
No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 9:04 am
by Mc
Since version 1.9.9.98rc1 I must whitelist addons.mozilla.org to get the context menu with "Save as" to save an xpi file. I suppose it comes from the "Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not whitelisted".
I don't want to whitelist amo generally, because there are some issues using SeaMonkey. Finally I deleted the about:config entry for noscript.surrogate.amo.sources. Seems that helped.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 9:41 am
by Giorgio Maone
That surrogate is quite important because it prevents subverted mirrors or MITM attacks from installing rogue versions of AMO-hosted add-ons.
In order to get back the "Save as..." functionality (which is subject to the aforementioned vulnerability, though), you can just change the noscript.surrogate.amo.replacement preference to

addEventListener('click', function (e) {
  if (e.button) return;                      // left button only; other buttons keep their default (context menu, "Save as...")
  var a = e.target.parentNode;               // the install link wrapping the clicked element
  var hash = a.getAttribute('data-hash');    // expected digest published by the AMO page
  if (hash) {
    var b = a.parentNode.parentNode;
    InstallTrigger.install({
      x: {
        URL: a.href,
        IconURL: b.getAttribute('data-icon'),
        Hash: hash,                          // InstallTrigger checks the downloaded file against this
        toString: function () { return a.href; }
      }
    });
    e.preventDefault();                      // install through InstallTrigger instead of plain navigation
  }
}, false);
This will be made the default in the next release.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 10:49 am
by Mc
Giorgio Maone wrote:In order to get back the "Save as..." functionality (which is subject to the aforementioned vulnerability, though), you can just change the noscript.surrogate.amo.replacement preference...
Thanks Giorgio, I've reset noscript.surrogate.amo.sources, made the change and it works.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 10:53 am
by therube
If you have FlashGot installed, you can Alt+Click the link, capturing the wanted download file.

Hmm. Is that actually accomplishing anything, or is that still going to be "subject to the aforementioned vulnerability"?

So you're saying the only way to avoid 'MITM' is to either use the existing noscript.surrogate.amo.replacement or to Allow addons.mozilla.org?

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 11:20 am
by Giorgio Maone
therube wrote:So you're say the only way to avoid 'MITM' is to either use the existing noscript.surrogate.amo.replacement or to Allow addons.mozilla.org?
Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 12:16 pm
by Mc
Giorgio Maone wrote:Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.
I'm modifying Firefox and Thunderbird extensions for my use in SeaMonkey, which needs downloads. If I understand you right, that's not save at all.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Thu Jul 01, 2010 12:19 pm
by Mc
Mc wrote:
Giorgio Maone wrote:Yes, and always use the left click install (no "save as" or download), because AMO's files are served from non-HTTPS "release.mozilla.org" mirrors.
I'm modifying Firefox and Thunderbird extensions for my use in SeaMonkey, which needs downloads. If I understand you right, that's not save at all.
...save is not safe :-P

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Fri Jul 02, 2010 8:06 am
by Mc
Fixed with 1.9.9.98rc4.
But still the question: "Save as" not safe on AMO?
Is there a way to get it safe with NoScript? Or why is download/install safe and download/save not?

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Fri Jul 02, 2010 8:39 am
by Giorgio Maone
Mc wrote:But still the question: "Save as" not safe on AMO?
The add-ons files are served from a random releases.mozilla.org mirror over HTTP (unsecured).
Therefore, especially if you're using a proxy, a public Wi-Fi hotspot or an internet provider which you can't trust, a malicious file can be served instead through a MITM attack.
Mc wrote:Is there a way to get it safe with NoScript?
Nope. NoScript already does its best at ensuring you get the correct file, by forcing InstallTrigger to work even if scripts are disabled.
Mc wrote:Or why is download/install safe and download/save not?
Because install is carried out by the InstallTrigger function, which compares a cryptographic hash of the file provided by the install page (over secured HTTPS) with the one computed by the browser after the unsafe download has been completed over HTTP: if the two hashes don't match, you've got a tampered file and the installation fails.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Fri Jul 02, 2010 9:27 am
by Mc
Thanks Giorgio for your explanations.
So finally I suppose I'm rather safe, because I use the proxy of my trustworthy provider.

Re: No Save as on AMO since 1.9.9.98rc1

Posted: Sat Jul 03, 2010 1:02 pm
by dhouwn
Giorgio Maone wrote:Therefore, especially if you're using a proxy, a public Wi-Fi hotspot or an internet provider which you can't trust, a malicious file can be served instead through a MITM attack.
And you should also care when reading Giorgio's posts over an unsecured line, as a malicious text might be served instead.
Note: Giorgio will never ask you for your passwords in a forum post.

SCNR