February 09, 2010

Firefox extension installation process vulnerable to MITM attack

Adrian Dimcev made an important discovery the other day: the Firefox extension installation process is vulnerable to a MITM attack. If a man in the middle is able to intercept the traffic of someone installing an extension, he will be able to get the user to install something else. Firefox is supposed to check the integrity of the extensions before it installs them, but it seems something somewhere broke, and the check is no longer in place.

This problem will be fixed in the next release (it has been fixed in the repository, it seems), but the fact remains that the installation process is seriously misleading. Looking at the user interface alone, the impression is that the entire installation process is carried out over SSL. Even worse, the main domain name where the extensions are "stored" uses an EV certificate, so you are made to feel super-safe. In truth, the extensions are downloaded over HTTP from who-knows-where.
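To illustrate the check that is missing here, the following is an added example (not Firefox's or Mozilla's code, and not from the original post) of how an installer can tie a download fetched over an untrusted channel back to a digest obtained over the trusted one. The "sha256:<hex>" digest format, the sample archive bytes and the URLs are all constructed for the illustration; the point is that a tampered payload fails the digest check regardless of which transport delivered it.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads: the archive the add-ons site intends to serve,
# and a different payload as it might arrive over an untampered-with-nothing
# HTTP connection. Neither is a real extension.
GENUINE_XPI = b"PK\x03\x04 genuine extension archive (constructed sample)"
TAMPERED_XPI = b"PK\x03\x04 some other archive entirely (constructed sample)"

# The digest the installer obtains from the page served over HTTPS. The
# "algo:hexdigest" spec format is an assumption made for this example.
EXPECTED_HASH = "sha256:" + hashlib.sha256(GENUINE_XPI).hexdigest()


def parse_hash(spec):
    """Split 'algo:hexdigest' into (algo, hexdigest); reject weak or unknown algorithms."""
    algo, sep, digest = spec.partition(":")
    if not sep or algo not in ("sha256", "sha512"):
        raise ValueError("unsupported hash spec: %r" % spec)
    return algo, digest.lower()


def verify_download(data, expected):
    """Return True only if the received bytes match the expected digest."""
    algo, digest = parse_hash(expected)
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(actual, digest)


def channel_kind(url):
    """Classify the download channel: only HTTPS counts as trusted transport."""
    return "trusted" if urlparse(url).scheme == "https" else "untrusted"


def install_decision(url, data, expected_hash):
    """Decide whether a downloaded extension may be installed.

    A digest mismatch is rejected no matter which transport delivered the
    bytes; a plain-HTTP download is accepted only because the digest from the
    trusted channel vouches for it. Without the digest check, an HTTP download
    would have nothing tying it to what the user saw on the HTTPS page.
    """
    if not verify_download(data, expected_hash):
        return "reject: digest mismatch"
    return "install: %s transport, integrity verified by digest" % channel_kind(url)


if __name__ == "__main__":
    print(install_decision("http://mirror.example/ext.xpi", GENUINE_XPI, EXPECTED_HASH))
    print(install_decision("http://mirror.example/ext.xpi", TAMPERED_XPI, EXPECTED_HASH))
```

The decision function deliberately keeps the transport question separate from the integrity question: the EV certificate on the add-ons site only ever vouched for the page carrying the digest, so the digest is what has to carry the guarantee over to whatever mirror serves the bytes.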


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
