1283672 - Enable HTTPS for Ebay search suggestions

Status: RESOLVED DUPLICATE of bug 958885

(Firefox :: Search, defect)

Description

[research]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160606113944

Steps to reproduce:

Autosuggestion feature in Firefox: enable ebay and enable search suggestions


Actual results:

Search suggestions go over HTTP without SSL, enabling a network attacker to spy on people or manipulate the results


Expected results:

Ebay now supports SSL on that URL as defined in this file:
https://dxr.mozilla.org/mozilla-central/source/browser/locales/en-US/searchplugins/eBay.xml

The following URL should be changed:
http://autosug.ebay.com/autosug

To:
https://autosug.ebay.com/autosug

Comment 1

[:Gijs (he/him)]

Not convinced this in and of itself needs to be sec-sensitive.

Mike, do we need to talk to eBay before making this change?

Florian, if we make this change, can we require https for suggestions even for external opensearch plugins?

Comment 2

[Florian Quèze [:florian]]

(In reply to :Gijs Kruitbosch from comment #1)

> Florian, if we make this change, can we require https for suggestions even
> for external opensearch plugins?

I think it would only make sense when the submission URL is https. For the current eBay plugin, both the suggestion and submission URLs are http.

Comment 3

[Daniel Veditz [:dveditz]]

I thought we had a policy that our pre-installed searches needed to use TLS? For old crufty ones, though, we can't switch without coordinating with the provider that they can handle the traffic (we've had issues in the past where we had to wait, but less likely to affect a non-default search provider).

Comment 4

[Mike Connor [:mconnor]]

Going to dupe this to bug 958885, which is now INVALID due to the global removal of eBay.