On 20/06/07, Ian Pascoe <[EMAIL PROTECTED]> wrote:
> Hi Folks
>
> As this has split into two threads, I'm gonna confuse everyone and reply to
> both in one.
>
> Firefox - hasn't there just been a security breach with FF's extensions
> whereby some of them don't conform to using SSL to update so can be duped to
> update from an interposing server?
Hi Ian,

The vulnerability at the moment doesn't affect any extensions from addons.mozilla.org, since they use https to download the update to your browser. The problem is with some extensions developed by e.g. Google and Yahoo (del.icio.us). Other big companies also are at risk. Basically, any extension hosted at a site with an http URL that periodically checks the server for an update could be at risk.

The security risk involves changing the user's DNS so that the update URL points to a different server. Since SSL (https) isn't used in the update check, there's no way for the browser to verify that it's a trusted site and it will then merrily download a hacked version of the extension. Google's extensions even suppress the update message, so you can't tell that it's been hacked!

Hwyl,
Neil.

-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/
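As an added example, not part of this thread and not Mozilla's own code: a small Python checker that reads an extension's install.rdf and flags the situation Neil describes, an update check fetched over plain http. An absent updateURL is treated as safe because Firefox then asks addons.mozilla.org over https, and an http updateURL paired with an em:updateKey (the signed update manifest mechanism Firefox 3 introduced, which the thread does not discuss) is also treated as acceptable. The manifests, extension ids and hostnames below are constructed.

```python
"""Audit Firefox extension install manifests (install.rdf) for update checks
that are not protected by TLS.  Added example, not code from this thread; the
manifests below are constructed and the extension ids are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by the em:* elements in install.rdf (Clark notation for ElementTree).
EM = "{http://www.mozilla.org/2004/em-rdf#}"


def classify_update_channel(install_rdf: str) -> dict:
    """Return a verdict on how an extension's update check is protected.

    ok        - https updateURL, no updateURL (Firefox then asks
                addons.mozilla.org over https), or a signed update manifest
    insecure  - plain-http updateURL with no signing key: whoever controls the
                user's DNS or the network path can hand the browser a replacement
    unknown   - updateURL present but not an http(s) URL
    """
    root = ET.fromstring(install_rdf)
    ext_id = root.findtext(f".//{EM}id", default="<no em:id>")
    url = (root.findtext(f".//{EM}updateURL") or "").strip()
    # em:updateKey (Firefox 3+) lets Firefox verify a signature on update.rdf,
    # so fetching the manifest over http is acceptable when the key is present.
    signed = root.find(f".//{EM}updateKey") is not None

    if not url:
        # Absent or empty updateURL: the update check goes to addons.mozilla.org over https.
        verdict, reason = "ok", "no updateURL; defaults to addons.mozilla.org over https"
    else:
        scheme = urlparse(url).scheme.lower()
        if scheme == "https":
            verdict, reason = "ok", "update check uses https"
        elif scheme == "http" and signed:
            verdict, reason = "ok", "http, but update manifest is signed (em:updateKey)"
        elif scheme == "http":
            verdict, reason = "insecure", "plain-http update check with no signing key"
        else:
            verdict, reason = "unknown", f"unrecognised updateURL scheme {scheme!r}"
    return {"id": ext_id, "update_url": url or None, "verdict": verdict, "reason": reason}


def audit(manifests: list) -> list:
    """Classify every manifest and return only those that need attention."""
    return [f for f in (classify_update_channel(m) for m in manifests) if f["verdict"] != "ok"]


def _manifest(ext_id: str, extra: str = "") -> str:
    """Build a minimal constructed install.rdf for the examples below."""
    return f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:version>1.0</em:version>
    {extra}
  </Description>
</RDF>"""


# Constructed sample manifests (ids and hostnames are placeholders).
HTTP_MANIFEST = _manifest(
    "http-updater@example.invalid",
    "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>")
HTTPS_MANIFEST = _manifest(
    "https-updater@example.invalid",
    "<em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>")
AMO_MANIFEST = _manifest("amo-hosted@example.invalid")
SIGNED_MANIFEST = _manifest(
    "signed-updater@example.invalid",
    "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>"
    "<em:updateKey>PLACEHOLDER-BASE64-PUBLIC-KEY</em:updateKey>")

if __name__ == "__main__":
    for m in (HTTP_MANIFEST, HTTPS_MANIFEST, AMO_MANIFEST, SIGNED_MANIFEST):
        r = classify_update_channel(m)
        print(f"{r['verdict']:9} {r['id']:32} {r['reason']}")
```

Run against a directory of unpacked extensions, only the first manifest is reported, since it is the one whose update check could be redirected by a DNS change in the way the thread describes; the others either use https, rely on addons.mozilla.org, or can verify the manifest they receive.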