Nightly and Aurora convert http to https automatically

RESOLVED INVALID

Status

()

Firefox
Untriaged
RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: Ray Satiro, Unassigned)

Tracking

42 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20150807030210

Steps to reproduce:

Go to http://click.mail.whitehouse.gov in Nightly or Aurora



Actual results:

Nightly converts the link to https://click.mail.whitehouse.gov

This is a bad idea because they clearly aren't expecting that and the certificate provided by click.mail.whitehouse.gov doesn't list it as an alternate name, resulting in this error:

click.mail.whitehouse.gov uses an invalid security certificate. The certificate is only valid for the following names: *.s6.exacttarget.com, s6.exacttarget.com (Error code: ssl_error_bad_cert_domain)

I ran mozregression but I encountered some errors using it. I ran both the gui and command line tool. I was able to narrow it down to good 2015-07-30 and bad 2015-07-31, then I did the inbounds:

 4:24.85 LOG: MainThread Bisector INFO Narrowed inbound regression window from [54e85cce, 57273aac] (4 revisions) to [104b0bbd, 57273aac] (2 revisions) (~1 steps left)
 4:24.85 LOG: MainThread Bisector INFO Oh noes, no (more) inbound revisions :(
 4:24.85 LOG: MainThread Bisector INFO Last good revision: 104b0bbd714f
 4:24.85 LOG: MainThread Bisector INFO First bad revision: 57273aac7996
 4:24.85 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=104b0bbd714f&tochange=57273aac7996

The problem is I had to do this several times and I'm not convinced mozregression was working properly. I know definitely that 2015-08-07 is bad and 2015-07-20 is good.


Expected results:

If a link is http I'd think it should stay that way unless the host wants https. Otherwise you'll run into certificate errors like this quite often I imagine.
Firefox and other browsers support HSTS
- https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

Each Firefox build contains a preloaded list of domains where https will be enforced and depending on the Firefox build date you have different sites in this preloaded list.
The list is maintained by google here: https://hstspreload.appspot.com/ 
The whole whitehouse.gov domain is in the preloaded list and that explains why https is enforced for http://click.mail.whitehouse.gov/

See also https://www.washingtonpost.com/news/the-switch/wp/2015/02/11/your-browser-may-soon-force-you-to-connect-securely-to-some-u-s-government-web-sites/
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.