Closed
Bug 644403
Opened 14 years ago
Closed 7 years ago
Do more strict certificate checks for add-on installs from AMO
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
RESOLVED
INACTIVE
People
(Reporter: BenB, Unassigned)
Details
This is the cousin of bug 643461 and bug 544442 (verify SSL certs more strictly during updates),
triggered by bug 642395 and bug 470897 (fake certs issued by Comodo, including for addons.mozilla.org):
Anything that protects binaries shouldn't rely (or be intercepted by) on DV certs (or in fact any third-party CA at all IMHO).
We should also cover addon (first-time) installs.
If the install comes from *.mozilla.org (or: our whitelist in prefs), we should mandate *at least* EV and a certain CA (better yet a signature from us).
addons.mozilla.org is more important, because we hook up this site in the browser UI, and lead users there.
|
Reporter | |
Updated•14 years ago
|
OS: Linux → All
Hardware: x86 → All
|
|
Reporter | |
Comment 1•14 years ago
|
||
|
||
Comment 2•14 years ago
|
||
Since the actual XPI files that we install from AMO come from insecure mirrors there are actually a few different places that we'd have to verify the certificate for to fix this:
* The AMO site when it calls InstallTrigger
* The discovery pane (also uses InstallTrigger so probably shared with the above)
* The search results in the add-ons manager
I'm not sure there is any verification we can do if the user has disabled JavaScript, in which case the first time we know that an extension download is starting is by the time we've been redirected to the insecure mirror.
|
||
Comment 3•12 years ago
|
||
(In reply to Ben Bucksch (:BenB) from comment #0)
> This is the cousin of bug 643461 and bug 544442 (verify SSL certs more
> strictly during updates).
I suggest we resolve this as a dup of bug 643461. In particular, see bug 643461 comment 8 on why SSL server certificate checks are a poor solution to this problem, especially when we've already built a better solution for Mozilla-hosted packaged apps that can be reused for Mozilla-hosted addons.
|
||
Comment 4•7 years ago
|
||
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE
You need to log in
before you can comment on or make changes to this bug.
Description
•