Overclock.net - An Overclocking Community - View Single Post - [Engadget] Firefox disabled all add-ons because a certificate expired (updated)
View Single Post
post #23 of (permalink) Old 05-05-2019, 06:04 PM
JackCY's Avatar
Join Date: Jun 2014
Posts: 10,353
Rep: 345 (Unique: 244)
Quote: Originally Posted by Imouto View Post
Mozilla signs the add-ons. You can spoof the site all you want and however you download wouldn't work anyway. That is precisely why they sign them.

You would need the private key held by Mozilla or hijack the browser distribution. Which is quite different than the walk in the park you presented as how easy it would be to distribute counterfeit add-ons.

Oh, please. Deflecting already? I never denied Mozilla screwed it up royally here. It is you who's wrong about the certificates.

Now that this is out of the way I wouldn't use your method because you obviously have no idea about what you're talking.
You don't need the key, you only need to get your addon to the store and get it signed, not so hard to hide malicious code in otherwise well behaved addon.
Not deflecting, only asking what other browsers bother with certification signed addons.
It's not my method all the links and source are there. It does resolve Mozilla's fiasco and they can't even give it to users themselves, users have to figure it out on their own how to fix their mess.

Quote: Originally Posted by Darren9 View Post
It requires you to fully audit the code or blindly trust the developer. I trust Mozilla far more than I trust some random dev with a couple of plugins he made one weekend.
So you trust some random dev with a couple of plugins he made one weekend that were signed by Mozilla? XD
Just because it's signed and all doesn't mean it's 100% clean and safe. As if Mozilla will read every source code line of every addon before signing it, they would still be reading in year 3000. Some automated checks at best. To make this "easier" they force removed a lot of features from the API that addons could use (infamous Quantum nonsense), annoyed all developers of addons and users.
JackCY is offline