Closed Bug 1435147 Opened 6 years ago Closed 6 years ago

mozregression for Windows installation steps are insecure (download via http://)

Categories

(Testing :: mozregression, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jan, Unassigned)

Details

(Keywords: nightly-community)

Attachments

(1 file)

*lets
Thanks for pointing this out, I will address it when I have a moment.
Flags: needinfo?(wlachance)
Ok, readme and website updated. Thanks again for the report.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(wlachance)
Resolution: --- → FIXED
(In reply to William Lachance (:wlach) (use needinfo!) from comment #3)
> Ok, readme and website updated. Thanks again for the report.

Thanks! :)

But this part is still a problem: The exe would still be downloaded via http://.
> https://www.activestate.com/activepython/downloads
> links to
> https://www.activestate.com/activepython/downloads/thank-you?dl=http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
> which let's me download
> http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe

This is so cool:
https://downloads.[...]/downloads/fu**-you?dl=http://downloads.[...].exe

Could one of you contact them with your @mozilla.com address and also suggest https://hstspreload.org/?domain=activestate.com ?
https://observatory.mozilla.org/analyze.html?host=activatestate.com should also be interesting for them.
(They even redirect https://activestate.com back to http://www.activestate.com/.)

Thanks. ;D
Hey, I doubt a message from me would be any more effective than one from you. Feel free to bring this to their attention, but I don't think there's anything more I can do here.
I'll get in touch with them. Thanks for letting me know.
Note that their download redirect checks to verify that the URL begins with https://downloads.activestate.com/, so you can't just set it to any arbitrary URL.
(In reply to April King [:April] from comment #6)
> I'll get in touch with them. Thanks for letting me know.

Did they reply? The download still happens via http://.

Otherwise https://mozilla.github.io/mozregression/install.html could have a direct link to https://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe as a temporary solution.

If this can't get fixed soon, we would have to reopen this bug because this blocks bug 1436695, I think.
I haven't yet heard back from them. For now I would directly link to the Python version:

https://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe

It seems to work just fine over HTTPS (which I pointed out to them). I'll let you know if I hear back from them. They don't have any obvious points of contact, so it was just sending them messages on Twitter.
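
The downgrade discussed in this thread (an https:// landing page whose dl= parameter points at an http:// installer) can be checked mechanically before a link goes into install documentation. The following is an added example, not part of the bug thread or of mozregression; the function name, the finding codes, the extra parameter names beyond dl, and the example.test URL are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# URLs quoted in the thread above.
LANDING = ("https://www.activestate.com/activepython/downloads/thank-you?dl="
           "http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/"
           "ActivePython-2.7.14.2717-win64-x64-404905.exe")
DIRECT = ("https://downloads.activestate.com/ActivePython/releases/2.7.14.2717/"
          "ActivePython-2.7.14.2717-win64-x64-404905.exe")
# Constructed sample: HTTPS throughout, but the nested target is another host.
OFF_HOST = "https://www.example.test/thank-you?dl=https://mirror.example.test/a.exe"

DOWNLOAD_HOST = "downloads.activestate.com"
# "dl" is the parameter seen in this bug; the other names are assumptions.
NESTED_PARAMS = ("dl", "url", "redirect")


def audit_download_link(link, expected_host=None):
    """Return (code, detail) findings for a link and any URL nested in its query."""
    findings = []
    outer = urlsplit(link)
    if outer.scheme.lower() != "https":
        findings.append(("outer-not-https", link))
    query = parse_qs(outer.query)
    for name in NESTED_PARAMS:
        for target in query.get(name, []):
            inner = urlsplit(target)
            # The file itself is fetched from the nested URL, so its scheme
            # decides whether the installer can be tampered with in transit.
            if inner.scheme.lower() != "https":
                findings.append(("nested-not-https", target))
            if expected_host and (inner.hostname or "").lower() != expected_host:
                findings.append(("nested-host-mismatch", target))
    return findings


if __name__ == "__main__":
    for url in (LANDING, DIRECT, OFF_HOST):
        print(url)
        for code, detail in audit_download_link(url, DOWNLOAD_HOST):
            print("  ", code, detail)
```
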