Closed
Bug 793821
Opened 13 years ago
Closed 7 years ago
updates.bugzilla.org is no longer available over HTTPS
Categories
(Bugzilla :: bugzilla.org, defect)
Bugzilla
bugzilla.org
Tracking
()
RESOLVED
FIXED
People
(Reporter: justdave, Assigned: justdave)
References
()
Details
(Keywords: regression)
https://updates.bugzilla.org/bugzilla-update.xml used to work, once upon a time. Mozilla's update checker apparently used it. It's apparently now only available over http... I'm guessing this is since it was spun off to a separate server from landfill.
|
||
Comment 1•13 years ago
|
||
FYI, Bugzilla::Update uses the http:// URL, not the https:// one. Which Mozilla's update checker are you talking about?
|
|
||
Comment 2•13 years ago
|
||
Frédéric,
The version checker is here (not sure if you have access).
https://intranet.mozilla.org/versioncheck/
It just checks versions on currently installed apps and compares that to official stable versions. We use it for in-house auditing to help us keep things current. I do not know who originally set this up but it is broken and I am fixing it. For now I just switched it to use the http:// URL.
I think there is a concern about man-in-the-middle attack when not using https:// URLs. I guess the question now is if it is possible to get that set up or not?
Thanks for your help.
|
||
Comment 3•12 years ago
|
||
Yes, I didn't set up https access to the new location on purpose. If we want to add this, we need a new certificate for the updates.bugzilla.org domain/server and that costs money. Since Mozilla is only one interested in using this site over https, do you really want to spend money on the certificate? And if so, who at MoCo can make the decision and purchase the certificate for us?
I'm not sure if there's any point in running this over secure link. The site tells you the versions and release dates of different Bugzilla versions as well as a link to get more information. It doesn't show direct download links but I guess one could point to a fake release page that links to non-Mozilla site for the downloads..
|
|
||
Updated•12 years ago
|
Severity: major → minor
|
Assignee | |
Comment 4•7 years ago
|
||
This no longer costs money, LetsEncrypt is free, and we already use it for the rest of Bugzilla's certificates.
I'm in the process of moving updates.bugzilla.org to a new server right now (getting out of SCL3! :) )
I will make sure it has https on the new one.
Assignee: website → justdave
Depends on: 1487942
|
|
Assignee | |
Comment 5•7 years ago
|
||
Done. updates.bugzilla.org is now available on both HTTPS and IPv6. :-)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•