7v5w7go9ub0o wrote:
> Given the add-ons are updated via SSL,

The version check is performed over SSL, the download actually happens over plain HTTP most of the time (depends on the addon) - but the update is nonetheless "safe" because the file hash is checked.
See https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html (incl. Mike's reply)

> as long as
> you check your certs for possible MIM attack using a "low integrity" CA.

The check for Mozilla's certificate is hardcoded; therefore it is not possible to do a MITM attack with a different certificate.

_______________________________________________
tor-talk mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
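The update pattern described in the message above (hash delivered over the authenticated channel, file fetched over plain HTTP), as an added example that is not part of the original message and is not Mozilla's code. The manifest field names `url` and `hash`, the `algorithm:hexdigest` format, the algorithm allowlist and the sample data are assumptions of this sketch; the manifest entry is assumed to have already been fetched over the verified SSL connection.

```python
import hashlib
import hmac

# Digest algorithms this sketch accepts (assumption of the example).
ALLOWED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


class UpdateRejected(Exception):
    """Raised when a downloaded package must not be installed."""


def parse_expected_hash(value):
    """Split an 'algorithm:hexdigest' string taken from the trusted manifest."""
    algo, sep, hexdigest = value.partition(":")
    algo = algo.strip().lower()
    if not sep or algo not in ALLOWED:
        raise UpdateRejected(f"missing or unsupported hash algorithm: {value!r}")
    try:
        digest = bytes.fromhex(hexdigest.strip())
    except ValueError:
        digest = b""
    if len(digest) != ALLOWED[algo]().digest_size:
        raise UpdateRejected("malformed digest in manifest")
    return algo, digest


def verify_download(manifest_entry, payload):
    """Return True only if payload is acceptable given the authenticated manifest."""
    expected = manifest_entry.get("hash")
    if expected is None:
        # Without a hash, integrity rests on the transport alone.
        if not manifest_entry["url"].lower().startswith("https://"):
            raise UpdateRejected("plain-HTTP download without a manifest hash")
        return True
    algo, digest = parse_expected_hash(expected)
    if not hmac.compare_digest(ALLOWED[algo](payload).digest(), digest):
        raise UpdateRejected("downloaded file does not match manifest hash")
    return True


# Constructed sample data: a package and the manifest entry describing it.
PACKAGE = b"constructed add-on package bytes"
ENTRY = {"url": "http://downloads.example.invalid/addon.xpi",
         "hash": "sha256:" + hashlib.sha256(PACKAGE).hexdigest()}

if __name__ == "__main__":
    print(verify_download(ENTRY, PACKAGE))
    try:
        verify_download(ENTRY, PACKAGE + b" tampered in transit")
    except UpdateRejected as exc:
        print("rejected:", exc)
```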
