[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?
From: tagnaq <tagnaq@xxxxxxxxx>
Date: Fri, 22 Jul 2011 18:28:25 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 22 Jul 2011 12:30:13 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=+mkin4Nve3Dfj8HHVhHLZPn/tkCOBM5mqRiDl/0Fsp8=; b=xvHUNSsd2VHQ1Te3S/xv7E95LjeTzyorsJwBeg8Ui2Yi8oNZPPwBf9PiRyVtnHWldi yUpC474AD8UV0TSaH335RfGbVYXTrPbJkwrIm882klCAKkF3qc6rVdWg/HMwxkD08sDI CJEN3wTeFrSdF697nexama624VIPM8ZbigLgA=
In-reply-to: <4E297396.9060107@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110722121443.143970__28069.8032737293$1311337311$gmane$org@xxxxxxx> <4E297396.9060107@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

7v5w7go9ub0o wrote:
> Given the add-ons are updated via SSL,

The versioncheck is performed over SSL, the download actually happens
over plain HTTP most of the times (depends on the addon) - but the
update is nontheless "safe" because the file hash is checked.
See
https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html
(incl. Mikes reply)

> as long as
> you check your certs for possible MIM attack using a "low integrity" CA.

Th check for Mozilla's certificate is hardcoded therefore it is not
possible to do a MITM attack with a different certificate.

-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAk4ppSkACgkQyM26BSNOM7adCAD8Dov40brsqf5Ab3XK9Ux/SFLc
Ie1HgckITbWB94dIbMoA/0jK30/cSdwikKUOQO0lQxFqmHWhVXEsEHwVa00nQveo
=c9fF
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?
  - From: 7v5w7go9ub0o

Prev by Author: [tor-talk] "Firefox 4 Tor Browser Bundles"
Next by Author: Re: [tor-talk] Maintaining your privacy sending e-mails
Previous by thread: Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?
Next by thread: Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?
Index(es):
- Author
- Thread