Addon-Signing - and why Mozilla is doing it wrong.

Thu 19 February 2015
By Thomas Gstaedtner
Category: other, Tags: firefox

While it seems to have been in development for a while, it only recently got public coverage: Mozilla is planning to introduce addon-signing in Firefox. First of all: I welcome that.

However, as beneficial as signed addons can be, Mozilla is still doing it wrong, and I'll elaborate on how and why.

What does it mean?

The idea behind signing addons is that a trusted party can verify that the addon is what it claims to be and, at a stretch, does not misbehave. For this, the addon is signed with a cryptographic key that cannot be faked, and the person or organization who does the signing vouches for the addon with their name. This certainly isn't a new concept; it is very sound and used in many places. For example: Windows device drivers are signed by Microsoft, Linux kernel source releases are signed by Linus Torvalds, Debian packages are signed by Debian developers, and so on.

How does it work in Firefox?

If signed addons are introduced in Firefox, it means that addons need to be signed for Firefox to load them. I have not looked in detail at how Mozilla will do that, but the easiest way ...

© 2010-2015 Thomas Gstaedtner - site-sources available
Unless stated otherwise, all textual and visual (image/video) content by me can be used under the
CC BY-SA 3.0 or GNU FDL 1.3 licenses.