On Monday, July 22, 2019 at 7:08:19 PM UTC-4, [email protected] wrote: > The real issue is that they can quickly block update servers + instruct the > population to disable updates. Which means that banners won't make it > through, and the population will stay on today's versions permanently.
Hello Mozilla. I stumbled upon this thread from a news article. Yes, that means you will need to be faster than them, instead of dawdling. If they are only blocking HTTPS without the certificate, surely you can have updates delivered over HTTP, and you can check the code signature or whatnot. At least, quickly make an update that vastly increases the number of places it requests an update from. If it's signed you don't even need to control the mirrors. You aren't going to be able to find a permanent mathematical solution. It's going to be whack-a-mole. But if you do nothing while you can do something, you'll have to sleep with that for a long, long time.. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
