It's been a while since I had a look at the GitHub pages of one of my favorite ongoing open-source projects <3
Nonetheless, I have been surprised that the add-on is still distributed through http://convergence.io via the one-click install option.
The add-on is to be distributed in the same fashion Tor products are — we are to ship an .xpi signed with Moxie's pubkey.
The rationale behind this is that, being fully http://, convergence.io is exposed to attacks from hostile network environments.
Imagine a convergence that accepts all the certificates your browser receives just because you used poisoned WiFi to install it or live in Iran.
I don't have the exact statistics about the popularity of convergence nowadays, but as far as I can tell from the number of fetches of the .notary file at my web server it's growing at at least logarithmic speed, thus convergence-related attacks can become a real scenario any time soon. We are to be ready.
So what needs to be done is:
write instructions about how to verify the signature
write instructions covering the .xpi installation process
put those at convergence.io and duplicate those on — say — wiki pages of convergence project (https://)
My English isn't perfect, though I can take some time to write those things (asking native speakers to check for mistakes) and send those over to Moxie.
Jonn Mostovoy, DA234FE7
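As an added illustration of the verification step the issue asks to document (this is example code, not from the issue or the Convergence project): a POSIX shell check that verifies a detached OpenPGP signature on a downloaded .xpi and refuses it unless the signer's primary key fingerprint matches a pinned value. The expected fingerprint, file names and the throwaway key in the self-test are all assumptions; a real deployment would pin the release key's fingerprint obtained out of band.

```shell
#!/bin/sh
# Added example, not from the issue or the Convergence project: check a detached
# OpenPGP signature on a downloaded .xpi and pin the signing key's fingerprint
# before the add-on is installed. EXPECTED_FPR would be the release key's
# fingerprint published out of band (placeholder here; the self-test makes one).
set -eu

# verify_xpi XPI SIG EXPECTED_FPR
# Returns 0 only if the signature verifies AND the primary key that made it has
# the pinned fingerprint. "Good signature" alone is not enough: gpg says that for
# any key that happens to be in the keyring, so the fingerprint is the real check.
verify_xpi() {
    xpi=$1; sig=$2; expected=$3
    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$xpi" 2>/dev/null) || return 1
    # VALIDSIG's last field is the primary key fingerprint of the signer.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# Self-test with a throwaway key in a temporary keyring; all data is constructed,
# nothing is fetched from the network. Returns 0 when every case behaves.
selftest() {
    tmp=$(mktemp -d); chmod 700 "$tmp"
    GNUPGHOME=$tmp; export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Test Signer <test@example.invalid>' ed25519 sign never
    goodfpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'PK\003\004 constructed stand-in for convergence.xpi\n' > "$tmp/convergence.xpi"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign -o "$tmp/convergence.xpi.asc" "$tmp/convergence.xpi"
    rc=0
    # 1. genuine file, pinned key: must pass
    verify_xpi "$tmp/convergence.xpi" "$tmp/convergence.xpi.asc" "$goodfpr" || rc=1
    # 2. valid signature but a different pinned fingerprint: must fail
    if verify_xpi "$tmp/convergence.xpi" "$tmp/convergence.xpi.asc" \
        "0000000000000000000000000000000000000000"; then rc=1; fi
    # 3. file modified in transit (what a hostile network would do): must fail
    printf 'x' >> "$tmp/convergence.xpi"
    if verify_xpi "$tmp/convergence.xpi" "$tmp/convergence.xpi.asc" "$goodfpr"; then rc=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}
```

Run `selftest` to exercise all three cases locally; for a real download, call `verify_xpi convergence.xpi convergence.xpi.asc <pinned fingerprint>` and only install when it returns 0.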