Closed Bug 265357 Opened 20 years ago Closed 20 years ago

Force https on update.mozilla.org

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86
Windows XP
task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: myk)

References

Details

http://update.mozilla.org/ should redirect to https://update.mozilla.org/, etc.  

This will prevent some man-in-the-middle and DNS-poisoning attacks by
encouraging people to link to the https version and making frequent UMO users
expect it to be https.  This will also allow the default whitelist to be changed
from { update.mozilla.org } to { https://update.mozilla.org/ }, making
man-in-the-middle attacks even harder.
Blocks: 265358
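
An added illustration of the whitelist change proposed in the report above (not part of the original bug, and not Firefox's actual whitelist code): a host-only entry accepts any scheme or port on that host, while a scheme-qualified entry accepts only the HTTPS origin. The function names and sample URLs are constructed for this example.

```javascript
// Added example; names and sample URLs are constructed for illustration.

// Current-style entry from the report: a bare host name, no scheme.
const HOST_WHITELIST = ["update.mozilla.org"];
// Proposed entry from the report: scheme + host, i.e. a full origin.
const ORIGIN_WHITELIST = ["https://update.mozilla.org/"];

function parse(url) {
  try {
    return new URL(url);
  } catch (e) {
    return null; // unparseable input is never allowed
  }
}

// Host-only check: any scheme and any port on the listed host passes,
// including plain http, which gives no protection against a spoofed server.
function hostAllows(url, whitelist = HOST_WHITELIST) {
  const u = parse(url);
  return u !== null && whitelist.includes(u.hostname.toLowerCase());
}

// Origin check: scheme, host and port must all match a listed origin.
function originAllows(url, whitelist = ORIGIN_WHITELIST) {
  const u = parse(url);
  if (u === null) return false;
  return whitelist.some((entry) => {
    const w = parse(entry);
    return w !== null && w.origin === u.origin;
  });
}

// Run both checks over a list of URLs and return one row per URL.
function compare(urls) {
  return urls.map((url) => ({ url, host: hostAllows(url), origin: originAllows(url) }));
}

// Constructed sample install-request URLs.
const SAMPLE_URLS = [
  "https://update.mozilla.org/extensions/",   // intended case
  "http://update.mozilla.org/extensions/",    // same host, no TLS
  "http://update.mozilla.org:8080/",          // same host, other port
  "https://update.mozilla.org.example/",      // look-alike host
  "ftp://ftp.mozilla.org/pub/",               // different host and scheme
];

console.table(compare(SAMPLE_URLS));
```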

I personally don't support this, as any content that's from umo comes from ftp
anyway, therefore https'ing umo is pretty much easy to work around if the
malicious individual changes ftp.mozilla.org's DNS for the user. As well as
server-load concerns for SSL encrypting *everything* constantly. I supported it
for the back-end admin where passwords would be sent, and for the webservice
between clients, but not for the regular site. I personally feel there's a bit
of paranoia here, as even sites such as Windows Update are not https but http.
But in any case, that's not for me to decide.

--> Server Operations.
Assignee: psychoticwolf → myk
Component: Update → Server Operations
QA Contact: mozilla.update → justdave

Windows Update transfers are actually done over HTTPS, just not the content pages.

Done as of a couple days after the Firefox 1.0 release (out of necessity for
scaling issues :)

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
No longer depends on: 261900
Product: mozilla.org → mozilla.org Graveyard