Gervase Markham wrote:
> Dave Townsend wrote:
>> What I want is to be able to establish some trust that the
>> update file retrieved is correct, and has not been tampered with,
>> intercepted and is as it was originally written by the add-on author.
>
> Link Fingerprints was designed for precisely this purpose, and is
> currently being implemented in Firefox by Ed Lee, who is sitting next to
> Dan Veditz:
> http://www.gerv.net/security/link-fingerprints/
No, this is really a different case to where link fingerprints are useful. The update manifest file cannot be hashed beforehand, i.e. in version 1 of my extension I don't know the hash of the update manifest in advance for when 2 is released.

> You get the URL from a trusted source (i.e. the updates.rdf downloaded
> from addons.mozilla.org over SSL) and then use the fingerprint to verify
> that the data you get is actually the correct data. You can download it
> over HTTP, from an "untrusted" site, because if you get the wrong data,
> the implementation throws it away and tells you so.

Yes, for retrieving the final xpi a hash specified in the update manifest is useful, and already implemented. And were there a possibility to host third-party update manifests on addons.mozilla.org then this could work without any extra effort. Currently that is not in place, however I will be speaking to them to find out what possibilities exist along those lines. Note however that some authors may not even want to do that (I would certainly prefer not to).

Cheers

Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
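The mechanism the two messages above argue about (a hash carried by a trusted URL or manifest that lets a file be fetched over an untrusted transport and discarded if it does not match) is worked through below as an added example. It is not code from the thread, from Firefox, or from the Link Fingerprints implementation; the fragment syntax `#!<algorithm>!<hexdigest>`, the `example.invalid` host, the function names and the sample xpi bytes are all assumptions made for the example. It also illustrates Dave's point: verification only establishes that the bytes match a digest you already trusted, so the manifest that carries the xpi digest must itself arrive over a trusted channel, because its digest cannot be known when the previous version shipped.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed for this example: only modern, collision-resistant digests are accepted.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}

# Constructed sample payloads (not a real xpi).
GOOD_XPI = b"PK\x03\x04 constructed add-on archive v2"
TAMPERED_XPI = b"PK\x03\x04 constructed add-on archive v2 + injected code"


def fingerprint_url(base_url: str, data: bytes, alg: str = "sha256") -> str:
    """Build a fingerprinted URL for data the publisher controls.
    Assumed syntax: <url>#!<alg>!<hexdigest>."""
    return f"{base_url}#!{alg}!{hashlib.new(alg, data).hexdigest()}"


def parse_fingerprint(url: str):
    """Return (base_url, alg, hexdigest); alg/hexdigest are None if no fragment."""
    parts = urlsplit(url)
    fragment = parts.fragment
    if not fragment.startswith("!"):
        return url, None, None
    pieces = fragment.split("!")  # "!sha256!abcd" -> ["", "sha256", "abcd"]
    if len(pieces) != 3 or not pieces[1] or not pieces[2]:
        raise ValueError("malformed fingerprint fragment")
    alg, digest = pieces[1].lower(), pieces[2].lower()
    if alg not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported or weak digest algorithm: {alg}")
    return parts._replace(fragment="").geturl(), alg, digest


def verify_payload(data: bytes, alg: str, expected_hex: str) -> bool:
    """Constant-time comparison of the payload digest against the trusted value."""
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_verified(url: str, fetch) -> bytes:
    """fetch(base_url) -> bytes is the untrusted transport (plain HTTP, a mirror).
    The bytes are returned only if they match the fingerprint; otherwise they are
    discarded and the caller is told so, which is the behaviour Gerv describes."""
    base, alg, digest = parse_fingerprint(url)
    if alg is None:
        raise ValueError("URL carries no fingerprint; integrity cannot be established")
    data = fetch(base)
    if not verify_payload(data, alg, digest):
        raise ValueError("downloaded data does not match fingerprint; discarded")
    return data


def demo() -> dict:
    """Run the three cases a reviewer would want to see; returns pass/fail flags."""
    # The trusted channel (e.g. a manifest fetched over SSL) supplies this URL.
    trusted_url = fingerprint_url("http://example.invalid/ext-2.0.xpi", GOOD_XPI)
    results = {}

    # 1. Honest mirror: bytes match, download accepted.
    results["good_accepted"] = fetch_verified(trusted_url, lambda _u: GOOD_XPI) == GOOD_XPI

    # 2. Tampering in transit: bytes differ, download rejected.
    try:
        fetch_verified(trusted_url, lambda _u: TAMPERED_XPI)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True

    # 3. A fingerprint using a disallowed algorithm is refused before any fetch.
    weak_url = "http://example.invalid/ext-2.0.xpi#!md5!" + "0" * 32
    try:
        parse_fingerprint(weak_url)
        results["weak_alg_rejected"] = False
    except ValueError:
        results["weak_alg_rejected"] = True

    # 4. A manifest URL with no fingerprint (Dave's case: the next manifest's
    #    digest is unknown at ship time) gives no integrity guarantee at all.
    try:
        fetch_verified("http://example.invalid/update.rdf", lambda _u: b"<RDF/>")
        results["unfingerprinted_rejected"] = False
    except ValueError:
        results["unfingerprinted_rejected"] = True
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The fourth case is the gap the thread identifies: a fingerprint protects the xpi because the manifest that names it is already trusted, but nothing on the client can pre-commit to the digest of a manifest that does not exist yet, so that first hop needs transport trust (SSL to a trusted host) or a signature rather than a hash.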