Mozilla to strengthen add-ons update mechanism

Mozilla’s Dave Townsend has announced a proposal for enhancing Firefox add-ons update mechanism. The proposal gathers a number of suggestions made via forum and blog posts and Mozilla newsgroups after it was revealed that the current add-on update mechanism is unnecessarily vulnerable to middle-man attacks where a hacker could fake the actual update site and serve some malicious software instead, as previously reported on late May.

The proposal would add three security measures:

• A hash that acts as an add-on update fingerprint. This would allow Firefox to know for sure the downloaded update file is the one expected.
• Digital signatures. Add-on authors will encrypt the updates with their private key and Firefox will open them with the private key previously obtained when the add-on was installed. Add-on authors will be able to issue their own private-public key pairs.
• Secure connections, the original weakness. It’s still recommended as a way to ensure the update is delivered from the authentic source. The digital signature is an alternative way for developers who don’t have access to a SSL server and don’t want to post it to Mozilla Add-ons, the main source for add-ons and updates.

The proposal is under discussion on Mozilla newsgroups right now but it sounds pretty good to know the issue is being addressed.

The implementation of these or other add-on update security mechanisms has been targeted for Firefox 3 Beta 1.