Closed Bug 647107 Opened 9 years ago Closed 9 years ago

snippet details URL is not secure, can spoof major updates

Categories

(SeaMonkey :: Release Engineering, defect, P2)

x86
All
defect

Tracking

(blocking-seamonkey2.1 MU+)

RESOLVED FIXED
Tracking Status
blocking-seamonkey2.1 --- MU+

People

(Reporter: Callek, Assigned: Callek)

For SeaMonkey, we need a solution here.

Two solutions come to mind:
* Use somewhere on https://www.mozilla.org
* Transition seamonkey-project.org to be accessible over https

The second option is probably best, so I will get relevant bugs on file and work to make that happen.

+++ This bug was initially created as a clone of Bug #645551 +++

The major update UI displays the contents of the detailURL attribute in the update snippets. We've sandboxed the content to prevent scripts etc, but we appear to load it from an http:// url which is not secure. This means a MITM could easily replace that content. Results could be simply a spoof ("click this link" to a non-mozilla site), or the content could redirect (or better, meta refresh) to a URL serving an exe, prompting the user to download a trojan.

Pointed out by Aaron Sigel
https://twitter.com/#!/diretraversal/status/52107274294018048

Release Engineering is probably the wrong component because I don't see any of the release-blocking flags I need. Who would change this content?

Note the entire www.mozilla.com site is available over https so there is no reason not to use it in the link.
The nice part of this is that this is a not-yet-security-problem for SeaMonkey, as we don't ship a major update yet (though I think we should do a test run of that for 2.1b3 but not hit public channels with it for the moment, just so we can test internally if things work).

This needs to be done for final, though, as this is a public issue now.
Depends on: 653974
(In reply to comment #0)
> For SeaMonkey, we need a solution here.
> 
> Two solutions come to mind:
> * Use somewhere on https://www.mozilla.org
> * Transition seamonkey-project.org to be accessible over https

After discussing with justdave, the shortest term solution is somewhere under https://www.mozilla.org

We can't do seamonkey-project.org unless KaiRo takes money out of his pocket and buys a cert (mozilla just hosts for us)

A subdomain under .mozilla.org is possible, but much more work.

David, where under https://www.mozilla.org can we use, and where would code get checked in, and what is the deployment strategy we would need to plan for?

We only need a space for the MU billboards, and it can be an obscure URL, so long as it makes sense to someone looking at the code/url what it is for, imo.
(In reply to comment #2)
> We can't do seamonkey-project.org unless KaiRo takes money out of his pocket
> and buys a cert (mozilla just hosts for us)

It's not really a money question, btw, more a question of deciding which CA, going through the process, and then having me as the owner even though I'm trying to make SeaMonkey independent of me right now...

So, yes, let's go with a mozilla.org location for now, that's probably best (and chances are that this will be the only MU SeaMonkey ever does, btw).
> David, where under https://www.mozilla.org can we use, and where would code get
> checked in, and what is the deployment strategy we would need to plan for?

A couple of thoughts:

http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/start/

http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/themes/

The start directory has the old Suite landing page and we could add new pages in there.  The themes directory is, AIUI, a SeaMonkey specific directory and could also be a good place (although the directory name isn't really relevant).
I'd be for putting something under /start there.

The /themes one can be archived now, I think 1.x has been EOLed long enough that we just can kill this page.
> I'd be for putting something under /start there.

Sounds good.

> The /themes one can be archived now, I think 1.x has been EOLed long enough
> that we just can kill this page.

Removed in r88223.  Let me know if that breaks anything.
blocking-seamonkey2.1: final+ → MU+
(In reply to comment #6)
> > I'd be for putting something under /start there.
> 
> Sounds good.

Hrm, some prelim testing...

http://www.mozilla.org/start/ redirs to mozilla.com and a firefox page.

https://www.mozilla.org/start/1.7.1 redirs to *http*://www-archive.mozilla.org/start/1.7/

David what is rewriting these, and is start/ a place we can really do this?
(In reply to comment #7)
> (In reply to comment #6)
> > > I'd be for putting something under /start there.
> > 
> > Sounds good.
> 
> Hrm, some prelim testing...
> 
> http://www.mozilla.org/start/ redirs to mozilla.com and a firefox page.
> 

Err nevermind if (ua.match(/Firefox\//)) { in the index.html part itself... and I happened to test with Firefox... ignore this.
Depends on: 668427
We're using https://www.mozilla.org so this is fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Depends on: 670074
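A release-side check for the two problems discussed in this bug, written as an added example (not code from the bug or from the SeaMonkey/Mozilla tree): it flags update snippets whose details URL is not https, and finds the hop where a redirect chain leaves https, as in the /start/1.7.1 test above. The snippet layout, the `detailsURL` attribute spelling, and the sample hosts and paths are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample snippet: versions, paths and the download host are illustrative.
SAMPLE_SNIPPET = """
<updates>
  <update type="major" version="2.1"
          detailsURL="http://www.seamonkey-project.org/billboard-placeholder/">
    <patch type="complete" URL="https://download.example.org/placeholder.mar"/>
  </update>
  <update type="minor" version="2.0.14"
          detailsURL="https://www.mozilla.org/billboard-placeholder/">
    <patch type="complete" URL="https://download.example.org/placeholder.mar"/>
  </update>
</updates>
"""

# Redirect chain quoted in the bug: an https URL that lands on plain http.
REPORTED_CHAIN = [
    "https://www.mozilla.org/start/1.7.1",
    "http://www-archive.mozilla.org/start/1.7/",
]


def is_https(url):
    """True only for absolute https URLs with a host part."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def insecure_details_urls(snippet_xml):
    """Return (type, version, url) for every <update> whose detailsURL is not https."""
    findings = []
    for update in ET.fromstring(snippet_xml).iter("update"):
        url = update.get("detailsURL", "")
        if url and not is_https(url):
            findings.append((update.get("type"), update.get("version"), url))
    return findings


def first_downgrade(redirect_chain):
    """Given the URLs visited in order, return the first non-https hop, or None."""
    for hop in redirect_chain:
        if not is_https(hop):
            return hop
    return None


if __name__ == "__main__":
    for finding in insecure_details_urls(SAMPLE_SNIPPET):
        print("insecure detailsURL:", finding)
    print("redirect leaves https at:", first_downgrade(REPORTED_CHAIN))
```

The redirect check matters as much as the snippet check: an https billboard URL that redirects to http gives a network attacker the same ability to replace the displayed content.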