Closed Bug 1132779 Opened 9 years ago Closed 1 month ago

Default Mozilla Tiles should use TLS, shouldn't point at european fan sites

Categories

(Content Services Graveyard :: Tiles, defect)

Product:
Content Services Graveyard
Component:
Tiles
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: dveditz, Unassigned)

Details

Several of the default Mozilla tiles in a new profile point at links that are not secure, it would be preferable if they were for a consistent message since they eventually redirect to the secure version of the site anyway.

One of the sites looks like a scam site since it's not even mozilla.org (but of course old-timers know it's the ancient mozilla-europe community site). These sites do eventually redirect to our correct, secure, site, but I have heard confusion from americans about why our privacy tile has anything to do with Europe.

Worse, since these are essentially fake sites (just a DNS name that redirects) they don't have real certs. Security conscious users who have an add-on like HTTPSEverywhere will have the http:// links automatically converted to https:// links, and then they get invalid certificate errors and Mozilla looks like we don't know how to manage our sites securely.

Please either
 a) get real certs for these redirector-only sites
 b) point at the real site they redirect to


"Mozilla Community" links to http://contribute.mozilla.org
  redirects to http://www.mozilla.org/contribute/
  redirects to httpS://www.mozilla.org/contribute/
  redirects to https://www.mozilla.org/en-US/contribute/

"Customize Firefox" links to http://fastestfirefox.com/firefox/desktop/customize/
  redirects to http://www.mozilla.org/firefox/desktop/customize/
  redirects to httpS://www.mozilla.org/firefox/desktop/customize/
  redirects to https://www.mozilla.org/en-US/firefox/desktop/customize/

"Firefox Sync" links to http://mozilla-europe.org/firefox/sync (mozilla-europe?)
  redirects to http://www.mozilla-europe.org/firefox/sync
  redirects to httpS://www.mozilla.org/firefox/sync
  redirects to https://www.mozilla.org/en-US/firefox/sync
  redirects to https://www.mozilla.org/en-US/firefox/sync/

"Privacy Principles" links to http://europe.mozilla.org/privacy/you (europe?)
  redirects to https://www.mozilla.org/privacy/you
  redirects to https://www.mozilla.org/en-US/privacy/you
  redirects to https://www.mozilla.org/en-US/privacy/you/

We can speed things up by avoiding some redirects (and using trailing '/')
We can make things more secure by avoiding some redirects
We can avoid cert errors by avoiding some redirects.

https://contribute.mozilla.org/ does not give a certificate error, but it's a completely different application than intended and instead of redirecting to the www.mozilla.org contribute page it gives an LDAP login prompt and then fails to an ugly Authorization Required page.

fastestfirefox.com looks like the kind of "Fake Firefox" domain Google search ads are always linking to.
For some context of why there's so many sites being used.. the new tab page only shows a single tile for any given site. Most of the Mozilla tiles want to link to a https://www.mozilla.org page, but because of the one-tile-per-site logic of the new tab page, we worked around that by finding sites that redirect to www.mozilla.org.

adw, I believe you had a patch at some point to allow for multiple directory tiles from the same site?

(In reply to Daniel Veditz [:dveditz] from comment #0)
> https://contribute.mozilla.org/ does not give a certificate error, but it's
> a completely different application than intended and instead of redirecting
> to the www.mozilla.org contribute page it gives an LDAP login prompt and
> then fails to an ugly Authorization Required page.
Indeed. That's partially why we link to http://contribute.mozilla.org instead of https. People have run into the https issue when using "https everywhere" as per bug 1123057.
OS: Mac OS X → All
Hardware: x86 → All
(In reply to Ed Lee :Mardak from comment #1)
> For some context of why there's so many sites being used.. the new tab page
> only shows a single tile for any given site.

Some context: bug 990322, bug 1045760 (I had to look these up to refamiliarize myself with your comment, Ed, so I'll paste them here)

> adw, I believe you had a patch at some point to allow for multiple directory
> tiles from the same site?

Yeah, in bug 1112018 there's a patch that lets links say, Don't squash me with any other link of the same domain.
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.