Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Perhaps I misunderstand you but since it's HTTPS, in theory there are no MITM attacks.


Unless, as the article points out, the attacker has your private SSL key (perhaps leaked via Heartbleed).

Without cert pinning here's also the problem of the attacker convincing some browser-trusted CA to issue an SSL cert for addons.mozilla.org, then MITMing you with that.

(And with 600+ trusted roots, many of which are owned by various governments, against state level attackers an ssl connection's claim of authenticity has to be considered very close to worthless...)


> Without cert pinning

In the case of Firefox connecting to addons.mozilla.org, there is cert pinning.


I didn't know that, thanks.

(In retrospect, it's such an obvious thing for them to do - I don't know why I didn't assume it was likely enough to be implemented and check before I posted that...)


To be fair, I _think_ the pinning was only added in Firefox 32, back in September. So it's a pretty recent development.


http://arstechnica.com/information-technology/2013/11/quantu...

All they need is an authorised certificate.


Its possible to MITM an HTTPS connection, trick you into thinking it is secure by providing a green lock favicon, and intercepting or sniffing everything you do over that connection. And it will work on nearly every website in existance.

More people should be aware of SSL Strip and how to protect yourself against it.

http://www.thoughtcrime.org/software/sslstrip/


> Its possible to MITM an HTTPS connection

Not in the case of Firefox connecting to AMO, because it uses a pinned certificate for that.


Are you sure?

I perform HTTPS interception on all out-bound traffic on my network and I don't recall making an exception for AMO, and I have a number of add-ons installed. Though, it wouldn't be the first time I've forgotten about something like that.


Did you install your addons before updating to Firefox 32? That's when the pinning was introduced.


So with the system of mirrors that is in place with distributing some open source software (e.g. debian, ubuntu, etc.) this is less true. A local mirror could selectively serve bad packages (and serve the correct packages to the verification bots).


Debian has a pretty nice mirroring system. Not only are all packages signed, but the Release file (which includes checksums of package lists) is also signed, preventing a mirror from omitting packages. For repositories which receive security updates (say, wheezy-updates), the index is valid for only few days in the future, which helps to prevent mirrors from withholding security updates [1].

If a mirror isn't updated, the user is eventually warned during updates:

> E: Release file for http://mirrors/debian/dists/wheezy-updates/Release is expired (invalid since 1h 20min 30s). Updates for this repository will not be applied.

It mostly negates the need for https mirrors for authenticity, although many still offer it. To my knowledge, most projects with mirror networks operate similar to this.

[1] e.g. https://mirrors.ocf.berkeley.edu/debian/dists/wheezy-updates... has the pseudo-header Valid-Until: Tue, 02 Dec 2014 20:50:35 UTC


Actually, there's no requirement that .deb packages are signed. The system still provides a strong guarantee, because the releases file contains a list of checksums for each package, so it's impossible to tamper with the package, even though it's unsigned. However, if you manually download the package, all bets are off.

RPMs are usually signed directly.


Someone better tell these guys to stop selling SSL MITM hardware, then.

http://www.wired.com/2010/03/packet-forensics


In this situation, addons.mozilla.org is the hypothetical man in the middle so https doesn't protect you.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: