Make the SHA1SUMS file available over HTTPS

RESOLVED WORKSFORME

Status

Release Engineering
General
6 years ago
4 years ago

People

(Reporter: Matthew Elvey, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is a valid URL, but 
https://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is not.  

It should be a relatively quick fix to make 
https://<something>.mozilla.org/<something>/SHA1SUMS a valid link to the SHA1 checksums.

Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks.
See, e.g. "Insecurities within automatic update systems" by P. Ruissen, R. Vloothuis.

So why can't I find checksums on a secure page?   There are SSL certs for www.mozilla.org (and this site) already in place.  In theory, very skilled users can use the SHA1SUMS.asc file and gpg to protect themselves, but it's a PITA, and there are no instructions.  Remember, most users find the second step in 'Download and Install' to be complicated.

I filed a similar bug against Chrome/Chromium and they fixed it. (https://code.google.com/p/chromium/issues/detail?id=53116)  They have changed things so that by default at least, users download Chrome over https.  I imagine that doing so for Firefox would require a large infrastructure change, compared to the way Firefox is delivered today (over donated, geographically dispersed bandwidth), so that is NOT the bug/issue I'm reporting under this bug ID, though there should be a bug for tracking that bug/issue, if there isn't already.  Note: The Mozilla Manifesto's Principle 4 reads: "Individuals' security on the Internet is fundamental and cannot be treated as optional."

(Might as well do the same with the MD5SUMS file.  MD5 is broken, but more widely/readily available and generally better than nothing.)

Closest related bug I found is bug 684767.

Assignee: server-ops → nobody
Group: mozilla-confidential → mozilla-corporation-confidential
Component: Server Operations: Web Content Push → Release Engineering
QA Contact: mrz → release

Dan, do you think this is worthwhile to do?

You can use https://ftp.m.o for this: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME

This file is already available securely from (e.g.) https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/6.0.2/SHA1SUMS

but if we want to do a rewrite rule to make that always happen that would lessen the confusion.

Group: mozilla-corporation-confidential
(Reporter)

Comment 4

6 years ago
Daniel, good idea.  You're thinking to make
http://releases.mozilla.org/<AnyThing>/SHA1SUMS a 301 redirect to https://ftp.mozilla.org/${SameThing}/SHA1SUMS (and same for MD5)?

Really, I'd like to see the bulk of downloads be secure, and given users are unlikely to compute checksums even if it's easy, I've opened bug 687783 : "By default, users should be downloading our products over https."
(Assignee)

Updated

4 years ago
Product: mozilla.org → Release Engineering
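
Added example, not part of the original bug thread and not Mozilla's code: a sketch of the check the thread is about, verifying a download against a SHA1SUMS manifest only when that manifest came from an https URL. It assumes the manifest uses the sha1sum(1) line format and that the caller has already fetched the manifest text; the sample bytes and the entry name `example/installer.tar.bz2` are constructed, and the two URLs are the ones quoted in the thread.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

# Constructed sample data: not a real release artifact or manifest.
SAMPLE = b"constructed installer bytes\n"
NAME = "example/installer.tar.bz2"  # hypothetical manifest entry
MANIFEST = f"{hashlib.sha1(SAMPLE).hexdigest()}  {NAME}\n"
HTTPS_URL = "https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS"
HTTP_URL = "http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS"

def parse_sums(text):
    """Parse sha1sum(1)-style lines: 40 hex digits, a space, ' ' or '*', then the path."""
    sums = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, name = line[:40].lower(), line[42:]
        if (len(line) < 43 or line[40] != " " or line[41] not in " *"
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError(f"malformed manifest line {n}")
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting entries for {name}")
    return sums

def sha1_of(stream, chunk=1 << 16):
    """Hash a binary stream in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(manifest_url, manifest_text, name, stream):
    """True only if the manifest URL is HTTPS, it lists `name`, and the digest matches."""
    # An http:// manifest proves nothing: whoever can alter the download can alter it too,
    # and a 301 from http to https can be removed in transit before the client sees it.
    if urlsplit(manifest_url).scheme != "https":
        raise ValueError("checksum manifest must come from an https URL")
    expected = parse_sums(manifest_text).get(name)
    if expected is None:
        return False  # a missing entry is a failure, not "nothing to check"
    return hmac.compare_digest(expected, sha1_of(stream))

if __name__ == "__main__":
    print(verify(HTTPS_URL, MANIFEST, NAME, io.BytesIO(SAMPLE)))
    print(verify(HTTPS_URL, MANIFEST, NAME, io.BytesIO(SAMPLE + b"tampered")))
```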