Firefox made insecure update via http

RESOLVED INVALID

Product: Firefox (Untriaged)
Version: 32 Branch
Platform: x86_64, Windows 7
Reporter: fdsc
Assignee: Unassigned
Tracking flags: Not tracked
Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140917194002

Steps to reproduce:

Check for Firefox update in version 32.0.1 and update



Actual results:

Update will load from
http://download.mozilla.org/?product=firefox-32.0.2-partial-32.0.1&os=win&lang=ru


Expected results:

Update must load from
https://download.mozilla.org/?product=firefox-32.0.2-partial-32.0.1&os=win&lang=ru

Comment 1

4 years ago
We do download from HTTP, but this is not a security issue: the update is verified via a hash which is delivered separately from the update server over a secure channel.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
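
Added example (not Mozilla's updater code and not part of the original bug): the check Comment 1 describes, where the payload may travel over plain HTTP because its hash and size come from a manifest fetched over HTTPS. The manifest layout, attribute names, hostnames and the function name verify_update are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_HASHES = {"sha256", "sha512"}  # refuse weak or unknown digests


def verify_update(manifest_url, manifest_xml, payload, chunk=65536):
    """Return True only if payload matches the hash and size in the manifest."""
    # The manifest is the trust anchor, so it must have arrived over TLS.
    if urlsplit(manifest_url).scheme != "https":
        raise ValueError("manifest must be fetched over https")
    patch = ET.fromstring(manifest_xml).find(".//patch")
    if patch is None:
        raise ValueError("manifest has no patch entry")
    algo = patch.get("hashFunction", "").lower()
    if algo not in ALLOWED_HASHES:
        raise ValueError("unsupported hash function: %r" % algo)
    expected_size = int(patch.get("size", "-1"))
    digest, seen = hashlib.new(algo), 0
    # Stream the download; stop as soon as it exceeds the declared size.
    while True:
        block = payload.read(chunk)
        if not block:
            break
        seen += len(block)
        if seen > expected_size:
            return False
        digest.update(block)
    if seen != expected_size:
        return False
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(digest.hexdigest(), patch.get("hashValue", "").lower())


# Constructed sample data: bytes standing in for the partial update, and a
# manifest describing them (element and attribute names are assumptions).
SAMPLE = b"constructed partial update bytes" * 64
MANIFEST = (
    '<updates><update><patch type="partial" '
    'URL="http://download.example/partial.mar" '
    'hashFunction="sha512" hashValue="%s" size="%d"/></update></updates>'
    % (hashlib.sha512(SAMPLE).hexdigest(), len(SAMPLE))
)

if __name__ == "__main__":
    src = "https://updates.example/update.xml"
    print(verify_update(src, MANIFEST, io.BytesIO(SAMPLE)))              # untouched
    print(verify_update(src, MANIFEST, io.BytesIO(SAMPLE[:-1] + b"X")))  # altered in transit
```

The guarantee rests entirely on the manifest channel: if the manifest itself were fetched over HTTP, whoever could alter the payload could alter the hash to match.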