Closed Bug 1356463 Opened 8 years ago Closed 6 years ago

"Your connection is not secure" when downloading Firefox from https://download-sha1.allizom.org/?product=firefox-stub&os=win&lang=en-US

Categories

(www.mozilla.org :: Bedrock, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: luweitest, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323110425

Steps to reproduce:

Download Firefox for WindowsXP on Mozilla: https://www.mozilla.org/en-US/firefox/new/
The URL is: https://download-sha1.allizom.org/?product=firefox-stub&os=win&lang=en-US

Actual results:

"Your connection is not secure" page appeared:

Your connection is not secure
The owner of download-sha1.cdn.mozilla.net has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
download-sha1.cdn.mozilla.net uses an invalid security certificate.
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Expected results:

Download Firefox
Component: Untriaged → Operations: Product Delivery
Product: Firefox → Cloud Services
QA Contact: oremj
Summary: download Firefox error → "Your connection is not secure" when downloading Firefox from https://download-sha1.allizom.org/?product=firefox-stub&os=win&lang=en-US
Version: 52 Branch → unspecified
Assignee: nobody → oremj
The windows regex is "Windows (?:NT 5.1|XP|NT 5.2|NT 6.0)" (https://github.com/mozilla-services/go-bouncer/blob/master/handlers.go#L29), so it makes sense that this request is being directed to the sha1 endpoint. Rail, is it safe to only direct WindowsXP/Vista users that are on IE to download-sha1 or do we need to send other browsers there as well?
Flags: needinfo?(rail)
Something will also need to change on the bedrock side, since it decides which bouncer (sha1 or not) to send users to.
Actually, I think this only needs to be changed on the bedrock side. If I recall correctly, XP users should get the sha1 installer from bouncer no matter what, but only IE users should hit the download-sha1.allizom.org bouncer. pmac, does that sound right?
Flags: needinfo?(pmac)
I thought we were sending only IE users. Firefox on XP handles modern TLS just fine. I'll move this to the bedrock component since you're right, it has to be done at the bedrock step.
Component: Operations: Product Delivery → Bedrock
Flags: needinfo?(pmac)
Product: Cloud Services → www.mozilla.org
QA Contact: oremj
Target Milestone: --- → 1.0
Version: unspecified → Production
:agibson do you know if we're sending Fx users to the win-sha1 bouncer?
Flags: needinfo?(agibson)
(In reply to Paul [:pmac] McLanahan from comment #5)
> :agibson do you know if we're sending Fx users to the win-sha1 bouncer?

We already have some logic in bedrock that checks to make sure the user is not on Firefox [1]. If I pass the user agent supplied by the reporter "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0", the needsSha1() function returns `false`, so I'm a bit amiss how they could end up being served the sha-1 version of bouncer.

[1] https://github.com/mozilla/bedrock/blob/master/media/js/base/site.js#L137-L146
Flags: needinfo?(agibson)
I also just went to /firefox/new/ using Windows XP (SP2) and Firefox 52.0 ("Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0") and the download gets sent to: https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US
(In reply to Alex Gibson [:agibson] from comment #7)
> I also just went to /firefox/new/ using Windows XP (SP2) and Firefox 52.0
> ("Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0") and
> the download gets sent to:
>
> https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US

I get the clue. Enabled javascript and the download link changed to https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US. Download pops up correctly. As I will not upgrade OS, maybe this is my last time downloading Firefox... Thanks for all your good work and best wishes.
That does make sense. The button does say "Windows XP" I believe. It's confusing, but nearly impossible to get across in a button that it's only for people that don't already have Firefox and are on Windows XP. Apologies for the confusion nonetheless. Does anyone have suggestions on how we might make this case more clear?
(In reply to Paul [:pmac] McLanahan from comment #9)
> That does make sense. The button does say "Windows XP" I believe. It's
> confusing, but nearly impossible to get across in a button that it's only
> for people that don't already have Firefox and are on Windows XP. Apologies
> for the confusion nonetheless.

I see. So this link is for IE. My situation is I am downloading an install package for others, and me in case of re-installation and testing. And also for a software collection that will be buried with WindowsXP.

> Does anyone have suggestions on how we might make this case more clear?

Maybe "secure download" and "insecure download for IE". By the way, I tested with IE and it redirected me to an insecure URL: http://www.firefox.com.cn/?utm_medium=referral&utm_source=mozilla.org with insecure download: http://download.firefox.com.cn/releases-sha2/stub/official/zh-CN/Firefox-latest.exe and http://download.firefox.com.cn/releases-sha2/full/52.0/zh-CN/Firefox-full-latest.exe
Ah Ok, thanks for the additional info. We show all the possible buttons for users with JS disabled, as there's little we can do to try guess what they need. I'm going to close this.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Oops, sorry I missed the bit about making the label more clear. Going to reopen.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Also http://www.firefox.com.cn isn't part of www.mozilla.org, but you're quite right they are pointing their downloads to insecure URLs. We should probably try and contact them to either update their site to https, or point their buttons to bouncer.
As for appropriate labels, I'm really not sure what makes sense here. The "Windows XP/Vista" label is used not just for no JS users, but also as labels in other areas like firefox/all - so replacing it with something like "secure download" wouldn't really work (it would also need translating). We could add a localised string that gets shown only to users with JS disabled perhaps, but then this is probably such a small percentage of users I'm not really sure it's worth it. I'll leave this open for any other suggestions/ideas.
(In reply to Alex Gibson [:agibson] from comment #13)
> Also http://www.firefox.com.cn isn't part of www.mozilla.org, but you're
> quite right they are pointing their downloads to insecure URLs. We should
> probably try and contact them to either update their site to https, or point
> their buttons to bouncer.

I typed mozilla.org into the IE address bar and was redirected to www.firefox.com.cn. It will make a non-tech person think www.firefox.com.cn is part of the Mozilla network, or, for a paranoid one, hijacked. Personally I don't like this way -- is this for zh-CN only? Someone may suspect that it is demanded by the Chinese government, yet I hope it is only a co-operation with the website for better distribution of Firefox.
Yes it looks like the zh-CN locale is redirected - we should definitely contact whomever maintains http://www.firefox.com.cn/
I've cc'd jxia who I believe is in charge of supporting this property.
(In reply to Jeremy Orem [:oremj] from comment #1)
> The windows regex is "Windows (?:NT 5.1|XP|NT 5.2|NT 6.0)"
> (https://github.com/mozilla-services/go-bouncer/blob/master/handlers.go#L29),
> so it makes sense that this request is being directed to the sha1 endpoint.
>
> Rail, is it safe to only direct WindowsXP/Vista users that are on IE to
> download-sha1 or do we need to send other browsers there as well?

I think this is a bit different. Correct me if I'm wrong.

* Bouncer redirects *all* Vista/XP users (regardless of browser) to ESR52 based installers, because XP/Vista are not supported in 53. They are signed with SHA1 certs, but this is nothing to do with the network connection.
* Bouncer is involved after Bedrock, so we should tweak Bedrock to redirect to the sha1/sha2 webheads depending on the browser.
Flags: needinfo?(rail)
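The routing decision discussed in agibson's and rail's comments above, as an added illustration that is not code from bedrock or go-bouncer: the Windows XP/Vista pattern is the one quoted from go-bouncer in comment #1, and the two bouncer hosts and the query string come from the bug report; the Firefox and IE user-agent tests, the `buildUrl`/`noScriptLinks` helpers, and every user agent except the reporter's are assumptions constructed for this example. The IE-only policy it encodes is the one pmac and rail describe (only IE on XP/Vista goes to download-sha1; the SHA-1-signed ESR installer itself is chosen later by bouncer for every XP/Vista browser).

```javascript
// Added example (not bedrock's or go-bouncer's own code). Sends a download
// request to the SHA-1 bouncer only for Internet Explorer on Windows XP/Vista
// and keeps every other browser, Firefox included, on the regular bouncer.

const BOUNCER = 'https://download.mozilla.org/';
const SHA1_BOUNCER = 'https://download-sha1.allizom.org/';

// OS test quoted from comment #1 (go-bouncer handlers.go). The dots are
// unescaped in the quoted pattern; it is kept verbatim so the OS match is the
// one the thread discusses.
const WIN_XP_VISTA = /Windows (?:NT 5.1|XP|NT 5.2|NT 6.0)/;

// Assumption: Firefox announces itself with a "Firefox/<version>" token. The
// thread says bedrock's needsSha1() excludes Firefox; this reconstructs that
// exclusion and is not bedrock's code.
const FIREFOX_UA = /Firefox\/\d/;

// Assumption: IE is recognised by "MSIE <version>" (IE 10 and older) or by a
// "Trident/" engine token (IE 11).
const IE_UA = /MSIE \d|Trident\//;

// True when the request belongs on the SHA-1 bouncer: an XP/Vista Windows
// token, an IE token, and no Firefox token.
function needsSha1(ua) {
  return WIN_XP_VISTA.test(ua) && IE_UA.test(ua) && !FIREFOX_UA.test(ua);
}

// Hypothetical helper: bouncer URL with the same query the bug report shows.
function buildUrl(base, { product = 'firefox-stub', os = 'win', lang = 'en-US' } = {}) {
  return `${base}?${new URLSearchParams({ product, os, lang })}`;
}

// Client-side choice of bouncer host for one user agent.
function downloadUrl(ua, opts = {}) {
  return buildUrl(needsSha1(ua) ? SHA1_BOUNCER : BOUNCER, opts);
}

// With JavaScript disabled nothing inspects the UA in the browser, so (as
// agibson notes) every button is shown, including the "Windows XP/Vista" one
// that points at the SHA-1 bouncer. That is the path the reporter followed.
function noScriptLinks(opts = {}) {
  return {
    default: buildUrl(BOUNCER, opts),
    windowsXpVista: buildUrl(SHA1_BOUNCER, opts),
  };
}

// Sample user agents: the first is the reporter's (quoted from the bug), the
// rest are constructed for this example.
const SAMPLE_UAS = {
  reporterFirefoxXp: 'Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0',
  ie8Xp: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  ie9Vista: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)',
  ie11Win7: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  chromeXp: 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36',
};

// Returns { label: url } for every sample so each routing decision is visible.
function routeSamples(samples = SAMPLE_UAS) {
  const out = {};
  for (const [label, ua] of Object.entries(samples)) {
    out[label] = downloadUrl(ua);
  }
  return out;
}

for (const [label, url] of Object.entries(routeSamples())) {
  console.log(`${label.padEnd(18)} -> ${url}`);
}
```

Running it shows the reporter's Firefox-on-XP user agent landing on download.mozilla.org, IE 8 on XP and IE 9 on Vista on download-sha1.allizom.org, and IE 11 on Windows 7 and Chrome on XP on the regular bouncer; `noScriptLinks()` shows why the SHA-1 link was reachable at all once JavaScript was off.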
(In reply to Alex Gibson [:agibson] from comment #13)
> Also http://www.firefox.com.cn isn't part of www.mozilla.org, but you're
> quite right they are pointing their downloads to insecure URLs. We should
> probably try and contact them to either update their site to https, or point
> their buttons to bouncer.

:agibson, we'll take a look at this, thanks.
The noscript version should present the download links for the most common case, not for the most uncommon case. OS and Browser type and version can be detected on the server. There is no need to require Javascript for that. The computer that does the download is not always the same where the software will be installed. The download page https://www.mozilla.org/firefox/all/#de may use its detection logic for offering a default, but should offer a way to choose a different version.
(In reply to hartnegg from comment #21)
> OS and Browser type and version can be detected on the server. There is no
> need to require Javascript for that.

Pages on a site as high traffic as mozorg need to be heavily cached, so server side UA detection is not really a viable option.
Assignee: oremj → agibson
Assignee: agibson → nobody
users trying to download firefox without javascript enabled (eg. noscript) are hitting this certificate issue, and are unable to download firefox or firefox-esr. would it be possible for the cert on download-sha1.allizom.org to be fixed?
(In reply to Byron Jones ‹:glob› from comment #23)
> would it be possible for the cert on download-sha1.allizom.org to be fixed?

I don't think it is possible. No one has been able to get a new public SHA-1 certificate since 2016. Moreover, Firefox allows a SHA-1 certificate only if it is an imported root.

sha-1 bouncer links were removed from www.mozilla.org some time ago.

Status: REOPENED → RESOLVED
Closed: 8 years ago → 6 years ago
Resolution: --- → FIXED