B
Premium,MVM
join:2000-10-28

Addons SSL - Conspiracy Theory?

I can't figure out why Mozilla (famously both for and not for profit) uses nothing but SSL for its »addons.mozilla.org site (it immediately redirects to https for all pages).

It's not a trivial question -- every SSL connection occupies significantly increased server side resources, which is why so many cheapass banks and web commerce sites don't turn it on until absolutely the last minute (for only the actual transmission of user credentials, for only the credit card number entry, etc.).

But go and download a piddly extension for the Fireweasel and you're looking at nothing but highly secure SSL links throughout.

I can't work up a good conspiracy theory though -- download links for the actual browsers at both the .org and .com Mozilla sites are not forced into SSL connections.

Do you think this is:

a. An oversight?

b. Intended to assure legitimacy of addons (and if so then why the heck not do the same for Firefox, Seamonkey, et al. themselves)?

c. An evil conspiracy to track addon popularity?

d. A waste of your time?

e. All of the above?

If nothing else it's just... weird. Alternate theories, comments, and ranting flames welcome.

-- B
--
In a realm outside causality and function


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
F. Ask MozillaFoundation instead of playing guessing games.


Exidor
Premium
join:2001-05-04
Brampton, ON

reply to B
Got me curious too..

»developer.mozilla.org/devnews/in···updates/

There are thousands of incredibly diverse add-ons for Firefox. This active participation by third party developers enhances browsing for many users. Add-ons are an important part of Firefox, so Mozilla is committed to helping developers create secure add-ons. This week there’s been some concern about updates that are distributed over non-SSL channels. Connections using HTTP (instead of HTTPS) can be redirected by an attacker to a hostile server and potentially install malicious code.

Add-ons that are hosted on the Mozilla Add-ons site are served over HTTPS and validated with a hash. These add-ons are not vulnerable to this attack. We strongly recommend that add-on developers require SSL for updates to prevent the attack described above.

For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons. If you would like to participate in this discussion please join us in the Firefox development discussion group at news://news.mozilla.org/mozilla.dev.apps.firefox

More information for developers is available here: »developer.mozilla.org/en/docs/In···pdateURL

This entry was posted by window on Wednesday, May 30th, 2007 at 1:50 pm and is filed under Security.

B
Premium,MVM
join:2000-10-28

Thanks Exidor! Good find. Still doesn't explain why they wouldn't take the same precaution with their own stuff; I mean, they're hosting both. Downloading coolextension.xpi from addons.mozilla.org is the same as downloading firefox.exe from mozilla.com (and the latter is of course a considerably bigger target) insofar as SSL certs, DNS reliability, or lack thereof...

Grail Knight, if I had an easy and effective way of getting an answer directly from MoFoCo I might have tried that, but I don't, so I floated the question here. (I certainly did due googly diligence first.) Sorry if it bothers you.

-- B
--
In a realm outside causality and function


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

It does not bother me at all.

You did say and I quote,
quote:
Alternate theories, comments, and ranting flames welcome.
--
"When the questions get tough the tough pull a MuMu". - unknown

B
Premium,MVM
join:2000-10-28



Come on, you call that ranting?



-- B
--
In a realm outside causality and function


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

I leave ranting to other folks like.....I can't say her name

I figure if a company providing my free browser wants to set up the Addons Site (which I seldom use) a certain way have at it.
--
"When the questions get tough the tough pull a MuMu". - unknown

B
Premium,MVM
join:2000-10-28
Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product.

-- B
--
In a realm outside causality and function


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL


That is something you would have to ask them.

Using Fx v3 since it was a wee lad, I have had the secure add-ons check disabled, so even if MoFo has the add-ons protected I disabled the feature, but I do not recommend that for everyone of course.

Edit* Seriously though it is odd that they protect their addons but not the browser.

--
"When the questions get tough the tough pull a MuMu". - unknown


mod_wastrel

join:2008-03-28
reply to B
Add-ons are designed to be installed directly into your running browser. Downloading the latest version of the browser is just a "simple" http download like any other. It's that "install" part that makes them wary.


33591094

join:2002-11-19
Canada

reply to B
said by B:

Oh it's a good thing the way they have it -- it minimizes the chances of being at the wrong place. I just don't see why they protect the addons but not the main product.

-- B
Please let us know what you find out when you ask them.


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

reply to mod_wastrel
Still, if they are going to have add-ons protected, the browser should also be a secure download like some of the better security products. Just my opinion.

MoFO can certainly afford the very best.
--
"When the questions get tough the tough pull a MuMu". - unknown

B
Premium,MVM
join:2000-10-28

said by Grail Knight:

Still if they are going to have addons protected the browser should be also be a secure download like some of the better security products. Just my opinion.
Boy have you come 'round.

-- B
--
In a realm outside causality and function


mod_wastrel

join:2008-03-28
·magicjack.com

reply to Grail Knight
It's not a matter of AMO protecting the add-ons; it's a matter of protecting your browser (and your PC) from potentially malicious activity with add-ons using the auto-update process (at least, that's the theory). Add-ons don't require a secure channel either if you're just doing a simple XPI file download instead of an auto-update.

B
Premium,MVM
join:2000-10-28

I understand and appreciate the distinction you're making.

However, it is still an arguable waste of their CPU resources for mere web site visits and manually initiated downloads of XPIs to be SSL-encrypted by default.

I would think it would be trivial to distinguish between the two kinds of requests (web page visits and addon self-updates) even though both use http and/or https, possibly by user agent or command line argument in the addons.

Then again, I never let anything auto-update.

-- B
--
In a realm outside causality and function


mod_wastrel

join:2008-03-28
·magicjack.com

Auto-update is something of a misnomer. It's really an auto-check followed by a manual update--presuming you choose to go ahead and install the update. I've always turned off auto-updates, too--for everything I use (when possible). Fx3 and beyond will require a secure channel for add-ons (install.rdf: updateURL or -Key), which has only been a strong recommendation before now, so AMO is secured, and basic downloads are not. I figure it's simply a case of them not seeing any need to do so. Very few sites [I'm aware of] do it, either because it costs them more than they're willing to spend or just adds to the resource requirements.
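The Mozilla notice Exidor quoted (add-ons served over HTTPS and validated with a hash; non-SSL update channels can be redirected) and the install.rdf updateURL/updateKey rule mod_wastrel mentions, as an added Python example that is not part of this thread or of Mozilla's code: it applies the Firefox 3 secure-update policy to constructed install.rdf manifests and checks a downloaded XPI against an update.rdf-style "sha1:<hexdigest>" value. The manifests, the update key and the XPI bytes are constructed samples.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def manifest(extra: str) -> str:
    """Build a constructed install.rdf (not from any real add-on) with extra elements."""
    return ('<?xml version="1.0"?>'
            '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            '<em:id>constructed@example.invalid</em:id>' + extra +
            '</Description></RDF>')

def update_channel_status(install_rdf: str) -> str:
    """Classify the update channel as the Firefox 3 policy does:
    no updateURL -> AMO's HTTPS service; https -> secure; http with an
    updateKey -> update.rdf must be signed; plain http -> redirectable."""
    desc = ET.fromstring(install_rdf).find(RDF + "Description")
    url = (desc.findtext(EM + "updateURL") or "").strip().lower()
    key = (desc.findtext(EM + "updateKey") or "").strip()
    if not url or url.startswith("https://"):
        return "secure"
    if url.startswith("http://") and key:
        return "secure-signed"
    return "insecure"

def verify_update_hash(xpi_bytes: bytes, update_hash: str) -> bool:
    """Check a downloaded XPI against an update.rdf-style "<algo>:<hexdigest>" value."""
    algo, _, digest = update_hash.partition(":")
    if algo.lower() not in ("sha1", "sha256", "sha512"):
        return False  # unknown or missing algorithm: treat as failed validation
    actual = hashlib.new(algo.lower(), xpi_bytes).hexdigest()
    return hmac.compare_digest(actual, digest.lower())

# Constructed samples: a stand-in XPI payload and the hash a trustworthy update.rdf would carry.
SAMPLE_XPI = b"PK\x03\x04 constructed stand-in for an XPI archive"
SAMPLE_HASH = "sha1:" + hashlib.sha1(SAMPLE_XPI).hexdigest()
HTTP_URL = "<em:updateURL>http://updates.example.invalid/u.rdf</em:updateURL>"
HTTPS_URL = "<em:updateURL>https://updates.example.invalid/u.rdf</em:updateURL>"
KEY = "<em:updateKey>constructed-base64-public-key</em:updateKey>"

if __name__ == "__main__":
    for label, extra in [("default", ""), ("https", HTTPS_URL),
                         ("http+key", HTTP_URL + KEY), ("http", HTTP_URL)]:
        print(f"{label:9} -> {update_channel_status(manifest(extra))}")
    print("hash ok:", verify_update_hash(SAMPLE_XPI, SAMPLE_HASH))
    print("tampered:", verify_update_hash(SAMPLE_XPI + b"!", SAMPLE_HASH))
```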


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

reply to mod_wastrel
Yet by protecting the add-ons they are protecting the browser as well as the computer, which is basically what I said.

quote:
It's really an auto-check followed by a manual update--presuming you choose to go ahead and install the update.
True unless you use the Update Notifier extension, which can be and most likely is being used by some to install updates as they become available. Not manually but automatically.

It can be argued that this then is not really on MoFo's shoulders if something happens but as it pulls updates from Addons that is another reason to secure their connections.
--
"When the questions get tough the tough pull a MuMu". - unknown


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

reply to B
There was no need to come around.

I was originally offering an answer that I give others based on the question.

I tell Mele20 all of the time to ask the developer the question if it is something only they can really answer.

No, I am not saying you are like MMC but the question was similar in structure.
--
"When the questions get tough the tough pull a MuMu". - unknown

B
Premium,MVM
join:2000-10-28
I just realized why I took your initial response so hard -- I thought "F." was an abbreviation for something else.

-- B
--
In a realm outside causality and function


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
That old alphabet will get you every time. ha ha
Wednesday, 25-Nov 08:03:29 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.