[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Downloading Firefox add-ons trough Tor. Safe?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

7v5w7go9ub0o wrote:
> Given the add-ons are updated via SSL,

The versioncheck is performed over SSL, the download actually happens
over plain HTTP most of the times (depends on the addon) - but the
update is nontheless "safe" because the file hash is checked.
See
https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html
(incl. Mikes reply)

> as long as
> you check your certs for possible MIM attack using a "low integrity" CA.

Th check for Mozilla's certificate is hardcoded therefore it is not
possible to do a MITM attack with a different certificate.


-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAk4ppSkACgkQyM26BSNOM7adCAD8Dov40brsqf5Ab3XK9Ux/SFLc
Ie1HgckITbWB94dIbMoA/0jK30/cSdwikKUOQO0lQxFqmHWhVXEsEHwVa00nQveo
=c9fF
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk