Closed Bug 628428 Opened 10 years ago Closed 5 years ago

billboardURL should use https: (and other update.xml urls?)

Categories

(Toolkit :: Application Update, defect)

defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: dveditz, Unassigned)

Details

We securely fetch the update.xml snippets, but those snippets contain several URLs we may load and display to the user. One of those urls is the billboardURL, currently presented to the user to encourage major update installation (but potentially in the future for other more marketing-like reasons).

Since this URL is currently http: there is a risk of spoofing content inside a browser dialog which could direct the user to take an unsafe action. Anecdotally some users have been confused when opening their browser at a wifi hotspot and getting the local wifi login screen inside our upgrade dialog. Traditionally these urls have been loaded from www.mozilla.com and that site is reachable using the https: scheme. It should work fine and simply be a snippet update to accomplish, but there may be a server load concern. If there is we could easily throttle major update pushes to keep the load at an acceptable level.
(Firefox 3.6 currently uses a different XML value similarly, detailsURL I think).

Firefox 4 introduces a couple more attributes for URLs potentially opened post update: openURL, alertURL, and notificationURL. These similarly could be made SSL to protect against spoofing although some other browser load could be hijacked and made to look like a message from us (which we've seen, with the fake "You need to update Adobe" page). Since it's not in our update dialog it's not quite as pressing.
Talked with mrz about serving this up from the aus server. That way we can easily perform the same cert checks that are performed against the cert for the snippets
We haven't used the billboard in a very long time and we are planning to remove it entirely.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.