Firefox security status

Posted Jun 7, 2007 11:43 UTC (Thu) by hawk (subscriber, #3195)
In reply to: Firefox security status by ekj
Parent article: Firefox security status

The problem that is "solved" with a certificate handed out from a trusted authority is obviously proving who the software came from in the first place. (So I wouldn't say that the hassle of buying a certificate is for no benefit!)

I do however agree that having this security on the HTTP layer is not really the right choice. On the other hand, having the extensions signed with a certificate handed out by a trusted party seems like a good idea to me.

What you describe (as your description does not seem to involve getting such a certificate) will only be able to tell whether updates come from the same source that you got the initial version from, which still leaves a big hole.

On the other hand, how do you know who to trust in the first place anyway....



Firefox security status

Posted Jun 8, 2007 21:54 UTC (Fri) by ekj (guest, #1524)

Sure, a certificate signed by one of the CAs that, say, Firefox trusts by default indicates *something*. Nothing that is useful for deciding if you trust software delivered from that host though.

A Verisign-signed certificate for "foobar.org" shows that Verisign is convinced that the person who they at one time sent the certificate to is the same entity that owns foobar.org.

This helps very nearly not at all.

  • It doesn't tell you what policy foobar.org has for letting people host stuff on their https-server.
  • It doesn't tell you if foobar.org has been compromised and the files trojaned.
  • It doesn't tell you if the developers/owners/administrators of foobar.org are dependable or not.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds