[HTTPS-Everywhere] "Author not verified" while trying to install "HTTPS Everywhere 2.2" (Firefox 14.0.1, Mac OS X 10.6.8)

[Seth David Schoen]

Tagglez Tagglez writes:

> Should I go ahead and allow the installation to complete even with the
> "Author not verified" message, or should I assume that the extension
> Firefox downloaded is not authentic? Having been hit by a malicious
> Trojan before (when I was tricked into downloading a so-called "Flash
> plug-in update" for Firefox many years ago, which has kept me away
> from Firefox until now), I am quite cautious these days. Are there
> alternative ways of confirming the authenticity of the downloaded
> "Https Everywhere" extension along the lines of an MD5 check-sum or
> something?

Hi Tagglez,

It's completely appropriate to be concerned about these warnings.
As you know, the security consequences of installing malicious
software in your browser or on your computer can be quite severe.

All HTTPS Everywhere software releases are digitally signed by an
update key, but your computer will normally not check this signature
until you already have HTTPS Everywhere installed.

Generally people believe in the authenticity of the first HTTPS
Everywhere release they install because they are getting it from
our web site over HTTPS, which is supposed to guarantee the
authenticity of the download.

For the current stable XPI, I see the following SHA-1 and MD5
checksums:

ccc77f7db23c76d5d0a082711835d0cb940a96f8  https-everywhere-2.2.1.xpi
f10f388352805f0ba2e9969968b22f1e  https-everywhere-2.2.1.xpi

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107