Closed
Bug 687164
Opened 13 years ago
Closed 13 years ago
Make the SHA1SUMS file available over HTTPS
Categories
(Release Engineering :: General, defect)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bugzillaPost120030in, Unassigned)
Details
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is a valid URL, but https://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is not. It should be a relatively quick fix to make https://<someting>.mozilla.org/<something>/SHA1SUMS a valid link to the SHA1 checksums. Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks. See, e.g. "Insecurities within automatic update systems" by P. Ruissen, R. Vloothuis. So why can't I find checksums on a secure page? There are SSL certs for www.mozilla.org (and this site) already in place. In theory, very skilled users can use the SHA1SUMS.asc file and gpg to protect themselves, but it's a PITA, and there are no instructions. Remember, most users find the second step in 'Download and Install' to be complicated. I filed a similar bug against Chrome/Chromium and they fixed it. (https://code.google.com/p/chromium/issues/detail?id=53116) They have changed things so that by default at least, users download Chrome over https. I imagine that doing so for Firefox would require a large infrastructure change, compared to the way Firefox is delivered today (over donated, geographically dispersed bandwidth), so that is NOT the bug/issue I'm reporting under this bug ID, though there should be a bug for tracking that bug/issue, if there isn't already. Note: The Mozilla Manifesto's Principle 4 reads: "Individuals' security on the Internet is fundamental and cannot be treated as optional." (Might as well do the same with the MD5SUMS file. MD5 is broken, but more widely/readily available and generally better than nothing.) Closest related bug I found is bug 684767.
|
||
Updated•13 years ago
|
Assignee: server-ops → nobody
Group: mozilla-confidential → mozilla-corporation-confidential
Component: Server Operations: Web Content Push → Release Engineering
QA Contact: mrz → release
|
||
Comment 1•13 years ago
|
||
Dan, do you think this is worthwhile to do?
|
|
||
Comment 2•13 years ago
|
||
You can use https://ftp.m.o for this: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
||
Comment 3•13 years ago
|
||
This file is already available securely from (e.g.) https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/6.0.2/SHA1SUMS but if we want to do a rewrite rule to make that always happen that would lessen the confusion.
|
|
||
Updated•13 years ago
|
Group: mozilla-corporation-confidential
|
Reporter | |
Comment 4•13 years ago
|
||
Daniel, good idea. You're thinking to make http://releases.mozilla.org/<AnyThing>/SHA1SUMS a 301 redirect to https://ftp.mozilla.org/${SameThing}/SHA1SUMS (and same for MD5)? Really, I'd like to see the bulk of downloads be secure, and given users are unlikely to compute checksums even if it's easy, I've opened bug 687783 : "By default, users should be downloading our products over https."
|
Assignee | |
Updated•11 years ago
|
Product: mozilla.org → Release Engineering
You need to log in
before you can comment on or make changes to this bug.
Description
•