http://torbutton.torproject.org/dev/torbutton-current-alpha.xpi has HTTP
> access schema even when opening https://torbutton.torproject.org/dev/
> with HTTPS. Not a good thing, I suppose.

This is actually how Firefox extensions operate. There is NO support
for actually installing an extension over https (at least under
Firefox 2). The best you can do is retrieve the SHA1 sum via
javascript over https, and then download the extension over http and
check the sha1 afterwards. Of course, if you disable javascript, you
made your extension install+update process insecure. Funny how that
all works out, isn't it?

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpIVZCfUHlTz.pgp
Description: PGP signature
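
Added example, not part of the message above and not Torbutton or Firefox code: a Node.js sketch of the check the reply describes, where a digest obtained over the trusted channel is used to verify bytes downloaded over plain http. The "algo:hex" string format, the function names and the sample bytes are assumptions made for illustration; a missing digest (the javascript-disabled case) is treated as a failure rather than skipped.

```javascript
const crypto = require('crypto');

// Accepted algorithms and their hex digest lengths. sha1 is what the message
// names; accepting sha256 as well is an assumption of this example.
const HEX_LEN = { sha1: 40, sha256: 64 };

// Parse a pinned digest of the (assumed) form "sha1:<hex>". Throws if malformed.
function parsePinnedHash(spec) {
  if (typeof spec !== 'string') throw new Error('no pinned hash supplied');
  const m = /^([a-z0-9]+):([0-9a-fA-F]+)$/.exec(spec.trim());
  if (!m) throw new Error('malformed pinned hash');
  const algo = m[1];
  const hex = m[2].toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(HEX_LEN, algo)) {
    throw new Error('unsupported algorithm: ' + algo);
  }
  if (hex.length !== HEX_LEN[algo]) throw new Error('wrong digest length');
  return { algo, digest: Buffer.from(hex, 'hex') };
}

// Verify bytes fetched over the untrusted channel against the pinned digest.
// Fails closed: no digest, or an unparseable one, means "do not install".
function verifyDownload(bytes, pinnedSpec) {
  let pinned;
  try {
    pinned = parsePinnedHash(pinnedSpec);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  const actual = crypto.createHash(pinned.algo).update(bytes).digest();
  // Lengths are equal here because parsePinnedHash checked the hex length.
  const ok = crypto.timingSafeEqual(actual, pinned.digest);
  return { ok, reason: ok ? 'digest matches' : 'digest mismatch' };
}

// Constructed sample data standing in for the .xpi and its published digest.
const xpi = Buffer.from('constructed stand-in for extension bytes');
const pinned = 'sha1:' + crypto.createHash('sha1').update(xpi).digest('hex');
const tampered = Buffer.concat([xpi, Buffer.from('!')]);

function demo() {
  return {
    good: verifyDownload(xpi, pinned),          // untouched download
    tampered: verifyDownload(tampered, pinned), // modified in transit
    noHash: verifyDownload(xpi, undefined),     // digest never fetched
  };
}
console.log(demo());
```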