| |||||||||||||
Firefox security statusFirefox security statusPosted Jun 7, 2007 11:43 UTC (Thu) by hawk (subscriber, #3195)In reply to: Firefox security status by ekj Parent article: Firefox security status
The problem that is "solved" with a certificate handed out from a trusted authority is obviously proving who the software came from in the first place. (So I wouldn't say that the hassle of buying a certificate is for no benefit!)
I do however agree that having this security on the HTTP layer is not really the right choice. On the other hand, having the extensions signed with a certificate handed out by a trusted party seems like a good idea to me.
What you describe (as your description does not seem to involve getting such a certificate) will only be able to tell whether updates come from the same source that you got the initial version from, which still leaves a big whole.
On the other hand, how do you know who to trust in the first place anyway....
(Log in to post comments)
Firefox security status Posted Jun 8, 2007 21:54 UTC (Fri) by ekj (guest, #1524) [Link] Sure, a certificate signed by one of the CAs that say Firefox trusts by default indicates *something*. Nothing that is useful for deciding if you trust software delivered from that host though. A Verisign-signed certificate for "foobar.org" shows that Verisign is convinced that the person who they at one time sent the certificate too is the same entity that owns foobar.org. This helps very nearly not at all.
|
|||||||||||||