Yesterday we have got a report, that download links on http://www.mozilla.cz/stahnout/firefox/ redirect to https://download.cdn.mozilla.net/pub/firefox/releases/49.0.1/win64/cs/Firefox%20Setup%2049.0.1.exe, which results to an HTTPS error due to wrong certificate domain name. I was unable to reproduce it, but can confirm that download.cdn.mozilla.net produces warning when accessed over HTTPS. Probably the redirection from download.mozilla.org is misconfigured and should use https://download-installer.cdn.mozilla.net instead of https://download.cdn.mozilla.net ?
download.cdn.mozilla.net is intended to be HTTP only. This happens when someone has an addon that forces HTTPS. Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty sure we can't do this, because we may require http in some instances. Michal, for a quick fix on your side, can you instead link to "-ssl" products e.g., https://download.mozilla.org/?product=firefox-49.0.1-ssl&os=win&lang=cs.
Thank you, I will use it. I just wonder what is the use case for distributing Firefox in an "insecure" way over HTTP.
Seems the "-ssl" does not work for SeaMonkey, but will server good for Firefox and Thunderbird.
(In reply to Jeremy Orem [:oremj] from comment #1) > Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty > sure we can't do this, because we may require http in some instances. My only worry is the stub installer which uses the non-https bouncer entry: https://dxr.mozilla.org/mozilla-central/source/browser/branding/official/branding.nsi#21 used in https://dxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/stub.nsi#1373 I'm not sure if the stub installer handles https, Matt may have more information here.
I'm not sure if we've ever tried it, but the stub installer just uses WinINet for its downloads, and specifically accepts HTTPS URL's, so I don't see a reason why it wouldn't work.