Thus spake Vlad SATtva Miller (sattva@xxxxxxxxx): > Mike Perry wrote on 25.02.2008 09:33: > > Torbutton 1.1.14-alpha has been released at > > https://torbutton.torproject.org/dev/. > > Hello Mike, > > Installation link at https://torbutton.torproject.org/dev/, namely > http://torbutton.torproject.org/dev/torbutton-current-alpha.xpi has HTTP > access schema even when opening https://torbutton.torproject.org/dev/ > with HTTPS. Not a good thing, I suppose. This is actually how Firefox extensions operate. There is NO support for actually installing an extension over https (at least under Firefox 2). The best you can do is retreive the SHA1 sum via javascript over https, and then download the extension over http and check the sha1 afterwords. Of course, if you disable javascript, you made your extension install+update process insecure. Funny how that all works out, isn't it? -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpIVZCfUHlTz.pgp
Description: PGP signature