Closed Bug 718740 Opened 14 years ago Closed 9 years ago

ENH: Upgrade security - sign jars, check cert attributes

Categories

(Mozilla Labs Graveyard :: Test Pilot, defect)

Product:
Mozilla Labs Graveyard
Component:
Test Pilot
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: glind, Unassigned)

Details

Per Rob Strong, suggestions for hardening Test Pilot: 1. When making an SSL connection to the Test Pilot server, don't just verify the certificate (as we're doing now) -- also verify the certificate attributes. There is code for doing this in Certutils.jsm, which is locaed under toolkit/mossup/shared. It should not be very hard - it sounds like we can just call an existing function and pass in a pref branch containing some config data. 2. Sign all the jars and XPIs. Talk to mossup (Dave Townsend) and/or Blair McBride about how to sign, and verify signatures of, .jars and .xpis. 3. Ask Brian Smith to get involved in our security review. He is, and these are Rob's exact words, "extremely anal and will beat the hell out of it"
Product: Mozilla Labs → Mozilla Labs Graveyard
decommissioned
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.