mozilla-releng/balrog

download.mozilla.org is not being served over HTTPS

Closed this issue · 2 comments

Hi, not sure if this is the right place to post this, but I'll try nevertheless.
I noticed that the updates.xml served by aus5 only contains HTTP links to the MAR files served on download.mozilla.org.
I noticed this because I'm in an environment where a lot of "insecure" (aka non-HTTPS) traffic is being blocked for "security".
I know that there's no real threat here, but the URL might as well be HTTPS, or is there something I'm missing?

There has been ongoing discussion about this in https://bugzilla.mozilla.org/show_bug.cgi?id=1444399 for a while, but as a quick answer: there are no (known) security issues serving the MARs over HTTP because they have their own signatures that Firefox verifies.

It's noteworthy that when a user downloads an installer from a page such as https://www.mozilla.org/en-CA/firefox/download/thanks/, it is served over HTTPS (e.g. https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-CA).

I'm going to close this because it's not a direct Balrog issue, and we're already discussing a possible move to HTTPS in the aforementioned bug. Thank you for reporting though! And if you have any follow-up questions or concerns, feel free to ask them here.
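The answer above rests on one point: the integrity of a MAR file comes from its embedded signature, which the updater checks against a key it already trusts, so the transport does not need to provide integrity. The following Go program is an added illustration of that principle and is not Balrog or Firefox code; it does not use the real MAR container or Mozilla's signing scheme. It assumes a publisher signs the raw update bytes with Ed25519, the client holds the matching public key, and an on-path modification of an HTTP response flips a byte of the payload; the names `SignUpdate`, `VerifyUpdate` and `simulateTamperedResponse` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update models what an updater receives over a plain HTTP connection:
// the payload plus a detached signature produced by the publisher.
type Update struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when the payload does not match its signature.
var ErrBadSignature = errors.New("update signature verification failed")

// SignUpdate is the publisher side: sign the payload with the release key.
// (Constructed example; a real update format signs a defined structure,
// not just the raw bytes.)
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the client side: accept the payload only if the signature
// verifies under the pinned public key. Whether the bytes arrived over HTTP
// or HTTPS plays no part in this decision; a valid signature proves the bytes
// are exactly what the publisher signed.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// simulateTamperedResponse stands in for a response body that was altered
// in transit: one payload byte differs, the signature is unchanged.
func simulateTamperedResponse(u Update) Update {
	t := Update{
		Payload:   append([]byte(nil), u.Payload...),
		Signature: append([]byte(nil), u.Signature...),
	}
	t.Payload[0] ^= 0x01
	return t
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a MAR file fetched over HTTP.
	genuine := SignUpdate(priv, []byte("constructed update payload v1"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine))                   // <nil>
	fmt.Println("tampered update:", VerifyUpdate(pub, simulateTamperedResponse(genuine))) // signature error
}
```

The practical caveat the thread hints at is visible in the code: the guarantee is integrity and authenticity of the payload, not confidentiality, and the client must refuse to apply anything for which `VerifyUpdate` returns an error rather than falling back to an unsigned path.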

Thanks for your answer, @mozbhearsum.
I already suspected a discussion like that; thanks for pointing me to the issue. Now I have something that I can use to reason with the people who control the "content blocking" rules.
👍