Closed Bug 725778 Opened 12 years ago Closed 1 year ago

Make the hashes (md5, sha1) for the Firefox installer easier to find for those wishing to verify the download

Categories

(www.mozilla.org :: Release notes, enhancement)

Product:
www.mozilla.org
Component:
Release notes
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: martin, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Steps to reproduce:

Went to http://www.getfirefox.com/ and clicked Download. It took me to http://www.mozilla.org/en-US/products/download.html?product=firefox-10.0&os=linux&lang=en-US


Actual results:

Installer is not served via SSL, nor is an MD5sum displayed


Expected results:

Download should be served by SSL, or at the very least, an md5sum of the chosen installer should be displayed.

Currently it is possible for a MitM attack on the Firefox installer, whereby malicious root CAs could be injected into the installer and in theory FF could be patched to stop automatic updating, so these malicious root CAs would persist
SSL -> Bug 358384

I know MD5 sums are on the FTP server - not sure where else they appear (ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/10.0.1/)

Note also that the installer is digitally signed.
Surprisingly I didn't find a single request to make the hashes more visible, so I'll let the site owners deal with it.
Status: UNCONFIRMED → NEW
Component: Untriaged → www.mozilla.org/firefox
Ever confirmed: true
Product: Firefox → Websites
QA Contact: untriaged → www-mozilla-com
Summary: Cannot verify installer download → Make the hashes (md5, sha1) for the Firefox installer easier to find for those wishing to verify the download
Component: www.mozilla.org/firefox → www.mozilla.org
If a vulnerability exist, or a chance of exploitation, and even if only 1 person has mentioned/warned or asking to fix it, ... it should not be taken lightly in anyway ! 

Now-a-days, most site shows Hash codes (like: md5, sha1, sha256, etc) of the binary which they releases on their main website, and specially if they are going to deliver it to users via using 3rd party host(s)/web-server(s), which 'Mozilla.org' is doing for delivering firefox binary files. 

On Windows platforms, most people/users prefers HASH codes like, MD5, SHA1, SHA256, etc. GPG/PGP asc verification against/for binary file is not common and not preferable, as it requires more learning, and is more common to Unix/Linux/MacOSX. Free software like HashTab (is available for free for Windows, MacoSX) has made it very very easy to check hash codes of any files. If free software similar to HashTab but works with asc/gpg/pgp is made available in future or becomes common for Windows as well, then may be user will prefer verifying using gpg/asc codes/files.

Many noob users dont understand the difference between a "GenuineFirefox.com" and a "Mozilla.org" shown, during installation of Firefox. Many will go for & prefer to use & trust "GenuineFirefox.com" notice, rather than to see a rightly signed-binary warning/notice with "Mozilla.org". So even a signed binary Firefox file is not sufficient. A falsely signed compromised binary file is even more harmful than a non-signed compromised binary file. A false-signed compromised binary can even load rootkits easily.

And those who uses system wide proxy (like, SOCKS4, SOCKS5 proxy), (or open proxies, or Tor proxies), in such user's computer, binary installer will go thru 1 or more proxies into internet. Where unwanted users/computers/software/man-in-the-middle(mitm) can exploit, and serve & show & deliver wrong/modified stuff to users. If such proxy users, visits the main site (mozilla.org) directly without using any proxy, directly, and is able to easily view/get the hash code next to the binary download link, then they can use existing web-browser software with (even if it has) proxy settings, to get the firefox-binary even via/using proxies. And they can also/still verify the binary, because they have already obtained correct hash codes obtained by connecting to Mozilla.org directly. Hash codes should be shown/served out of a https/ssl webpages.

Since Mozilla.org website's server-side codes on the main/home page auto-detects a visiting web-browser's "user-agent" string, and thus can show appropriate download link for the correct OS/platform, language, etc based on web-browser's user-agent string, ... similarly it should show/include that binary's hash code (preferably, sha256) right under or next to the [Download Firefox] link/button.

Also suggesting to show download links (for Windows, MacoSX, Linux platforms), toward GPL based software or free software which can calculate & show hash codes of a binary file(s) very easily, and user friendly & appropriate.  For example, HashTab (Windows, Mac OSX), md5sum (Windows, Mac OSX), md5deep/md5sha1sum (linux/Unix), etc.

Its not right, that when a user clicks on 'Download' on http://www.mozilla.org/en-US/ site, and file is getting downloaded/delivered from some 3rd party websites like: http://mirrors.gigenet.com/mozilla//firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ! and main website (Mozilla.org) did not even show the binary's hash code to that user ! ! 

Its amazing first submitter request requested to solve this on February, 2012, and no one has paid attention to it !

The way hacking/cracking & security-exploitations are rising, even noob/newbie users should be trained to use hash codes more & more, so there is lesser chance for exploitation/abuse/malwares. etc.

Please fix it. Please instruct developers to save hash codes of binary/exe/dmg files on some type of 'binary-name-version.hash.txt' file, for each binary, along with keeping the usual 'asc' file which has gpg/pgp in it, against/for each binary as well.  And modify the existing web-server script in server-side codes, which detects user-agent string of a web-browser, and modify that further to load Hash codes from hash file for the shown binary/exe/dmg etc file(s), and then display it, under the download link/button, or, somewhere next to it, where it is very very clearly visible.

~ Bry8Star.
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
It should be on the release notes?
Blocks: firefox-relnotes
Severity: normal → enhancement
Component: General → Pages & Content
OS: Linux → All
Hardware: x86_64 → All
See Also: → 1099434
It would be nice to have hashes as part of https://product-details.mozilla.org/ and show them in the release notes.
Component: Pages & Content → Release notes
Would love to see hashes linked from the download page. Still looking for the current version; I'm sure they're here somewhere. 

Edit: Current version hashes are at https://ftp.mozilla.org/pub/firefox/releases/52.0.2/
Found format via old post & substituted the new version number.

Still would like to see the link in an easy to find place.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.