Bug 687164 - Make the SHA1SUMS file available over HTTPS
Status: RESOLVED WORKSFORME
Product: Release Engineering
Classification: Other
Component: Other
Assigned To: Nobody; OK to take it and work on it
Reported: 2011-09-16 14:46 PDT by Matthew Elvey
Modified: 2013-08-12 21:54 PDT


Description Matthew Elvey 2011-09-16 14:46:34 PDT
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is a valid URL, but 
https://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is not.  

It should be a relatively quick fix to make 
https://<something>.mozilla.org/<something>/SHA1SUMS a valid link to the SHA1 checksums.

Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks.
See, e.g. "Insecurities within automatic update systems" by P. Ruissen, R. Vloothuis.

So why can't I find checksums on a secure page? There are SSL certs for www.mozilla.org (and this site) already in place. In theory, very skilled users can use the SHA1SUMS.asc file and gpg to protect themselves, but it's a PITA, and there are no instructions. Remember, most users find the second step in 'Download and Install' to be complicated.

I filed a similar bug against Chrome/Chromium and they fixed it. (https://code.google.com/p/chromium/issues/detail?id=53116) They have changed things so that by default at least, users download Chrome over https. I imagine that doing so for Firefox would require a large infrastructure change, compared to the way Firefox is delivered today (over donated, geographically dispersed bandwidth), so that is NOT the bug/issue I'm reporting under this bug ID, though there should be a bug for tracking that bug/issue, if there isn't already. Note: The Mozilla Manifesto's Principle 4 reads: "Individuals' security on the Internet is fundamental and cannot be treated as optional."

(Might as well do the same with the MD5SUMS file.  MD5 is broken, but more widely/readily available and generally better than nothing.)

Closest related bug I found is bug 684767.

Comment 1 Ben Hearsum (:bhearsum) 2011-09-19 06:45:21 PDT
Dan, do you think this is worthwhile to do?

Comment 2 Ben Hearsum (:bhearsum) 2011-09-19 10:27:21 PDT
You can use https://ftp.m.o for this: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS

Comment 3 Daniel Veditz [:dveditz] 2011-09-19 10:28:22 PDT
This file is already available securely from (e.g.) https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/6.0.2/SHA1SUMS

but if we want to do a rewrite rule to make that always happen that would lessen the confusion.

Comment 4 Matthew Elvey 2011-09-19 23:50:25 PDT
Daniel, good idea.  You're thinking to make
http://releases.mozilla.org/<AnyThing>/SHA1SUMS a 301 redirect to https://ftp.mozilla.org/${SameThing}/SHA1SUMS (and same for MD5)?

Really, I'd like to see the bulk of downloads be secure, and given users are unlikely to compute checksums even if it's easy, I've opened bug 687783 : "By default, users should be downloading our products over https."
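
The check this bug is about, as an added example that is not part of the original thread or Mozilla's tooling: fetch the checksum manifest over HTTPS only, then compare the SHA-1 of a file downloaded from an untrusted mirror against it. It assumes the manifest uses standard `sha1sum` output lines; the sample installer bytes and the path `win32/en-US/setup.exe` are constructed.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit

def require_https(url):
    """Reject manifest URLs that are not HTTPS: a checksum fetched over plain
    HTTP can be rewritten by the same attacker who tampers with the download."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("checksum manifest must be fetched over HTTPS: " + url)
    return url

def fetch_manifest(url):
    """Download the manifest (urllib validates the TLS certificate by default)
    and reject a response whose final URL after redirects is not HTTPS."""
    with urllib.request.urlopen(require_https(url), timeout=30) as resp:
        require_https(resp.geturl())
        return resp.read().decode("utf-8")

def parse_sums(text):
    """Parse `sha1sum`-style lines ("<40 hex>  <path>") into {path: digest}."""
    sums = {}
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        path = path.lstrip(" *")          # drop separator and binary marker
        if path.startswith("./"):
            path = path[2:]
        is_sha1 = len(digest) == 40 and all(c in "0123456789abcdef" for c in digest.lower())
        if path and is_sha1:              # skip anything that is not an entry
            sums[path] = digest.lower()
    return sums

def verify(manifest_text, path, data):
    """True only if `path` is listed and SHA-1(data) matches its entry."""
    expected = parse_sums(manifest_text).get(path)
    if expected is None:
        return False                      # unlisted file: fail closed
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: installer bytes and a manifest built from them.
SAMPLE_INSTALLER = b"constructed installer bytes"
SAMPLE_MANIFEST = (
    hashlib.sha1(SAMPLE_INSTALLER).hexdigest() + "  ./win32/en-US/setup.exe\n"
    "this line is not a checksum entry\n"
)

if __name__ == "__main__":
    print(verify(SAMPLE_MANIFEST, "win32/en-US/setup.exe", SAMPLE_INSTALLER))
```

`require_https` also rejects the plain-HTTP manifest URL outright, since an on-path attacker can answer that first request before any redirect to HTTPS is seen.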
