Open
Bug 1342582
Opened 8 years ago
Updated 3 years ago
Stop accepting SHA-1 for download and update hashes
Categories
(Toolkit :: Add-ons Manager, defect, P3)
Toolkit
Add-ons Manager
Tracking
()
NEW
People
(Reporter: kmag, Unassigned)
Details
(Whiteboard: [triaged])
JSON update manifests already require SHA-2 hashes, but the RDF format still accepts SHA-1, as does the downloader for initial installations. SHA-1 now has exploitable collisions, so it's probably time to stop supporting it.
|
||
Updated•8 years ago
|
Flags: needinfo?(amckay)
|
||
Comment 1•8 years ago
|
||
The RDF format is not going to matter too much in 57 since everything on release should be a WebExtension. However, until we remove the code that's there we should make sure its secure. For doing this we'd need to let people know beforehand and give them time to up date their hashes. Does that mean we need to just do this in an upcoming release and let people know on the add-ons blog, or should we do any more planning or communication?
Flags: needinfo?(jorge)
Flags: needinfo?(dveditz)
|
|
Reporter | |
Comment 2•8 years ago
|
||
We currently support the RDF format for both WebExtensions and legacy extensions. And we still use it for AMO updates.
|
||
Comment 3•8 years ago
|
||
I see a couple things we need to do:
1) Have AMO serve the JSON update file for clients that support it. Not sure if this requires changing something in the Add-ons Manager.
2) Communicate to unlisted developers (blog and direct messaging) that use the RDF format and give them time to adjust. We can add a validation warning that could be turned into an error when we decide we don't want to support the RDF case anymore.
Alternatively we could look into using SHA-2 for the RDF update manifest, but that just delays dropping RDF.
Flags: needinfo?(jorge)
|
|
Reporter | |
Comment 4•8 years ago
|
||
(In reply to Jorge Villalobos [:jorgev] from comment #3)
> Alternatively we could look into using SHA-2 for the RDF update manifest,
> but that just delays dropping RDF.
We already support SHA-2 for RDF updates. The only change that would need to happen is on the side of whoever generates the manifests.
On our side, we'd just need to remove support the way we've already done for MD5.
|
|
||
Updated•8 years ago
|
Assignee: nobody → scolville
|
|
||
Comment 6•8 years ago
|
||
go through comments from everyone and put next action items in
Flags: needinfo?(sescalante)
|
|
||
Comment 7•8 years ago
|
||
Seems like the best first steps are to switch to SHA-2 in the existing RDF update manifests. When changing them on AMO, however, we need to consider if there are Firefox versions that we care about and don't support SHA-2 in updates.
Moving AMO to JSON updates can be a followup.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(sescalante)
Flags: needinfo?(dveditz)
Priority: -- → P2
Whiteboard: [triaged]
|
||
Updated•5 years ago
|
Flags: needinfo?(mixedpuppy)
Priority: P2 → P3
|
|
||
Comment 8•5 years ago
|
||
This bug looks closable. aswan, it seems like most of the issue is resolved with bug 857458, but I'm a little muddy on the "the downloader for initial installations" as mentioned in comment 0.
Flags: needinfo?(mixedpuppy) → needinfo?(andrew.swan)
|
||
Comment 9•5 years ago
|
||
There are various ways to initiate an install and include a hash, including InstallTrigger, mozAddonManager, and an X-Target-Digest header on a redirect on an xpi file (and maybe others I'm not thinking of). I think those collectively are what Kris was referring to.
Flags: needinfo?(andrew.swan)
|
||
Updated•5 years ago
|
Assignee: scolville → nobody
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•