[tor-talk] Torbutton: 'Disable Updates During Tor' - Option
Mary Escondido
maqiq89 at aol.com
Thu Jul 14 09:26:04 UTC 2011
>>> I concluded that the addon process is insecure because the versioncheck
>>> happens over HTTPS but the actual download of the new xpi file is over http.
>>> This simple conclusion is wrong if one doesn't check the entire update
>>> mechanism.
>>> To download something over an insecure channel is fine as long as you
>>> can check the file for modifications after the download.
>>
>> Authentication is done now.
>
> Thanks for confirming this.
Is this something new to Firefox 4.0?
Is the authentication also done in Firefox 3.6?
Thanks...