
mechanism to generate certificates to extension users so that my server can trust api usage?


lucy

Oct 26, 2009, 5:26:38 PM
Hi,

My server has a REST API which my extension uses to report and
retrieve data. I'd like to ensure that only my extension is using that
API. I'd like to protect against malicious third parties tampering
with or (re)sending requests.

My server has a certificate from a CA, which allows clients (extension
users) to trust my server. To do the reverse I'd like to generate
certificates for each extension user. Or something.... is there a
Firefox service or standard for doing this?

Alternatively, I'm thinking about doing something like
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

or communicating the secret key over HTTPS during onInstall.

Thanks,
L.

Eric Jung

Oct 27, 2009, 11:07:20 PM
to dev-ext...@lists.mozilla.org
If you aren't using AMO:

You can generate a unique key (UUID or whatever you like) for each extension
as it's downloaded from your server. Put the key into the XPI itself. Have
the extension read the key at runtime to be sent along with an HTTPS POST
(not GET because the key would then be a URL parameter and not encrypted) to
your server. Your server can validate that the key is legitimate because it
should be keeping a list/database of all keys it's generated for XPI
download.

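The scheme Eric describes, worked through as an added example (this is not code from the thread, and the server language is not stated, so Python is assumed here). It goes one step further than his post to cover lucy's tampering and replay worries: instead of sending the per-install key itself, the extension uses it to HMAC a timestamp, a random nonce and the request body, and the server (which keeps the database of keys it issued at download time) recomputes the HMAC, rejects altered bodies, rejects stale timestamps, and refuses to accept the same nonce twice. All names (`ApiServer`, `ExtensionClient`, `REPLAY_WINDOW`, the field layout) are assumptions for the example. One caveat that applies to the original suggestion as well: anyone who downloads the XPI can read the key out of it, so this identifies a particular install and lets you revoke an abused key, but it cannot prove the request came from an unmodified copy of the extension.

```python
import hashlib
import hmac
import json
import secrets
import time

REPLAY_WINDOW = 300  # seconds a signed request stays valid (assumed value)


def canonical_message(install_id, timestamp, nonce, body):
    """Fixed serialisation of the signed fields. Both sides must agree on it
    exactly, otherwise signatures never match."""
    return "\n".join([install_id, str(timestamp), nonce, body]).encode("utf-8")


def sign_request(key, install_id, timestamp, nonce, body):
    """HMAC-SHA256 over the canonical message, keyed with the per-install secret."""
    return hmac.new(key, canonical_message(install_id, timestamp, nonce, body),
                    hashlib.sha256).hexdigest()


class ApiServer:
    """Holds the list/database of keys issued at XPI download and validates requests."""

    def __init__(self):
        self.keys = {}         # install_id -> secret bytes issued with that XPI
        self.seen_nonces = {}  # (install_id, nonce) -> timestamp it was first accepted

    def issue_key(self):
        """Called once per XPI download; the pair is baked into that XPI."""
        install_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[install_id] = key
        return install_id, key

    def verify(self, request, now=None):
        """Return (accepted, reason). Rejects unknown keys, stale or replayed
        requests, and any request whose signed fields were altered in transit."""
        now = time.time() if now is None else now
        key = self.keys.get(request["install_id"])
        if key is None:
            return False, "unknown install id"
        if abs(now - request["timestamp"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        expected = sign_request(key, request["install_id"], request["timestamp"],
                                request["nonce"], request["body"])
        # constant-time compare so an attacker cannot time-probe the digest
        if not hmac.compare_digest(expected, request["signature"]):
            return False, "bad signature"
        # only authenticated requests touch the nonce store; drop entries too
        # old to pass the timestamp check anyway so it does not grow forever
        self.seen_nonces = {k: t for k, t in self.seen_nonces.items()
                            if now - t <= REPLAY_WINDOW}
        nonce_key = (request["install_id"], request["nonce"])
        if nonce_key in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce_key] = request["timestamp"]
        return True, "ok"


class ExtensionClient:
    """What the extension does with the install_id/key it read out of its XPI."""

    def __init__(self, install_id, key):
        self.install_id, self.key = install_id, key

    def build_request(self, payload, now=None):
        timestamp = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        body = json.dumps(payload, sort_keys=True)
        return {
            "install_id": self.install_id,
            "timestamp": timestamp,
            "nonce": nonce,
            "body": body,
            "signature": sign_request(self.key, self.install_id, timestamp, nonce, body),
        }


def demo(now=1_256_600_000):
    """Walk through the cases the thread worries about; returns the server's verdicts.
    The requests below are constructed for the example."""
    server = ApiServer()
    install_id, key = server.issue_key()          # happens at XPI download
    client = ExtensionClient(install_id, key)     # key read from the XPI at runtime

    request = client.build_request({"event": "report", "value": 42}, now=now)
    results = {"genuine": server.verify(request, now=now)}

    # 1. a third party captures the request and resends it unchanged
    results["replay"] = server.verify(request, now=now + 5)

    # 2. a third party alters the body but keeps the original signature
    tampered = dict(request, body=request["body"].replace("42", "9000"))
    results["tampered"] = server.verify(tampered, now=now)

    # 3. a request signed with a key the server never issued
    rogue = ExtensionClient("deadbeef00000000", b"not-a-real-key")
    results["unknown_key"] = server.verify(rogue.build_request({"event": "report"}, now=now), now=now)

    # 4. a genuine request delivered long after it was signed
    late = client.build_request({"event": "report"}, now=now)
    results["stale"] = server.verify(late, now=now + REPLAY_WINDOW + 1)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

The request still travels over HTTPS as a POST, as Eric suggests; the signature only replaces the raw key in the body, so a logged or captured request exposes a one-time HMAC rather than the long-lived secret. If a key does leak and gets abused, deleting it from `keys` on the server is enough to cut that install off.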

lucy

Nov 1, 2009, 9:55:09 AM
On Oct 27, 11:07 pm, Eric Jung <eric.j...@yahoo.com> wrote:
> If you aren't using AMO:
>
> You can generate a unique key (UUID or whatever you like) for each extension
> as it's downloaded from your server. Put the key into the XPI itself. Have
> the extension read the key at runtime to be sent along with an HTTPS POST
> (not GET because the key would then be a URL parameter and not encrypted) to
> your server. Your server can validate that the key is legitimate because it
> should be keeping a list/database of all keys it's generated for XPI
> download.

Thanks for replying.

What do you mean by "if you aren't using AMO"? Is there some resource
that talks about extension certificates and AMO?
