[tor-bugs] #9769 [EFF-HTTPS Everywhere]: Move HTTPS Everywhere back to addons.mozilla.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 1 23:09:22 UTC 2013
#9769: Move HTTPS Everywhere back to addons.mozilla.org
--------------------------------------+----------------------
Reporter: micahlee | Owner: micahlee
Type: project | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
--------------------------------------+----------------------
Comment (by mikeperry):
With respect to the third point from the description: Mozilla does not
sign updates. It also turns out that cert pinning is still not implemented
for addons.mozilla.org, so anyone with any compromised CA cert will be
able to feed addon updates that trojan/subvert/replace HTTPS-Everywhere.
According to Camilo, A.M.O. pinning won't land until at least Q1 2014.
I am not sure if it is possible to use a custom addon update key with
A.M.O. Probably not by default, since it would require that your addon
have its own update.rdf URL still on EFF's servers (and signed with your
key). This is forbidden by the A.M.O. upload process, but maybe you can
get them to craft an exemption for you.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9769#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list