Ubuntu
firefox package

HTTPS is not used for Google searches

Bug #978444 reported by Fred on 2012-04-10

This bug affects 5 people

	Status	Importance	Assigned to
Mozilla Firefox	Invalid	Medium	mozilla-bugs #778552
firefox (Ubuntu)	Fix Released	Wishlist	Unassigned
ubufox (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

about:home and about:startpage does not use HTTPS which results in the communication being insecure and allows usage tracking and surveillance by a attacker as well as man-in-the-middle attacks.

Tags:

Revision history for this message

Fred (eldmannen+launchpad) wrote on 2012-04-10:

Nor does it use HTTPS on Wikipedia or YouTube when searching from the search bar.
Twitter communication however is secure.

tags:	added: google https
tags:	added: search

Jamie Strandboge (jdstrand) on 2012-04-20

security vulnerability:	yes → no
visibility:	private → public
Changed in firefox (Ubuntu):
importance:	Undecided → Wishlist
status:	New → Triaged

Revision history for this message

Serge (sspapilin) wrote on 2012-07-20:

Now Firefox enabled this feature (see http://www.mozilla.org/en-US/firefox/14.0.1/releasenotes/ ), but on my system Firefox still uses plain HTTP.

Firefox binary, downloaded from http://www.mozilla.org/en-US/products/download.html?product=firefox-14.0.1&os=linux&lang=en-US , works as intended, so it's the bug of distribution.

Strangely, OMGubuntu ( see http://www.omgubuntu.co.uk/2012/07/firefox-14-released-with-new-security-features ) published a screen-shot with HTTPS Google search, so it must be working for him.

As for me, disabling all add-ons, removing profile and entire ~/.mozilla folder, purging and reinstalling Firefox didn't help.

I guess that now the bug should not be on wishlist, but something more important, as upstream implemented the feature.

Revision history for this message

Serge (sspapilin) wrote on 2012-07-29:

Now all searches use https, bug has been fixed.

Changed in firefox (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

Fred (eldmannen+launchpad) wrote on 2012-07-29:

This has not been fixed.
Go to about:startpage or about:home and search from there. Notice how the search still doesn't use HTTPS:

Changed in firefox (Ubuntu):
status:	Fix Released → Triaged

Revision history for this message

In Mozilla Bugzilla #778552, Eldmannen+mozilla (eldmannen+mozilla) wrote on 2012-07-29:

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0
Build ID: 20120726125915

Steps to reproduce:

Searched from about:home and about:startpage

Actual results:

Got sent to Google over insecure HTTP.

Expected results:

Been sent to Google over secure HTTPS.

Revision history for this message

In Mozilla Bugzilla #778552, Bugzilla-tf (bugzilla-tf) wrote on 2012-07-29:

I tested using Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1 and it seems to use https as expected (confirmed by wireshark).

What's make you believe that http is used ?
Is that a Mozilla.org build or do you got the binary build from somewhere else ?

Bug Watch Updater (bug-watch-updater) on 2012-07-29

Changed in firefox:
importance:	Unknown → Medium
status:	Unknown → New

Revision history for this message

In Mozilla Bugzilla #778552, Eldmannen+mozilla (eldmannen+mozilla) wrote on 2012-07-29:

If you select 'View Page Source' on about:startpage, you see that http:// is hard-coded.
<form method="get" action="http://www.google.com/search" name="search">

On about:home, press Ctrl+Shift+K then click on search, and you see it goes to Google over http://.

I am using the build from Ubuntu repository (12.10 alpha).

Revision history for this message

In Mozilla Bugzilla #778552, Bugzilla-tf (bugzilla-tf) wrote on 2012-07-29:

from the build in comment#1 and a search from about:home
[19:58:19.760] GET https://www.google.com/search?q=test&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&source=hp&channel=np [HTTP/1.1 302 Found 655ms]

Please try a build from mozilla instead of the Ubuntu one. It's possible that Ubuntu is using a different search and you probably have to report this issue to Ubuntu

Revision history for this message

In Mozilla Bugzilla #778552, Eldmannen+mozilla (eldmannen+mozilla) wrote on 2012-07-29:

Okay, I just tested with Nightly trunk build.
firefox-17.0a1.en-US.linux-x86_64.tar.bz2 | 29-Jul-2012 04:30 | 29M

about:startpage won't work because:
[20:34:28.215] SyntaxError: JSON.parse: unexpected character @ chrome://browser/content/abouthome/aboutHome.js:145

about:home seem to actually use HTTPS as it should.
[20:40:05.930] SyntaxError: syntax error @ about:home:20
Throws that but still works though.

Revision history for this message

In Mozilla Bugzilla #778552, Bugzilla-tf (bugzilla-tf) wrote on 2012-07-29:

#10

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1009961 suggests that they are using their own about pages

There is no about:startpage in my Firefox14.0.1 windows build.
The current startpage is about:newtab

Is Ubuntu still adding their own extension that adds their changes ?
Anyway, please report this to ubuntu as it seems that your issue is caused by Ubuntu specific changes.

Revision history for this message

In Mozilla Bugzilla #778552, Eldmannen+mozilla (eldmannen+mozilla) wrote on 2012-07-30:

#11

Firefox on Ubuntu comes with an extension called 'Ubuntu Firefox Modifications' aka 'ubufox'.

http://packages.ubuntu.com/search?keywords=xul-ext-ubufox&searchon=names&suite=all&section=all

Bug Watch Updater (bug-watch-updater) on 2012-07-30

Changed in firefox:
status:	New → Invalid

Revision history for this message

In Mozilla Bugzilla #778552, Bugzilla-tf (bugzilla-tf) wrote on 2012-08-28:

#13

*** Bug 786007 has been marked as a duplicate of this bug. ***

Revision history for this message

Fred (eldmannen+launchpad) wrote on 2012-08-28:

#12

https://bugzilla.mozilla.org/show_bug.cgi?id=786007

It is a Ubuntu-specific bug.

Revision history for this message

Mike L (mikerl) wrote on 2012-08-28:

#14

I can confirm that it is specific to Ubuntu. Tested it over IRC with other Linux distros and the builds from Mozilla's website, but they all defaulted to HTTPS. Only the builds from the Mozilla Team PPAs refused to default to HTTPS.

Jamie Strandboge (jdstrand) on 2012-09-21

Changed in ubufox (Ubuntu):
status:	New → Invalid

Revision history for this message

Fred (eldmannen+launchpad) wrote on 2012-09-22:

#15

http://start.ubuntu.com/12.04/

Revision history for this message

Enda (enda-k2) wrote on 2012-11-22:

#16

How do I change the about:home Google search to using https?

Revision history for this message

Drey (drey) wrote on 2013-01-24:

#17

It's a regression from Mozilla builds, please fix this bug. Just a few keystrokes in google.xml file.

Revision history for this message

Mike L (mikerl) wrote on 2013-04-14:

#18

It seems to be fixed in Firefox 20.

Changed in firefox (Ubuntu):
status:	Triaged → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

mozilla-bugs #778552
[RESOLVED WORKSFORME] Edit
mozilla-bugs #786007
[RESOLVED DUPLICATE] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntufirefox package

HTTPS is not used for Google searches

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
firefox package