No Save as on AMO since 1.9.9.98rc1

Mc

No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Since version 1.9.9.98rc1 I must whitelist addons.mozilla.org to get the context menu with "Save as" to save an xpi file. I suppose it comes from the "Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not whitelisted".
I don't want to whitelist amo generally, because there are some issues using SeaMonkey. Finally I deleted the about:config entry for noscript.surrogate.amo.sources. Seems that helped.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No Save as on AMO since 1.9.9.98rc1

Post by Giorgio Maone »

That surrogate is quite important because it prevents subverted mirrors or MITM attacks from installing rogue versions of AMO-hosted add-ons.
In order to get back the "Save as..." functionality (which is subject to the aforementioned vulnerability, though), you can just change the noscript.surrogate.amo.replacement preference to


addEventListener('click',function(e){if(e.button) return;a=e.target.parentNode;var hash=a.getAttribute('data-hash');if(hash){var b=a.parentNode.parentNode;InstallTrigger.install({x:{URL:a.href,IconURL:b.getAttribute('data-icon'),Hash:hash,toString:function(){return a.href}}});e.preventDefault()}},false)
This will be made the default in the next release.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Mc

Re: No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Giorgio Maone wrote:In order to get back the "Save as..." functionality (which is subject to the aforementioned vulnerability, though), you can just change the noscript.surrogate.amo.replacement preference...
Thanks Giorgio, I've reset noscript.surrogate.amo.sources, made the change and it works.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: No Save as on AMO since 1.9.9.98rc1

Post by therube »

If you have FlashGot installed, you can Alt+Click the link, capturing the wanted download file.

Hmm. Is that actually accomplishing anything, or is that still going to be "subject to the aforementioned vulnerability"?

So you're saying the only way to avoid 'MITM' is to either use the existing noscript.surrogate.amo.replacement or to Allow addons.mozilla.org?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:2.0b2pre) Gecko/20100630 SeaMonkey/2.1a3pre
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No Save as on AMO since 1.9.9.98rc1

Post by Giorgio Maone »

therube wrote:So you're saying the only way to avoid 'MITM' is to either use the existing noscript.surrogate.amo.replacement or to Allow addons.mozilla.org?
Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Mc

Re: No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Giorgio Maone wrote:Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.
I'm modifying Firefox and Thunderbird extensions for my use in SeaMonkey, which needs downloads. If I understand you right, that's not save at all.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
Mc

Re: No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Mc wrote:
Giorgio Maone wrote:Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.
I'm modifying Firefox and Thunderbird extensions for my use in SeaMonkey, which needs downloads. If I understand you right, that's not save at all.
...save is not safe :-P
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
Mc

Re: No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Fixed with 1.9.9.98rc4.
But still the question: "Save as" not safe on AMO?
Is there a way to get it safe with NoScript? Or why is download/install safe and download/save not?
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No Save as on AMO since 1.9.9.98rc1

Post by Giorgio Maone »

Mc wrote:But still the question: "Save as" not safe on AMO?
The add-ons files are served from a random releases.mozilla.org mirror over HTTP (unsecured).
Therefore, especially if you're using a proxy, a public Wi-Fi hotspot or an internet provider which you can't trust, a malicious file can be served instead through a MITM attack.
Mc wrote:Is there a way to get it safe with NoScript?
Nope. NoScript already does its best at ensuring you get the correct file, by forcing InstallTrigger to work even if scripts are disabled.
Mc wrote:Or why is download/install safe and download/save not?
Because install is carried out by the InstallTrigger function, which compares a cryptographic hash of the file provided by the install page (over secured HTTPS) with the one computed by the browser after the unsafe download has been completed over HTTP: if the two hashes don't match, you've got a tampered file and the installation fails.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
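
Added example, not part of the original thread and not NoScript or Mozilla code: the same comparison InstallTrigger performs, done by hand on a file obtained with "Save as", using the hash string copied from the HTTPS install page (the `data-hash` attribute read by the surrogate above). The "algorithm:hexdigest" layout of that string, the accepted algorithm list and the function names are assumptions of this sketch; the sample files are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted in the "algorithm:hexdigest" string (assumed list).
ALLOWED = {"sha1", "sha256", "sha384", "sha512"}

def parse_hash_spec(spec):
    """Split 'sha256:ab12...' into (algorithm, digest bytes); reject malformed input."""
    algo, sep, hexdigest = spec.strip().partition(":")
    algo = algo.lower()
    if not sep or algo not in ALLOWED:
        raise ValueError("unsupported or missing algorithm: %r" % spec)
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError:
        raise ValueError("digest is not hex: %r" % spec)
    # A truncated digest must never be accepted as a "prefix match".
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match %s" % algo)
    return algo, digest

def verify_download(path, spec):
    """Return True only if the saved file hashes to the value from the HTTPS page."""
    algo, expected = parse_hash_spec(spec)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.digest(), expected)

def demo():
    """Constructed sample: the genuine file and a copy altered on the HTTP leg."""
    genuine = b"PK\x03\x04 constructed stand-in for an add-on package"
    tampered = genuine + b" altered in transit"
    # Stands in for the hash string copied from the HTTPS install page.
    spec = "sha256:" + hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("genuine", genuine), ("tampered", tampered)):
            path = os.path.join(d, name + ".xpi")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_download(path, spec)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the hash string came from, so the string has to be read from the HTTPS page itself and not from the mirror that served the file.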
Mc

Re: No Save as on AMO since 1.9.9.98rc1

Post by Mc »

Thanks Giorgio for your explanations.
So finally I suppose I'm rather safe, because I use the proxy of my trustworthy provider.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.10) Gecko/20100504 Mnenhy/0.8.3 SeaMonkey/2.0.5
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: No Save as on AMO since 1.9.9.98rc1

Post by dhouwn »

Giorgio Maone wrote:Therefore, especially if you're using a proxy, a public Wi-Fi hotspot or an internet provider which you can't trust, a malicious file can be served instead through a MITM attack.
And you should also care when reading Giorgio's posts over an unsecured line, as a malicious text might be served instead.
Note: Giorgio will never ask you for your passwords in a forum post.

SCNR
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4