[HTTPS-Everywhere] Fwd: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere --- RE: HTTPS Everywhere doesn't cover all Facebook sub domains

Osama Khalid osamak at gnu.org
Fri May 6 12:20:27 PDT 2011


On Fri, May 06, 2011 at 12:04:38PM -0700, Peter Eckersley wrote:
> There is supposed to be a second layer of defense here, too: it
> shouldn't be possible to modify the URL and updateHash in the
> update.rdf file -- that file is signed, and last time I tested it
> Firefox would refuse to upgrade via an unsigned update.rdf.  But
> I'll double check this.

This is confirmed in:
https://wiki.mozilla.org/Extension_Manager:Addon_Update_Security#Securing_Update_Manifests_Through_Digital_Signatures

--Osama Khalid
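
The check described in the quoted paragraph, as an added example that is not part of the original message and is not Firefox's or HTTPS Everywhere's code. It assumes a simplified manifest: the signature covers three fields joined by newlines rather than the real canonical RDF serialization, and the key pair, hosts and package bytes are constructed sample data.

```javascript
// Added illustration (not Firefox's code): simplified signed update-manifest check.
const nodeCrypto = require('crypto');
// Assumption: the real scheme signs a canonical serialization of the RDF;
// here the signed bytes are just these three fields joined by newlines.
function canonical(m) {
  return Buffer.from([m.version, m.updateLink, m.updateHash].join('\n'));
}

// Publisher side: sign the manifest with the private half of the update key.
function signManifest(m, privateKey) {
  const sig = nodeCrypto.sign('sha512', canonical(m), privateKey);
  return { ...m, signature: sig.toString('base64') };
}

// Client side: updateKey is the public key pinned when the add-on was installed.
function checkUpdate(manifest, updateKey, xpiBytes) {
  if (!manifest.signature) return { ok: false, reason: 'unsigned manifest' };
  let valid = false;
  try {
    valid = nodeCrypto.verify('sha512', canonical(manifest), updateKey,
      Buffer.from(manifest.signature, 'base64'));
  } catch (e) { /* malformed signature counts as invalid */ }
  if (!valid) return { ok: false, reason: 'bad signature' };
  // Only after the manifest is trusted is its hash compared with the download.
  const [alg, hex] = String(manifest.updateHash).split(':');
  if (!['sha256', 'sha384', 'sha512'].includes(alg) || !hex)
    return { ok: false, reason: 'missing or weak updateHash' };
  const digest = nodeCrypto.createHash(alg).update(xpiBytes).digest('hex');
  if (digest !== hex.toLowerCase()) return { ok: false, reason: 'hash mismatch' };
  return { ok: true, reason: 'accepted' };
}

// Constructed sample data: a key pair, a genuine package and a substituted one.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const hashOf = (b) => 'sha256:' + nodeCrypto.createHash('sha256').update(b).digest('hex');
  const goodXpi = Buffer.from('constructed genuine package');
  const otherXpi = Buffer.from('constructed substituted package');
  const signed = signManifest({ version: '1.0', updateLink: 'https://updates.example/addon.xpi', updateHash: hashOf(goodXpi) }, privateKey);
  // Manifest edited in transit: link and hash rewritten, old signature kept.
  const edited = { ...signed, updateLink: 'http://mirror.example/addon.xpi', updateHash: hashOf(otherXpi) };
  const { signature, ...stripped } = edited; // same edit with the signature removed
  return {
    genuine: checkUpdate(signed, publicKey, goodXpi).reason,
    edited: checkUpdate(edited, publicKey, otherXpi).reason,
    stripped: checkUpdate(stripped, publicKey, otherXpi).reason,
    swappedFile: checkUpdate(signed, publicKey, otherXpi).reason,
  };
}
```

Calling `demo()` returns the decision for each of the four cases; only the untouched manifest with the matching package is accepted.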