Add-on updates
There are thousands of incredibly diverse add-ons for Firefox. This active participation by third party developers enhances browsing for many users. Add-ons are an important part of Firefox, so Mozilla is committed to helping developers create secure add-ons. This week there’s been some concern about updates that are distributed over non-SSL channels. Connections using HTTP (instead of HTTPS) can be redirected by an attacker to a hostile server and potentially install malicious code.
Add-ons that are hosted on the Mozilla Add-ons site are served over HTTPS and validated with a hash. These add-ons are not vulnerable to this attack. We strongly recommend that add-on developers require SSL for updates to prevent the attack described above.
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels and investigating ways to universally improve updates for add-ons. There are a number of options being considered, all of which are designed to make it easy to write secure add-ons. If you would like to participate in this discussion please join us in the Firefox development discussion group at news://news.mozilla.org/mozilla.dev.apps.firefox.
More information for developers is available here: http://developer.mozilla.org/en/docs/Install_Manifests#updateURL