Closed
Bug 358360
Opened 18 years ago
Closed 15 years ago
Add-on files are served over HTTP (not HTTPS) (but are usually hash-checked)
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
Future
People
(Reporter: jruderman, Unassigned)
Details
(Whiteboard: [sg:want P5])
What's the point of using HTTPS for addons.mozilla.org if the extensions themselves are hosted over HTTP? I bet this misleads users into thinking it is safe to install extensions even when using an untrusted wireless internet connection. Or some users could get owned the next time a router is compromised.
Reporter | ||
Updated•18 years ago
|
Whiteboard: [sg:want P3]
Component: Add-ons → Public Pages
QA Contact: add-ons → web-ui
Summary: Extensions on addons.mozilla.org are served over HTTP (not HTTPS) → Add-on files are served over HTTP (not HTTPS)
Version: unspecified → 2.0
Comment 1•18 years ago
|
||
The point is that we serve a sha1 hash over that https connection, which is verified prior to install, I do believe. See the last parameter to installTrigger...
Severity: major → normal
Reporter | ||
Comment 2•18 years ago
|
||
Oh, I forgot about InstallTrigger hashes. Those are nice, but:
* They don't help if you have JavaScript disabled. (And ironically, some users disable JavaScript or use NoScript in order to improve their security.)
* The status bar just shows an http URL, so it looks less safe than it is if you look at the status bar when hovering over the link.
* The "Featured Add-on" on the front page of https://addons.mozilla.org/ does not have a hash.
Reporter | ||
Comment 3•18 years ago
|
||
I also filed bug 358384, "Force https for www.mozilla.com and Firefox downloads".
Comment 4•18 years ago
|
||
Eep, good catch on the front page -- Cameron's going to fix that right now (bug 358392).
Yeah, I've thought about having the no-JS link go to a page that tells people that they should turn JS on for this site, and gives them the hashes for them to verify themselves.
Not sure how much I care about "looks less safe than it is".
I'm going to downgrade this to minor, given installTrigger and bug 358392 being major. Hope that's OK.
Severity: normal → minor
Reporter | ||
Updated•18 years ago
|
Summary: Add-on files are served over HTTP (not HTTPS) → Add-on files are served over HTTP (not HTTPS) (but are usually hash-checked)
Whiteboard: [sg:want P3] → [sg:want P5]
Comment 5•17 years ago
|
||
For clarification: the current remaining issue in this bug is that if a user has JavaScript disabled, the hash check is not done, so when the user clicks "Download Now", the content-type of the file brings up the xpinstall dialog and will install the addon from a http:// mirror without SSL.
I think our solution here may be to add a note next to the install button when JS is disabled warning about this case.
Target Milestone: --- → Future
Comment 6•15 years ago
|
||
> I think our solution here may be to add a note next to the install button when
> JS is disabled warning about this case.
Hash fixes this problem except for JS-disabled case and I'm marking this wontfix for them.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•9 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•