Closed Bug 265357 Opened 21 years ago Closed 21 years ago

Force https on update.mozilla.org

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86
Windows XP
task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: myk)

http://update.mozilla.org/ should redirect to https://update.mozilla.org/, etc. This will prevent some man-in-the-middle and DNS-poisoning attacks by encouraging people to link to the https version and making frequent UMO users expect it to be https. This will also allow the default whitelist to be changed from { update.mozilla.org } to { https://update.mozilla.org/ }, making man-in-the-middle attacks even harder.
Blocks: 265358
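The difference between the host-only whitelist entry and the https-scoped entry proposed in the description above, as an added example that is not part of the original bug report or Mozilla's code. The function names and sample URLs are constructed for illustration, and the matching rules are an assumption about how such a whitelist could be checked.

```javascript
// Added illustration: hypothetical helpers, not Mozilla's whitelist code.

// Host-only entry ({ update.mozilla.org }): the scheme is ignored,
// so a plain-http URL for the same host is accepted.
function allowedByHost(installUrl, hosts) {
  let u;
  try { u = new URL(installUrl); } catch { return false; }
  return hosts.includes(u.hostname);
}

// Origin entry ({ https://update.mozilla.org/ }): scheme, host and port
// must all match, and anything that is not https is rejected outright.
function allowedByOrigin(installUrl, origins) {
  let u;
  try { u = new URL(installUrl); } catch { return false; }
  if (u.protocol !== "https:") return false;
  return origins.some((entry) => {
    try { return new URL(entry).origin === u.origin; } catch { return false; }
  });
}

const HOSTS = ["update.mozilla.org"];
const ORIGINS = ["https://update.mozilla.org/"];

// Constructed sample URLs (paths and the example.net hosts are made up).
const SAMPLES = [
  "https://update.mozilla.org/extensions/",             // expected site
  "http://update.mozilla.org/extensions/",              // same host, no TLS
  "HTTPS://UPDATE.MOZILLA.ORG:443/extensions/",         // case and default port
  "https://update.mozilla.org.example.net/extensions/", // lookalike suffix
  "https://update.mozilla.org@example.net/extensions/", // host hidden in userinfo
  "not a url",                                          // unparsable input
];

// Returns one row per URL with the verdict of each whitelist style.
function compare(urls) {
  return urls.map((url) => ({
    url,
    host: allowedByHost(url, HOSTS),
    origin: allowedByOrigin(url, ORIGINS),
  }));
}

console.log(compare(SAMPLES));
```

Only the second sample differs between the two checks: the host-only entry accepts the plain-http URL, while the origin entry refuses it.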
I personally don't support this, as any content that's from umo comes from ftp anyway, therefore https'ing umo is pretty much easy to work around if the malicious individual changes ftp.mozilla.org's DNS for the user. As well as server-load concerns for SSL encrypting *everything* constantly. I supported it for the back-end admin where passwords would be sent, and for the webservice between clients, but not for the regular site. I personally feel there's a bit of paranoia here, as even sites such as Windows Update are not https but http. But in any case, that's not for me to decide. --> Server Operations.
Assignee: psychoticwolf → myk
Component: Update → Server Operations
QA Contact: mozilla.update → justdave
Windows Update transfers are actually done over HTTPS, just not the content pages.
Done as of a couple days after the Firefox 1.0 release (out of necessity for scaling issues :)
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
No longer depends on: 261900
Product: mozilla.org → mozilla.org Graveyard