Closed Bug 252676 Opened 21 years ago Closed 21 years ago

configure update.mozilla.org to use ssl

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

Product:
addons.mozilla.org Graveyard
Component:
Public Pages
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: chofmann, Assigned: leaf)

References

(
URL
)

Details

this is to track getting the server, setting up tomcat, getting certs, reviewing the security set up, etc... for firefox 1.0
it would be good if we could get aviary1.0 flags on this bug to help in tracking
tomcat is running on rodan (currently still update.mozilla.org); i'll try and get a thawte cert bundle for these services. For update, do we want *everything* over ssl, or just certain pages (requiring auth for packages to be uploaded, for instance)?
Status: NEW → ASSIGNED
Once you're logged in, at least for UMO admin, you don't get re-authentiicated. I'd say only the login piece and the profile editor should be secured.
Is that really how http-auth works? I think the browser is sending the authentication on each page on your behalf. In any case, whether it's sending the auth or some session token, due to the fix for bug 226278 you can't authenticate over SSL and then interact over non-SSL, it'll request re-authentication which defeats the purpose of using SSL in the first place (to prevent password stealing as remote admins maintain the site on wireless or campus networks, etc.). In addition to the admin interface, the update SOAP interface must be secured so that an attacker can't hack a victim's DNS and send them bogus "you need an update" data. Possibly easiest just to secure the entire site (the large package downloads themselves come from the ftp server).
We're not using http auth for the backend, except as a temporary measure. I don't think the regular site should be secured, since that would be unnecessary strain on the cpu.
The developer/admin back-end uses cookie-based sessions.. not HTTP-Auth. There's HTTP Auth protecting the work-in-progress version that's up now, which is not the final version that'll be up for Firefox 1.0, so the few who need access to it, can get in, and keep out the masses. The easiest is probably to secure the whole site, most users would access the regular front-end on the regular HTTP port anyway, just have to make sure that the back-end on the non-SSL port redirects to the SSL, so that the SSL version is the only access point.
There are two issues, securing admin access is only one (risk: hackers steal a password and hack our repository). The other is that the update URL every client will regularly ping must be SSL to prevent DNS spoofers from redirecting some population (a campus network? an internet cafe?) to a set of fake updates. Obviously we also need to sign the updates to prevent hacking of the ftp mirrors or redirecting those links, but that's in a separate bug.
*** Bug 254448 has been marked as a duplicate of this bug. ***
Iguana, the new update.mozilla.org server has SSL enabled. As Firefox has chosen to drop the need for tomcat and go with RDF over HTTPS, that's all thats required for this bug to be fixed. Since leaf is gone, I'm going to mark this bug fixed on his behalf, as SSL now works. If I'm incorrect in resolving this bug, please reopen. Thanks.
URL: https://update.mozilla.org
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Component: Update → Web Site
Product: mozilla.org → Update
Version: other → unspecified
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.