MozillaZine

Extensions.checkUpdateSecurity

From MozillaZine Knowledge Base

Contents

Background

In Firefox 2 and earlier, the browser can check installed extensions for updates. Often, this is done over an unencrypted HTTP connection, which means the updates are vulnerable to man-in-the-middle attacks. In this way, someone could trigger an update of an extension, but replace the update with malicious code, which would then run with chrome privileges. This vulnerability was reported by Christopher Soghoian and detailed in bug 378216.

To address this vulnerability, extensions are now required to use one of the following approaches for updates: an SSL-encrypted update URL, no update URL at all, or an update key/hash for verifying the validity of the update. The application “McCoy” aids developers in the last option.

If an extension does not use one of the mentioned methods for securing updates, Firefox will prevent it from being installed. This preference allows the user to bypass the check and install the extension anyway.

Possible values and their effects

True

Verify that the update method for any extension is secure before installing. (Default)

False

Do not check for update security.

Recommended settings

Setting this preference to false is not recommended, as it leaves the user open to the man-in-the-middle attack described above.

First checked in

2007-09-03 by Dave Townsend

Has an effect in

  • Mozilla Firefox (trunk builds after 2007-09-03)
  • Mozilla Thunderbird (trunk builds after 2007-09-03)
  • SeaMonkey (trunk builds after 2007-09-03)

Related bugs

External links