User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID: 20160606113944 Steps to reproduce: Autosuggestion feature in Firefox: enable ebay and enable search suggestions Actual results: Search suggestions go over HTTP without SSL, enabling a network attacker to spy on people or manipulate the results Expected results: Ebay now supports SSL on that URL as defined in this file: https://dxr.mozilla.org/mozilla-central/source/browser/locales/en-US/searchplugins/eBay.xml The following URL should be changed: http://autosug.ebay.com/autosug To: https://autosug.ebay.com/autosug
Not convinced this in and of itself needs to be sec-sensitive. Mike, do we need to talk to eBay before making this change? Florian, if we make this change, can we require https for suggestions even for external opensearch plugins?
Component: Untriaged → Search
(In reply to :Gijs Kruitbosch from comment #1) > Florian, if we make this change, can we require https for suggestions even > for external opensearch plugins? I think it would only make sense when the submission URL is https. For the current eBay plugin, both the suggestion and submission URLs are http.
I thought we had a policy that our pre-installed searches needed to use TLS? For old crufty ones, though, we can't switch without coordinating with the provider that they can handle the traffic (we've had issues in the past where we had to wait, but less likely to affect a non-default search provider).
Status: UNCONFIRMED → NEW
Ever confirmed: true
2 years ago
platform-rel: --- → ?
Going to dupe this to bug 958885, which is now INVALID due to the global removal of eBay.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 958885
You need to log in before you can comment on or make changes to this bug.