Torbutton 1.1.14-alpha released
Mike Perry
mikeperry at fscked.org
Tue Feb 26 09:12:11 UTC 2008
Thus spake Vlad SATtva Miller (sattva at pgpru.com):
> Mike Perry wrote on 25.02.2008 09:33:
> > Torbutton 1.1.14-alpha has been released at
> > https://torbutton.torproject.org/dev/.
>
> Hello Mike,
>
> Installation link at https://torbutton.torproject.org/dev/, namely
> http://torbutton.torproject.org/dev/torbutton-current-alpha.xpi has HTTP
> access schema even when opening https://torbutton.torproject.org/dev/
> with HTTPS. Not a good thing, I suppose.
This is actually how Firefox extensions operate. There is NO support
for actually installing an extension over https (at least under
Firefox 2). The best you can do is retreive the SHA1 sum via
javascript over https, and then download the extension over http and
check the sha1 afterwords. Of course, if you disable javascript, you
made your extension install+update process insecure. Funny how that
all works out, isn't it?
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080226/1eab9bc7/attachment.pgp>
More information about the tor-talk
mailing list