Dave Townsend wrote:
> Hi all, I am looking for some feedback on a proposal I'm working on to
> improve the security of add-on updates in Mozilla products. Let me give
> an overview of the problem I wish to solve and then what I have come up
> with so far as a potential solution.
>
> In the Mozilla applications we have add-ons installed. I'm ignoring
> how the add-ons are installed but let's assume that once there we have
> some faith in them. The application periodically checks for available
> updates to an add-on by downloading an update file from a URL specified
> by the installed add-on.
>
> What I want is to be able to establish some trust that the
> update file retrieved is correct, and has not been tampered with,
> intercepted and is as it was originally written by the add-on author.
>
> The key problem is that I wish to do this in a way that does not cost
> the add-on author any money (or at least a very small amount of money),
> so getting a certificate signed by one of the root CAs is not an option
> nor is serving the file from an SSL server.

$18/year is too expensive, eh?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto