Open
Bug 1146911
Opened 9 years ago
Updated 1 year ago
Malicious files are successfully downloaded through a download area using SSL enabled protocol.
Categories
(Firefox :: Downloads Panel, defect)
Tracking
NEW
People
(Reporter: VarCat, Unassigned)
Attachments
(1 file)
294.17 KB, image/png
FF 38
Build id: 20150323004010
OS: Win 7 x64, Ubuntu 14.04 x86, Mac OS X 10.7.5

STR:
1. Go to http://www.eicar.org/85-0-Download.html
2. Download eicar.com from "Download area using the secure, SSL enabled protocol https" section (e.g.: https://secure.eicar.org/eicar.com)

Issue: The file is successfully downloaded without being blocked.
Comment 1•9 years ago
Monica, do you know if the integrity check is bypassed for SSL downloads?
Flags: needinfo?(mmc)
Comment 2•9 years ago
Flags: needinfo?(mmc)
Comment 3•9 years ago
No, it is not skipped for SSL downloads. Francois is asking Google to put that download on their blocklist. Note that Chrome seems to be showing the POTENTIALLY_UNWANTED warning which we don't yet implement, but could now that the quarantine is implemented (see https://bugzilla.mozilla.org/show_bug.cgi?id=1019933).
Flags: needinfo?(francois)
Comment 4•9 years ago
Also related is that we don't currently do remote metadata lookups for Mac and Linux: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741
Updated•9 years ago
Flags: needinfo?(francois)
Updated•1 year ago
Severity: normal → S3