[tor-bugs] #9769 [EFF-HTTPS Everywhere]: Move HTTPS Everywhere back to addons.mozilla.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 14 22:05:49 UTC 2014
#9769: Move HTTPS Everywhere back to addons.mozilla.org
--------------------------------------+----------------------
Reporter: micahlee                    | Owner: micahlee
Type: project                         | Status: new
Priority: normal                      | Milestone:
Component: EFF-HTTPS Everywhere       | Version:
Resolution:                           | Keywords:
Actual Points:                        | Parent ID:
Points:                               |
--------------------------------------+----------------------
Comment (by jsha):

zyan's bugzilla bug to allow offline signatures for AMO extensions was
rejected.

Public key pinning has landed in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=744204 and
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning.
However, that's for HTTPS requests, but the documentation to use
CA-signing for XPIs appears to be about code signing. I'm willing to bet that
the PKP implementation does not extend to code signing.

Also, kmag on the bugzilla thread
(https://bugzilla.mozilla.org/show_bug.cgi?id=999014) has a very good
point. If there's a universal hotfix addon that is not offline-signed and
can deliver updates to any addon, there's no additional security for
Firefox users in our current method. TBB users, of course, don't get their
HTTPS Everywhere from AMO, and so are not affected.

I think we should proceed with adding HTTPS Everywhere to AMO. zyan, any
objections?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9769#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online