[tor-talk] Torbutton: 'Disable Updates During Tor' - Option

tagnaq tagnaq at gmail.com
Mon Jun 13 14:07:07 UTC 2011


Hi,

"
Disable Updates During Tor (recommended)

Under Firefox 2, many extension authors did not update their extensions
from SSL-enabled websites. It is possible for malicious Tor nodes to
hijack these extensions and replace them with malicious ones, or add
malicious code to existing extensions. Since Firefox 3 now enforces
encrypted and/or authenticated updates, this setting is no longer as
important as it once was (though updates do leak information about which
extensions you have, it is fairly infrequent).
"
https://www.torproject.org/torbutton/torbutton-options.html.en

Note: The current Torbutton (1.3.3-alpha) doesn't display the
"(recommended)" next to this option.

I think it is better to not enable this option, meaning: you should make
updates - also - over Tor. I would like to hear your opinion if you
don't agree.

- I assume requests to Mozilla are encrypted + authenticated

- I assume 3rd-party extensions are updated via Mozilla server

- update requests leak your version and used addons to Mozilla but
Mozilla shouldn't be able to connect that information with other
information about you. It is a problem if these versioncheck requests
would set a cookie that is transmitted while browsing Mozilla sites.

- enabling this option (disabling updates) will result in outdated
software which may contain security issues

- updates may contain security issues too, but that is a question of
whether you trust that addon or not

- Firefox 2 is not supported any more (for quite some time now)
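
Added example, not part of the original message and not Torbutton or Mozilla code: a small audit that reads an extension's `install.rdf` and reports which update channel it declares, separating the Firefox 2-era case (plain HTTP, unsigned) from the encrypted or authenticated ones the quoted documentation refers to. The sample manifests, add-on ids, URLs and the `audit` and `classify_update_channel` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def em_value(desc, name):
    """A manifest property may be a child element or an em: attribute."""
    child = desc.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(EM + name)

def classify_update_channel(install_rdf):
    """Return (add-on id, update channel) for one install.rdf document."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" in (desc.get("about"), desc.get(RDF + "about")):
            break
    else:
        raise ValueError("no install manifest Description found")
    url, key = em_value(desc, "updateURL"), em_value(desc, "updateKey")
    if not url:
        channel = "default-service"  # no custom URL: browser's built-in update service
    elif urlparse(url).scheme.lower() == "https":
        channel = "https"            # encrypted and server-authenticated
    elif key:
        channel = "signed-manifest"  # plain HTTP, but the update manifest is signed
    else:
        channel = "insecure"         # plain HTTP, unsigned: modifiable in transit
    return em_value(desc, "id"), channel

def audit(manifests):
    """Map each add-on id to its declared update channel."""
    return dict(map(classify_update_channel, manifests))

# Constructed sample manifests (not real add-ons, key is a placeholder).
TEMPLATE = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:targetApplication><Description><em:id>app@example.invalid</em:id></Description></em:targetApplication>
    {extra}
  </Description>
</RDF>"""
URL = "<em:updateURL>{}://updates.example.invalid/u.rdf</em:updateURL>"
EXTRAS = {"plain@example.invalid": URL.format("http"),
          "signed@example.invalid": URL.format("http") + "<em:updateKey>PLACEHOLDER</em:updateKey>",
          "tls@example.invalid": URL.format("https"),
          "hosted@example.invalid": ""}
SAMPLES = [TEMPLATE.format(id=i, extra=x) for i, x in EXTRAS.items()]
```
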

