Remote Vulnerability in Firefox Extensions

scar scar at drigon.com
Wed Aug 1 19:44:40 UTC 2007


coderman @ 2007/06/21 11:33:
> On 6/21/07, scar <scar at drigon.com> wrote:
>> ...
>> it seems to me that many addons which are downloaded
>> from https://addons.mozilla.org/ use different, non-https,
>> addresses to check for and download updates.
> 
> the problem exists when non https is used for updates. any plugins
> getting updates via http port 80 would be vulnerable.
> 
> 
>> would this vulnerability exist with all of those addons as
>> well?  how to find out what address each addon uses to
>> download updates?
> 
> i haven't tested the various plugins myself.  a sniffer should tell
> you quickly if updates are performed insecurely, though you may need
> trial and error to determine which one is making the requests if it
> isn't obvious in the data.
> 
> this would be a good subject to document on the wiki if you pursue it :)
> 
> best regards,
> 

well, it's clear that noscript uses nonsecure http to download its update.  i think many of us use that add-on.  so, how can we safely receive noscript and other add-ons that use nonsecure http updates?  do we need to tell firefox to not download the updates, and just notify us?  then, we go to https://addons.mozilla.org and manually install the update?  or, is there an easier way?

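The question raised in the thread, which installed add-ons check for updates over plain http, can be answered from the add-ons' own manifests as well as with a sniffer. The following script is an added example, not code from the list or from any of the posters: it reads the legacy install.rdf manifests under a Firefox profile's extensions directory, extracts each em:updateURL and flags every one whose scheme is not https; the sample manifests, add-on ids and hosts in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

def update_url_from_manifest(xml_text):
    """Return the em:updateURL declared in an install.rdf, or None if absent."""
    desc = ET.fromstring(xml_text).find("{%s}Description" % RDF_NS)
    if desc is None:
        return None
    # updateURL may be a child element or an attribute on the Description node
    el = desc.find("{%s}updateURL" % EM_NS)
    if el is not None and el.text and el.text.strip():
        return el.text.strip()
    return desc.get("{%s}updateURL" % EM_NS)

def classify(url):
    """'https' = fetched over TLS; 'insecure' = any other scheme (http, ftp, ...);
    'default' = none declared, so Firefox uses its extensions.update.url preference."""
    if url is None:
        return "default"
    return "https" if urlparse(url).scheme.lower() == "https" else "insecure"

def audit_manifests(manifests):
    """{addon_dir_name: install.rdf text} -> {addon_dir_name: (url, verdict)}."""
    return {name: (url, classify(url))
            for name, url in ((n, update_url_from_manifest(t)) for n, t in manifests.items())}

def audit_profile(profile_dir):
    """Audit every <profile>/extensions/*/install.rdf (the legacy add-on layout)."""
    base = Path(profile_dir) / "extensions"
    return audit_manifests({p.parent.name: p.read_text(encoding="utf-8")
                            for p in base.glob("*/install.rdf")})

# Constructed sample manifests: the ids and hosts are placeholders, not real add-on data.
_TEMPLATE = ('<?xml version="1.0"?>\n<RDF xmlns="%s" xmlns:em="%s">\n'
             '  <Description about="urn:mozilla:install-manifest">\n'
             '    <em:id>%s</em:id>\n%s  </Description>\n</RDF>\n')

def _sample(addon_id, update_url=None):
    line = "    <em:updateURL>%s</em:updateURL>\n" % update_url if update_url else ""
    return _TEMPLATE % (RDF_NS, EM_NS, addon_id, line)

SAMPLE_MANIFESTS = {
    "plain-http": _sample("plain-http@example.invalid", "http://updates.example.invalid/update.rdf"),
    "over-tls": _sample("tls@example.invalid", "https://updates.example.invalid/update.rdf"),
    "no-url": _sample("amo-hosted@example.invalid"),
}
```

Run `audit_profile("/path/to/your/profile")` against a real profile to list each add-on's verdict; anything reported as `insecure` is an update channel an on-path attacker could tamper with, and `default` entries follow whatever the extensions.update.url preference points at.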