Closed Bug 683782 Opened 14 years ago Closed 14 years ago

Redirects from Mozilla.com to Mozilla.org must maintain original protocol

Categories

(www.mozilla.org :: General, defect)

Product:
www.mozilla.org
Component:
General
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: mcoates, Assigned: nmaul)

References

Details

(Whiteboard: [infrasec:tls][ws:high])

Issue Requests to https://www.mozilla.com/foo redirect to http://www.mozilla.org/foo. Note that HTTPS is now HTTP. This redirect will put the user into an insecure state without any notification (aside from a minor change in the URL) Steps to reproduce 1. Go to https://www.mozilla.com 2. Observe you are redirected to http://www.mozilla.org Recommended Remediation Maintain the protocol when redirecting from mozilla.com to mozilla.org. In other words, if the request was originally HTTPS then redirect to HTTPS without any intermediary HTTP redirects.
Whiteboard: [infrasec:tls][ws:high]
I believe this is now resolved- in my testing, HTTP and HTTPS requests are now being preserved across the redirect. Please let me know if you receive any new reports of this not working. A little background: the servers in this cluster actually have no good way of determining if the request came in over HTTP or HTTPS. Zeus decodes it and forwards *all* traffic to port 80 (unlike some other clusters, which send HTTPS requests to port 81). So, there's no obvious way to make the servers do the right thing directly. I have found the Zeus setting which allows for rewriting of the Location: field in a response. This means the servers will always return http:// links, but Zeus will intelligently rewrite this to be https:// if the request is on an HTTPS virtual server.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
(In reply to Jake Maul [:jakem] from comment #2) > I believe this is now resolved- in my testing, HTTP and HTTPS requests are > now being preserved across the redirect. Please let me know if you receive > any new reports of this not working. > > A little background: the servers in this cluster actually have no good way > of determining if the request came in over HTTP or HTTPS. Zeus decodes it > and forwards *all* traffic to port 80 (unlike some other clusters, which > send HTTPS requests to port 81). So, there's no obvious way to make the > servers do the right thing directly. > > I have found the Zeus setting which allows for rewriting of the Location: > field in a response. This means the servers will always return http:// > links, but Zeus will intelligently rewrite this to be https:// if the > request is on an HTTPS virtual server. Jake, Thanks for jumping on this so quickly (you guys have other fires right now!). We really appreciate it. If you can make tomorrow's retrospective and share thoughts on this and other items that would be awesome. You rock! (big thanks to Michael C. for catching!) ~cb
verified fixed https://www.mozilla.com ----> https://www.mozilla.org/firefox curl -I https://www.mozilla.com HTTP/1.1 301 Moved Permanently Server: Apache X-Backend-Server: pm-web02 Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 Date: Thu, 01 Sep 2011 14:43:43 GMT Location: https://www.mozilla.org/firefox/ Keep-Alive: timeout=20, max=999 Transfer-Encoding: chunked Connection: Keep-Alive X-Cache-Info: cached
Status: RESOLVED → VERIFIED
$ curl -I https://mozilla.com HTTP/1.1 301 Moved Permanently Server: Apache X-Backend-Server: pm-web01 Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 Date: Thu, 01 Sep 2011 23:03:54 GMT Location: http://www.mozilla.com/ Transfer-Encoding: chunked Connection: Keep-Alive X-Cache-Info: caching
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
This seems like a separate issue. Note that it's redirecting to www.mozilla.com... not .org. This would be an old / pre-existing issue, methinks. All the same, I'll investigate. If nothing else this could redirect directly to www.mozilla.org/firefox, instead of making 2 jumps.
Since the original (and, IMO, biggest) concern has been rectified, I am dropping the priority on this. Re: comment 5 and comment 6... I can confirm that this is *not* new behavior, but a long-standing issue. In any case, I believe it to be fixed now, and goes straight to www.mozilla.org/firefox now... one less redirect. In addition to this, I've discovered another long-standing issue: https://mozilla.org/ returns an invalid certificate. The cert returned is for *.mozilla.org, and does not have a SAN field for mozilla.org. If anyone is concerned about this, please open a separate bug for it.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Severity: critical → major
Thanks. The invalid cert issue exists already on bug 579927.
Status: RESOLVED → VERIFIED
re-opening curl -I https://www.mozilla.com/ HTTP/1.1 301 Moved Permanently Server: Apache X-Backend-Server: pm-web02 Content-Type: text/html; charset=iso-8859-1 Date: Mon, 28 Nov 2011 23:58:42 GMT Location: http://www.mozilla.org/firefox/ Transfer-Encoding: chunked Connection: Keep-Alive X-Cache-Info: caching
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Flags: in-testsuite? → in-testsuite+
This is intermittent for me, but I think I found the problem: [root@natasha ~]# curl -v https://www.mozilla.com/ > /dev/null * About to connect() to www.mozilla.com port 443 * Trying 2620:101:8001:5::2:5... connected * Connected to www.mozilla.com (2620:101:8001:5::2:5) port 443 > GET / HTTP/1.1 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 > Host: www.mozilla.com > Accept: */* < HTTP/1.1 301 Moved Permanently < Server: Apache < X-Backend-Server: pm-web02 < Content-Type: text/html; charset=iso-8859-1 < Date: Tue, 29 Nov 2011 00:27:01 GMT < Location: http://www.mozilla.org/firefox/ < Content-Length: 239 < Connection: Keep-Alive < X-Cache-Info: cached I think it's breaking only over IPv6. Note the first couple of lines. This should be fixed now. Please reopen again if you can get it to fail, and include what host curl is connecting to (shown with -v)... it can be multiple things, and they're be handled separately. New output: [root@natasha ~]# curl -v -g -k -H 'Host: www.mozilla.com' "https://[2620:101:8001:5::2:5]/" > /dev/null * About to connect() to 2620:101:8001:5::2:5 port 443 * Trying 2620:101:8001:5::2:5... connected * Connected to 2620:101:8001:5::2:5 (2620:101:8001:5::2:5) port 443 > GET / HTTP/1.1 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 > Accept: */* > Host: www.mozilla.com < HTTP/1.1 301 Moved Permanently < Server: Apache < X-Backend-Server: pm-web04 < Content-Type: text/html; charset=iso-8859-1 < Date: Tue, 29 Nov 2011 00:55:53 GMT < Location: https://www.mozilla.org/firefox/ < Content-Length: 239 < Connection: Keep-Alive < X-Cache-Info: cached
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
verified fixed curl -I https://www.mozilla.com/ HTTP/1.1 301 Moved Permanently Server: Apache X-Backend-Server: pm-web04 Content-Type: text/html; charset=iso-8859-1 Date: Tue, 29 Nov 2011 01:04:36 GMT Location: https://www.mozilla.org/firefox/ Transfer-Encoding: chunked Connection: Keep-Alive X-Cache-Info: cached
Status: RESOLVED → VERIFIED
Component: www.mozilla.org/firefox → www.mozilla.org
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in before you can comment on or make changes to this bug.