Make the SHA1SUMS file available over HTTPS



Release Engineering
6 years ago
4 years ago


(Reporter: Matthew Elvey, Unassigned)


Firefox Tracking Flags

(Not tracked)




6 years ago is a valid URL, but is not.  

It should be a relatively quick fix to make 
https://<someting><something>/SHA1SUMS a valid link to the SHA1 checksums.

Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks.
See, e.g. "Insecurities within automatic update systems" by  P. Ruissen,  R. Vloothuis.

So why can't I find checksums on a secure page?   There are SSL certs for (and this site) already in place.  In theory, very skilled users can use the SHA1SUMS.asc file and gpg to protect themselves, but it's a PITA, and there are no instructions.  Remember, most users find the second step in 'Download and Install' to be complicated.

I filed a similar bug against Chrome/Chromium and they fixed it. (  They have changed things so that by default at least, users download Chrome over https.  I imagine that doing so for Firefox would require a large infrastructure change, compared to the way Firefox is delivered today (over donated, geographically dispersed bandwidth), so that is NOT the bug/issue I'm reporting under this bug ID, though there should be a bug for tracking that bug/issue, if there isn't already.  Note: The Mozilla Manifesto's Principle 4 reads: "Individuals' security on the Internet is fundamental and cannot be treated as optional."

(Might as well do the same with the MD5SUMS file.  MD5 is broken, but more widely/readily available and generally better than nothing.)

Closest related bug I found is bug 684767.
Assignee: server-ops → nobody
Group: mozilla-confidential → mozilla-corporation-confidential
Component: Server Operations: Web Content Push → Release Engineering
QA Contact: mrz → release
Dan, do you think this is worthwhile to do?
You can use https://ftp.m.o for this:
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
This file is already available securely from (e.g.)

but if we want to do a rewrite rule to make that always happen that would lessen the confusion.
Group: mozilla-corporation-confidential

Comment 4

6 years ago
Daniel, good idea.  You're thinking to make<AnyThing>/SHA1SUMS a 301 redirect to${SameThing}/SHA1SUMS (and same for MD5)?

Really, I'd like to see the bulk of downloads be secure, and given users are unlikely to compute checksums even if it's easy, I've opened bug 687783 : "By default, users should be downloading our products over https."


4 years ago
Product: → Release Engineering
You need to log in before you can comment on or make changes to this bug.