Glad you asked about Firefox, because they do something funky. I can suggest three ways you can validate a download:

- The easiest method is to make sure you download it over HTTPS, and from a site that has a good reputation and that you trust.
- The next-easiest is to check the signature on the installer. Some places will sign the installer, and you can check the signature as Wladimir Palant suggests and check that it is signed by the organization you expect.
- The hardest method is to separately obtain a hash checksum of the correct file from a trusted source, then check that the hash of what you downloaded matches the known-good hash checksum. But then you have to ask: how do we make sure we got the correct hash? For that, see the above answers: you either download it over HTTPS from a trusted, reputable source, or you get a signed version and then somehow validate that it was signed by the right key.

All of these methods have significant pitfalls. When downloading over HTTPS, you have to make sure you haven't been exposed to some chain of redirects that takes you back to HTTP. When checking the signature, you have to make sure that the signer matches who you expect and that the organization name is correct. When obtaining hashes, you have to make sure the hash is trustworthy, or it was all a waste of time. It turns out that Firefox's release system makes it especially tricky to download a known-good version of Firefox.
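The checksum comparison and the HTTPS-redirect-chain check from the answer above, as an added example that is not part of the original post; the installer bytes, file names and URLs are constructed, and the checksum file follows the "DIGEST  FILENAME" layout of sha256sum output.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample: bytes of a "downloaded installer" plus a SHA256SUMS-style
# text as it would be fetched separately over HTTPS (names are hypothetical).
INSTALLER_BYTES = b"example installer payload\n"
CHECKSUM_FILE_TEXT = (
    "ab" * 32 + "  other-file.tar.bz2\n"
    + hashlib.sha256(INSTALLER_BYTES).hexdigest() + " *example-installer.exe\n"
)


def parse_checksum_file(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest from 'DIGEST  FILENAME' lines."""
    digests = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines rather than guess
        digest, name = parts
        # A leading '*' marks binary mode in coreutils output; it is not part of the name.
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_checksum(data: bytes, filename: str, checksum_text: str) -> bool:
    """True only if the file is listed and its SHA-256 matches the listed digest."""
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return False  # an unlisted file is unverified, not "passed"
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def redirect_chain_stays_https(chain: list[str]) -> bool:
    """True only if every hop (initial URL and each redirect target) is https://."""
    for url in chain:
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            return False  # a single http:// hop lets the download be tampered with
    return True
```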