[Project_owners] Secure installation of extensions, Project overview pages, and file release system
Onno Ekker
o.e.ekker at gmail.com
Fri Mar 28 08:04:21 PDT 2008
Douglas E. Warner wrote:
> On Friday 28 March 2008 05:31:27 Onno Ekker wrote:
>
>> I don't really see why end-users would believe they now have safe
>> downloads. To the user, the only thing that has changed, is that they
>> can start the download from a secure website, but they can't see that
>> the file is also verified and they cannot verify the file themselves,
>> since you don't display the md5sum. The download itself is still from an
>> unsecure website, so the user could download another file than he thinks.
>>
>
> The security comes from using InstallTrigger which will verify the hash
> against the downloaded file for the user automatically. This hash is served
> from a secure website, therefore the hash can be trusted. The file can then
> be downloaded from anywhere and compared against the trusted hash.
>
Ah. Now I get it. I missed the link with InstallTrigger:
http://developer.mozilla.org/en/docs/Installing_Extensions_and_Themes_From_Web_Pages
So it's for Installing only. And then probably only for Firefox (and
Seamonkey / Mozilla,...) extensions / themes, but not for Thunderbird
Extensions. The xpis I added and verified were Thunderbird only
extensions, so that will probably have very limited use...
Onno
More information about the Project_owners
mailing list