Closed Bug 1608112 Opened 6 years ago Closed 3 months ago

Update download pages to show hash values to assist with verification and integrity of any downloads.

Categories

(www.mozilla.org :: Product Details, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: egberts, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Beginner's Method:

  1. Visited https://www.firefox.com/ and got "Download Firefox" page.
  2. Click on "Download" button
  3. Received the binary file in my Downloads folder (Linux x64)
  4. Browser redirected to "Thanks" page. (https://www.mozilla.org/en-US/firefox/download/thanks/)
  5. Cannot find any hash value associated with the recent download

Advanced Method:

  1. Visited https://www.firefox.com/ and got "Download Firefox" page.
  2. Click on "Advanced Install options & other platforms" hyperlink located just below its "Download" button
  3. Received the binary file in my Downloads folder (Linux x64)
  4. Browser redirected to "Download Firefox" (please note different title) page. (https://www.mozilla.org/en-US/firefox/download/thanks/)
  5. Cannot find any hash value associated with the recent download

Expert Method:

  1. Visited https://www.firefox.com/ and got "Download Firefox" page.
  2. Click on "Linux 64-bit" hyperlink located just right of its "Download" button
  3. Received the binary file in my Downloads folder (Linux x64)
  4. No browser redirect (same page, https://www.mozilla.org/en-US/firefox/new/?redirect_source=firefox-com).
  5. Cannot find any hash value associated with the recent download

So, where can we find these security verification SHA1/SHA256/MD5 hash values for various binaries?

Actual results:

Beginner Method

  1. No hash value found

Advanced Method

  1. No hash value found

Expert Method

  1. No hash value found

Expected results:

Display a hash value?

Removed the security-sensitive flag as there's nothing security sensitive in this bug and to increase visibility.

Group: websites-security

I'm pretty sure all of the Firefox installations have digital signatures, and so have all of this built-in.

Built-in? Built-in!?

OK, as an OpSec, we should trust you to deliver the binaries to our Download folders through hostile Internet zones?

What if I was using a compromised Firefox binary? Could I tell if the download too was compromised?

What did I miss?

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Resolution: --- → WONTFIX

The download pages on mozilla.org / firefox.com do not know about the effective build being served on that download/CDN link.

For checksums, head over to https://archive.mozilla.org/pub/firefox/ and compare the archived downloads there with the SHA* files provided next to them; e.g.: https://archive.mozilla.org/pub/firefox/releases/128.12.0esr/
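The check that last comment describes, as an added example that is not part of the bug thread or of Mozilla's own tooling: a POSIX sh function that verifies a downloaded archive against the SHA256SUMS manifest from the same release directory. The manifest line format and the release-style paths are assumptions; the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread or Mozilla: verify a downloaded
# Firefox archive against the SHA256SUMS manifest published in the same
# release directory on archive.mozilla.org. Assumes the coreutils line
# format "<hex digest>  <relative path>" (or "<digest> *<path>").

# Pick a SHA-256 tool: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_download MANIFEST LOCAL_FILE LISTED_PATH
# Exit status: 0 digest matches, 1 digest mismatch, 2 LISTED_PATH not listed.
verify_download() {
  manifest=$1; local_file=$2; listed_as=$3
  # Strip "<digest>  " / "<digest> *" and compare the remainder as a whole
  # string: Windows entries such as "win64/en-US/Firefox Setup 1.exe" contain
  # spaces, so a field-based match ($2 == p) would silently fail on them.
  expected=$(awk -v p="$listed_as" '{ rest = $0
      sub(/^[0-9a-fA-F]+ [ *]/, "", rest)
      if (rest == p) { print $1; exit } }' "$manifest")
  if [ -z "$expected" ]; then
    echo "not listed in manifest: $listed_as" >&2
    return 2
  fi
  actual=$(sha256_of "$local_file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $local_file matches $listed_as"
    return 0
  fi
  echo "MISMATCH for $local_file: expected $expected, got $actual" >&2
  return 1
}

# Constructed demonstration data (not a real release): a stand-in archive and
# a manifest that lists it under a release-style relative path.
demo() {
  dir=$(mktemp -d)
  printf 'stand-in for a tarball\n' > "$dir/firefox-0.0.0.tar.bz2"
  printf '%s  linux-x86_64/en-US/firefox-0.0.0.tar.bz2\n' \
    "$(sha256_of "$dir/firefox-0.0.0.tar.bz2")" > "$dir/SHA256SUMS"
  verify_download "$dir/SHA256SUMS" "$dir/firefox-0.0.0.tar.bz2" \
    "linux-x86_64/en-US/firefox-0.0.0.tar.bz2"
  rm -rf "$dir"
}
demo
```

The manifest is served by the same host as the binary, so a tampered mirror could rewrite both; archive.mozilla.org also publishes a detached signature (SHA256SUMS.asc) and a KEY file, and checking that signature with gpg is what ties the digests to Mozilla rather than to the CDN.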
