My server has a REST API which my extension uses to report and
retrieve data. I'd like to ensure that only my extension is using that
API. I'd like to protect against malicious third parties tampering
with or (re)sending requests.
My server has a certificate from a CA, which allows clients (extension
users) to trust my server. To do the reverse I'd like to generate
certificates for each extension user. Or something... Is there a
Firefox service or standard for doing this?
Alternatively, I'm thinking about doing something like
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
or communicating the secret key over HTTPS during onInstall.
Thanks,
L.

You can generate a unique key (UUID or whatever you like) for each extension
as it's downloaded from your server. Put the key into the XPI itself. Have
the extension read the key at runtime to be sent along with an HTTPS POST
(not GET because the key would then be a URL parameter and not encrypted) to
your server. Your server can validate that the key is legitimate because it
should be keeping a list/database of all keys it's generated for XPI
download.
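
Server-side handling for the per-download key scheme in the reply above, as an added example that is not part of the original thread. It goes one step beyond the reply: the extension signs each request with its key (HMAC over a timestamp, nonce and body hash) instead of posting the key itself, which addresses the tampering and re-sending concern in the question. The names `InstallKeyRegistry` and `sign`, the in-memory store and the 300-second window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # assumed policy: seconds a signed request stays acceptable


def sign(key, install_id, timestamp, nonce, body):
    """Extension side: MAC over the request so the key never goes on the wire."""
    msg = "\n".join([install_id, str(int(timestamp)), nonce,
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class InstallKeyRegistry:
    """In-memory stand-in for the server's list/database of issued keys."""

    def __init__(self):
        self._keys = {}   # install_id -> key bytes
        self._seen = {}   # (install_id, nonce) -> timestamp of accepted request

    def issue(self):
        """Run once per XPI download; both values get packed into that XPI."""
        install_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[install_id] = key
        return install_id, key

    def revoke(self, install_id):
        self._keys.pop(install_id, None)

    def verify(self, install_id, timestamp, nonce, body, signature, now=None):
        """True only for a known key, intact body, fresh timestamp, unused nonce."""
        now = time.time() if now is None else now
        key = self._keys.get(install_id)
        if key is None:
            return False
        expected = sign(key, install_id, timestamp, nonce, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False                      # wrong key or modified request
        if abs(now - timestamp) > MAX_SKEW:
            return False                      # too old (or clock far ahead)
        # Forget nonces whose requests have aged out of the window.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= MAX_SKEW}
        if (install_id, nonce) in self._seen:
            return False                      # re-sent request
        self._seen[(install_id, nonce)] = timestamp
        return True
```

A key packed into the XPI can be read by whoever holds that XPI, so this identifies an install rather than proving the caller is the unmodified extension. What the server gains is the ability to revoke or rate-limit one key without affecting other users.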

Thanks for replying.
What do you mean "if you aren't using AMO"? Is there some resource
that talks about extension certificates and AMO?