Minimise the number of people getting downrev Firefox versions

Status: NEW (defect), Unassigned
Reporter: gerv
Opened 3 years ago, updated 3 years ago
Tracking: Trunk; Points: ---
Firefox Tracking Flags: firefox47 affected

Details

Bouncer sends everyone who uses XP or Vista to download Firefox 43 instead of the latest version:
https://github.com/mozilla-services/go-bouncer/blob/master/handlers.go#L27

This is because people using Windows XP SP2 or below, or Vista SP1 and below aren't able to deal properly with SHA-256 signatures on binaries, which we are using for 44 and above. (People using later versions of those OSes have a patch which makes SHA-256 work.)

This bug is about finding a way to minimise the number of people we send to the downlevel version, because they will get the Firefox 43 first-run experience instead of any newer one, and they will also have to download a new build straight away after install. Neither of these are great things. If we have to do them, it's better than the installer not running, but we should avoid it as much as possible.

One suggestion would be to do better client detection in JS on www.mozilla.org and split the user stream there. We will have to do this in 2017 anyway because currently we use SHA-1 for our download servers and they will need to be upgraded to SHA-256 (as browsers will start outright rejecting SHA-1) and so these old browsers won't be able to download from the standard servers anyway. So OS detection, currently done in bouncer, would have to move to bedrock at that point regardless.

As a suggestion, we might be able to use this JS code, or principles from it:
https://github.com/pwnieexpress/metasploit-framework/blob/149c976e4af044b1b370f020712341f8f2155d1d/lib/rex/exploitation/javascriptosdetect.js#L698

Related bugs: bug 1079858, bug 1234882.

Gerv
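As an added illustration of the client-side split the description proposes (example code written for this page, not bouncer's or bedrock's own): a User-Agent classifier that routes only the Windows NT versions named in this bug to the SHA-1-signed Firefox 43 build and everything else to the latest build. It assumes the mapping XP = NT 5.1, XP x64 / Server 2003 = NT 5.2, Vista / Server 2008 = NT 6.0, and that the User-Agent string carries no service-pack level, which is why a patched XP SP3 user still lands on the downlevel path.

```javascript
// Added example, not code from the bug, bouncer or bedrock.
// Assumption: these NT versions may lack SHA-256 Authenticode support
// (the UA does not reveal whether the relevant update is installed).
const DOWNLEVEL_NT = {
  "5.1": "Windows XP",
  "5.2": "Windows XP x64 / Server 2003",
  "6.0": "Windows Vista / Server 2008",
};

// Extract the "Windows NT x.y" token from a User-Agent string, or null.
function parseWindowsNT(ua) {
  const m = /Windows NT (\d+)\.(\d+)/.exec(ua);
  return m ? `${m[1]}.${m[2]}` : null;
}

// Decide which download to hand out. Returns an object so the caller can
// log the reason and measure how many users hit the downlevel path.
function selectBuild(ua) {
  const nt = parseWindowsNT(ua);
  if (nt === null) {
    // Not Windows (or no NT token): signature support is not an issue.
    return { build: "latest", reason: "non-Windows user agent" };
  }
  if (Object.prototype.hasOwnProperty.call(DOWNLEVEL_NT, nt)) {
    // Service pack unknown from the UA, so the safe choice is the SHA-1 build.
    return {
      build: "sha1-downlevel",
      reason: `${DOWNLEVEL_NT[nt]}: service pack not detectable from UA`,
    };
  }
  return { build: "latest", reason: `Windows NT ${nt} verifies SHA-256 signatures` };
}

// Share of a traffic sample that would be sent downlevel.
function downlevelShare(uas) {
  const n = uas.filter((ua) => selectBuild(ua).build === "sha1-downlevel").length;
  return n / uas.length;
}

// Constructed sample User-Agent strings (not real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0",
  "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
  "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0",
];
```

Run over real download-page traffic, downlevelShare gives the number this bug wants to drive down.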

Comment 1

3 years ago
Replacing my cc with one for :oremj, who wrote and committed what appears to be the majority of the SHA1 code for bouncer.

Note that one *possible* outcome for this bug is that we already minimize the number of people we send to the downlevel version, for reasons not yet made apparent here.
Comment 2

Would this affect Server 2008 as well?

Comment 3

(In reply to Ben Hearsum (:bhearsum) from comment #2)
> Would this affect Server 2008 as well?

Good catch: yes, it does[0], which means that users of Server 2008 without the relevant update cannot currently run the installer they get when clicking on the download button on https://www.mozilla.org/firefox/new/. The main use case I can think of for this would be for admins of Windows Terminal Services, which are hopefully up to date with the security upgrades needed to run the SHA-256 signed installer they're currently getting, but it may be worth investigating.

[0] https://support.microsoft.com/en-us/kb/2763674
See Also: bug 1245842