btw, @HTTPSEverywhere dodged a bullet. Not affected by Heartbeat because we used offline code signing and weren't in Mozilla addons store.
Replying to @bcrypt
@garrettr_ @dveditz @BRIAN_____ was AMO affected by Heartbeat? separate question: does Mozilla sign AMO addons?
Replying to @bcrypt
@bcrypt @dveditz @BRIAN_____ it's possible to sign xpi's and the sigs are checked on install. Not many add-ons are signed though.
Replying to @garrettr_
@garrettr_ @dveditz @BRIAN_____ but only for self-hosted addons, right? AMO wouldn't let me upload an addon with an updatekey.
Replying to @bcrypt
@bcrypt @garrettr_ @BRIAN_____ updatekey signs update metadata, not the .xpi. AMO itself uses cert-pinning and TLS to guarantee updates.
Replying to @dveditz
@dveditz @garrettr_ @BRIAN_____ but we specify an updateHash in the rdf, which is a hash against the .xpi, right? https://developer.mozilla.org/en-US/docs/Extension_Versioning,_Update_and_Compatibility#Update_Hashes …
Replying to @bcrypt
@bcrypt @garrettr_ @BRIAN_____ That's there in case you're using a non-TLS CDN or a mirror you don't entirely trust.
Replying to @dveditz
@dveditz @garrettr_ @BRIAN_____ does AMO now count as an untrusted mirror? :/ pic.twitter.com/9YM3zZHWt8
Replying to @bcrypt
@bcrypt @dveditz @BRIAN_____ they told me it's not using OpenSSL today in IRC (although that's hard to believe) :/
@garrettr_ @bcrypt @dveditz Stingray Traffic Manager. Has its own TLS implementation which uses OpenSSL's lcrypt library.