Flaws in Mozilla's Handling of Security Certificates Discovered and Fixed

Tuesday July 27th, 2004

CNET is reporting that two new flaws in the way Mozilla handles security certificates have been discovered. The more serious vulnerability allows a site to appear to have a security certificate when it does not (bug 253121). The other hole makes it possible for an attacker to overwrite the root certificate authority certificates, causing an error message to appear whenever the user tries to access a (genuine) secure site (bug 249004). Both bugs have now been fixed, but updated end-user releases of Mozilla products are not yet available.

#11 Re: Re: no xpi

by mlefevre

Wednesday July 28th, 2004 7:14 AM

Last time I saw binary patches discussed, it was about Seamonkey. A binary patch between major versions (e.g. 1.6 and 1.7) was well over half the 13MB download size, so not really worth the effort. However, differences between 1.7.0 and 1.7.1 would be smaller. I don't know what would happen with Firefox.

The main problem is finding someone with the time and knowledge to implement a binary patch structure (which would need to be an open-source solution). So, if you have the time to test and/or implement, it might be interesting.