Closed Bug 358360 Opened 18 years ago Closed 15 years ago

Add-on files are served over HTTP (not HTTPS) (but are usually hash-checked)

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
minor

Tracking

(Not tracked)

RESOLVED WONTFIX
Future

People

(Reporter: jruderman, Unassigned)

Details

(Whiteboard: [sg:want P5])

What's the point of using HTTPS for addons.mozilla.org if the extensions themselves are hosted over HTTP? I bet this misleads users into thinking it is safe to install extensions even when using an untrusted wireless internet connection. Or some users could get owned the next time a router is compromised.
Whiteboard: [sg:want P3]
Component: Add-ons → Public Pages
QA Contact: add-ons → web-ui
Summary: Extensions on addons.mozilla.org are served over HTTP (not HTTPS) → Add-on files are served over HTTP (not HTTPS)
Version: unspecified → 2.0
The point is that we serve a sha1 hash over that https connection, which is verified prior to install, I do believe. See the last parameter to installTrigger...
Severity: major → normal
Oh, I forgot about InstallTrigger hashes. Those are nice, but:
* They don't help if you have JavaScript disabled. (And ironically, some users disable JavaScript or use NoScript in order to improve their security.)
* The status bar just shows an http URL, so it looks less safe than it is if you look at the status bar when hovering over the link.
* The "Featured Add-on" on the front page of https://addons.mozilla.org/ does not have a hash.
I also filed bug 358384, "Force https for www.mozilla.com and Firefox downloads".
Eep, good catch on the front page -- Cameron's going to fix that right now (bug 358392). Yeah, I've thought about having the no-JS link go to a page that tells people that they should turn JS on for this site, and gives them the hashes for them to verify themselves. Not sure how much I care about "looks less safe than it is". I'm going to downgrade this to minor, given installTrigger and bug 358392 being major. Hope that's OK.
Severity: normal → minor
Summary: Add-on files are served over HTTP (not HTTPS) → Add-on files are served over HTTP (not HTTPS) (but are usually hash-checked)
Whiteboard: [sg:want P3] → [sg:want P5]
For clarification: the current remaining issue in this bug is that if a user has JavaScript disabled, the hash check is not done, so when the user clicks "Download Now", the content-type of the file brings up the xpinstall dialog and will install the addon from an http:// mirror without SSL. I think our solution here may be to add a note next to the install button when JS is disabled warning about this case.
Target Milestone: --- → Future
> I think our solution here may be to add a note next to the install button when
> JS is disabled warning about this case.

Hash fixes this problem except for JS-disabled case and I'm marking this wontfix for them.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → addons.mozilla.org Graveyard
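The check this bug relies on, as an added example that is not part of the thread and not Mozilla's code: a file fetched over plain HTTP is accepted only if it matches a hash that arrived over HTTPS, and a missing hash (the no-JS and front-page cases raised above) is rejected rather than skipped. The `sha1:<hex>` string form, the helper names, and the sample bytes are assumptions made for illustration.

```javascript
// Added example: verify an add-on file fetched over plain HTTP against a
// hash string that was delivered over HTTPS, in an assumed "algo:<hex>" form.
const nodeCrypto = require('crypto');

// Algorithms this sketch accepts (assumption; SHA-1 is what the thread names).
const ALLOWED = new Set(['sha1', 'sha256', 'sha512']);

// Hypothetical helper: split "algo:hex" and validate both halves.
function parseHashSpec(spec) {
  if (typeof spec !== 'string') return null;
  const idx = spec.indexOf(':');
  if (idx < 1) return null;
  const algo = spec.slice(0, idx).toLowerCase();
  const hex = spec.slice(idx + 1).toLowerCase();
  if (!ALLOWED.has(algo) || !/^[0-9a-f]+$/.test(hex)) return null;
  return { algo, digest: Buffer.from(hex, 'hex') };
}

// Returns { ok, reason }. Fails closed: no usable hash means no install.
function verifyDownload(fileBytes, hashSpec) {
  const parsed = parseHashSpec(hashSpec);
  if (!parsed) return { ok: false, reason: 'missing-or-malformed-hash' };
  const actual = nodeCrypto.createHash(parsed.algo).update(fileBytes).digest();
  if (actual.length !== parsed.digest.length) {
    return { ok: false, reason: 'wrong-digest-length' };
  }
  const ok = nodeCrypto.timingSafeEqual(actual, parsed.digest);
  return ok ? { ok: true, reason: 'match' } : { ok: false, reason: 'hash-mismatch' };
}

// Constructed sample data (not a real add-on).
const published = Buffer.from('constructed sample XPI bytes');
const publishedHash =
  'sha1:' + nodeCrypto.createHash('sha1').update(published).digest('hex');
const tampered = Buffer.from('constructed sample XPI bytes, modified in transit');

// Runs the three situations from the thread and returns the outcome of each.
function demo() {
  return {
    intact: verifyDownload(published, publishedHash).reason,
    tampered: verifyDownload(tampered, publishedHash).reason,
    noHash: verifyDownload(tampered, undefined).reason,
  };
}
console.log(demo());
```

The integrity guarantee comes entirely from the channel that carried the hash string, so the check is only as strong as that HTTPS delivery and the hash algorithm in use.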