Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here

headers Alexander Konovalenko | 4 Jan 2009 23:18

I noticed that some addons.mozilla.org extensions were updated over
plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of
the NoScript extension and fetched it from some https:// URI on
addons.mozilla.org. But that URI redirected to another, unencrypted
http:// URI from where the .xpi file was actually downloaded.

Is this known behavior? Is it considered a security issue that should be fixed?

A malicious extension being installed in your browser via some IP or
DNS hijacking attack would be a disaster for many. So it would make
sense for Firefox to require HTTPS when downloading extensions, at
least for those coming from addons.mozilla.org.

If there is a more appropriate place to discuss this, please let me know.

 -- Alexander

Mon	Tue	Wed	Thu	Fri	Sat	Sun

			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

7	May 2013
54	April 2013
26	March 2013
17	February 2013
14	January 2013
6	December 2012
19	November 2012
10	October 2012
7	September 2012
42	August 2012
25	July 2012
96	June 2012
35	May 2012
239	April 2012
332	March 2012
20	February 2012
13	January 2012
1	December 2011
4	October 2011
27	September 2011
14	August 2011
10	July 2011
12	June 2011
9	May 2011
37	April 2011
21	March 2011
6	February 2011
3	January 2011
26	December 2010
3	November 2010
3	October 2010
10	September 2010
9	August 2010
4	July 2010
22	June 2010
4	May 2010
11	April 2010
40	March 2010
50	February 2010
9	January 2010
15	December 2009
94	November 2009
122	October 2009
3	September 2009
42	August 2009
88	July 2009
16	June 2009
9	May 2009
54	April 2009
30	March 2009
36	February 2009
27	January 2009
40	December 2008
26	November 2008
13	October 2008
43	September 2008
27	August 2008
47	July 2008
60	June 2008
20	May 2008
23	April 2008
14	March 2008
25	February 2008
31	January 2008
13	December 2007
9	November 2007
8	October 2007
24	September 2007
17	August 2007
15	July 2007
14	June 2007
44	May 2007
41	April 2007
87	March 2007
266	February 2007
47	January 2007
11	December 2006
203	November 2006
20	October 2006
10	September 2006
23	August 2006
32	July 2006
8	June 2006
6	May 2006
4	April 2006
3	March 2006
7	January 2006
12	December 2005
11	November 2005
3	October 2005
8	September 2005
46	August 2005
18	July 2005
165	June 2005
205	May 2005
196	April 2005
312	March 2005
219	February 2005
21	January 2005
55	December 2004
15	November 2004
30	October 2004
35	September 2004
40	August 2004
54	July 2004
51	June 2004
29	May 2004
49	April 2004
42	March 2004
31	February 2004
34	January 2004
30	December 2003
91	November 2003
24	October 2003
40	September 2003
58	August 2003
30	July 2003
27	June 2003
29	May 2003
27	April 2003
25	March 2003
31	February 2003
18	January 2003
36	December 2002
46	November 2002
38	October 2002
37	September 2002
26	August 2002
28	July 2002
19	June 2002
37	May 2002
41	April 2002
1	February 2002

Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Firefox extensions updated over plain HTTP (not HTTPS)

Re: Content Security Policy feedback

Re: HTTPOnly cookies specification

A / V / Text encryption methods