Use HTTPS instead of HTTP

Bug #1019877 reported by Fred
This bug affects 2 people
Affects: Mozilla Firefox | Status: Invalid | Importance: Medium
Affects: firefox (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned

Bug Description

about:config
Search: http://

browser.safebrowsing.reportErrorURL;http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportGenericURL;http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareErrorURL;http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareURL;http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%

devtools.gcli.jquerySrc;http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
devtools.gcli.lodashSrc;http://cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js
devtools.gcli.underscoreSrc;http://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.6.0/underscore-min.js

On 'app.update.url.manual;http://www.firefox.com' suffix a slash at the end to make it FQDN.

shawnlandden (shawnlandden) wrote :

Upstream added HTTPS (SPDY) Google search by default in Firefox 13. Is that what you are asking for?

Fred (eldmannen+launchpad) wrote :

No, all those http:// should be https:// not only for Google search.

Chris Coulson (chrisccoulson) wrote :

This isn't something that we're going to change in Ubuntu (particularly the ones which use Google services, as changing those would require an agreement with Google first). If you want any of these to change, then you need to report this upstream instead.

Note, the app.update.url* preferences aren't used anywhere in Ubuntu, and neither is toolkit.telemetry.infoURL by default.

Changed in firefox (Ubuntu):
importance: Undecided → Wishlist
Marc Deslauriers (mdeslaur) wrote :

Please open an upstream bug with mozilla for this issue, along with justification why those need to be changed. Once you've done that, please link the upstream bug to this one.

Thanks.

Changed in firefox (Ubuntu):
status: New → Incomplete
In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120615112143

Steps to reproduce:

about:config
Search: http://

Actual results:

app.releaseNotesURL;http://www.mozilla.com/%LOCALE%/%APP%/%VERSION%/releasenotes/
app.support.baseURL;http://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
app.update.url.details;http://www.mozilla.com/%LOCALE%/%APP%/releases/
app.update.url.manual;http://www.firefox.com
app.vendorURL;http://www.mozilla.com/%LOCALE%/%APP%/
breakpad.reportURL;http://crash-stats.mozilla.com/report/index/
browser.contentHandlers.types.0.uri;http://fusion.google.com/add?feedurl=%s
browser.contentHandlers.types.1.uri;http://add.my.yahoo.com/rss?url=%s
browser.geolocation.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/geolocation/
browser.safebrowsing.malware.reportURL;http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=
browser.safebrowsing.provider.0.gethashURL;http://safebrowsing.clients.google.com/safebrowsing/gethash?client={moz:client}&appver={moz:version}&pver=2.2
browser.safebrowsing.provider.0.reportErrorURL;http://{moz:locale}.phish-error.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportGenericURL;http://{moz:locale}.phish-generic.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportMalwareErrorURL;http://{moz:locale}.malware-error.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportMalwareURL;http://{moz:locale}.malware-report.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportPhishURL;http://{moz:locale}.phish-report.mozilla.com/?hl={moz:locale}
browser.safebrowsing.provider.0.reportURL;http://safebrowsing.clients.google.com/safebrowsing/report?
browser.safebrowsing.provider.0.updateURL;http://safebrowsing.clients.google.com/safebrowsing/downloads?client={moz:client}&appver={moz:version}&pver=2.2
browser.safebrowsing.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/phishing-protection/
extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
extensions.input.happyURL;http://input.mozilla.com/happy
extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
extensions.input.sadURL;http://input.mozilla.com/sad
gecko.handlerService.schemes.mailto.0.uriTemplate;http://compose.mail.yahoo.com/?To=%s
gecko.handlerService.schemes.webcal.0.uriTemplate;http://30boxes.com/external/widget?refer=ff&url=%s
toolkit.telemetry.infoURL;http://www.mozilla.com/legal/privacy/firefox.html#telemetry

On 'app.update.url.manual;http://www.firefox.com' suffix a slash at the end to make it FQDN.

Expected results:

The secure HTTPS protocol should have been used, not the insecure HTTP protocol.

Changed in firefox:
importance: Unknown → Medium
status: Unknown → New
In , d-d-2 (dandromb) wrote :

Can anyone with good authority on this subject address why updates, and various web-based security functions, are delivered with HTTP, and not HTTPS?

Changed in firefox (Ubuntu):
status: Incomplete → Confirmed
In , Bsmith-mozilla (bsmith-mozilla) wrote :

(In reply to Eldmannen from comment #0)
> app.releaseNotesURL;http://www.mozilla.com/%LOCALE%/%APP%/%VERSION%/releasenotes/
> app.support.baseURL;http://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
> app.update.url.details;http://www.mozilla.com/%LOCALE%/%APP%/releases/
> app.update.url.manual;http://www.firefox.com
> app.vendorURL;http://www.mozilla.com/%LOCALE%/%APP%/
> browser.geolocation.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/geolocation/
> toolkit.telemetry.infoURL;http://www.mozilla.com/legal/privacy/firefox.html#telemetry

Now bug 840687.

> breakpad.reportURL;http://crash-stats.mozilla.com/report/index/

Bug 840682.

> browser.safebrowsing.malware.reportURL;http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=
> browser.safebrowsing.provider.0.gethashURL;http://safebrowsing.clients.google.com/safebrowsing/gethash?client={moz:client}&appver={moz:version}&pver=2.2
> browser.safebrowsing.provider.0.reportErrorURL;http://{moz:locale}.phish-error.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportGenericURL;http://{moz:locale}.phish-generic.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportMalwareErrorURL;http://{moz:locale}.malware-error.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportMalwareURL;http://{moz:locale}.malware-report.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportPhishURL;http://{moz:locale}.phish-report.mozilla.com/?hl={moz:locale}
> browser.safebrowsing.provider.0.reportURL;http://safebrowsing.clients.google.com/safebrowsing/report?
> browser.safebrowsing.provider.0.updateURL;http://safebrowsing.clients.google.com/safebrowsing/downloads?client={moz:client}&appver={moz:version}&pver=2.2
> browser.safebrowsing.warning.infoURL;http://www.mozilla.com/%LOCALE%/firefox/phishing-protection/
>
> On 'app.update.url.manual;http://www.firefox.com' suffix a slash at the end to make it FQDN.

Bug 783047.

> extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> extensions.input.happyURL;http://input.mozilla.com/happy
> extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> extensions.input.sadURL;http://input.mozilla.com/sad

Bug 840678.

> browser.contentHandlers.types.0.uri;http://fusion.google.com/add?feedurl=%s

Bug 840710.

> browser.contentHandlers.types.1.uri;http://add.my.yahoo.com/rss?url=%s
> gecko.handlerService.schemes.mailto.0.uriTemplate;http://compose.mail.yahoo.com/?To=%s

Bug 840705.

> gecko.handlerService.schemes.webcal.0.uriTemplate;http://30boxes.com/external/widget?refer=ff&url=%s

Bug 840699.

Changed in firefox:
status: New → Confirmed
In , Sjw (sjw) wrote :

Thunderbird is also affected.

description: updated
In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

Many of these have now been fixed.

A few remain.

browser.safebrowsing.reportErrorURL;http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportGenericURL;http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareErrorURL;http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareURL;http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%

devtools.gcli.jquerySrc;http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
devtools.gcli.lodashSrc;http://cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js
devtools.gcli.underscoreSrc;http://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.6.0/underscore-min.js

In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

loop.CSP;default-src 'self' about: file: chrome:; img-src 'self' data: http://www.gravatar.com/ about: file: chrome:; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net

gravatar over http instead of https. The site can be reached over https.

In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

9 left.

browser.safebrowsing.reportErrorURL;http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportGenericURL;http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareErrorURL;http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportMalwareURL;http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%
browser.safebrowsing.reportPhishURL;http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%
extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
extensions.input.happyURL;http://input.mozilla.com/happy
extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
extensions.input.sadURL;http://input.mozilla.com/sad

In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

input.mozilla.com supports HTTPS and in fact connecting over HTTP redirects to HTTPS.
So the URLs in the browser should be over HTTPS.

In , Dolske (dolske) wrote :

(In reply to Eldmannen from comment #6)
> 9 left.
>
> browser.safebrowsing.*

These are fixed by bug 1109475.

> extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> extensions.input.happyURL;http://input.mozilla.com/happy
> extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> extensions.input.sadURL;http://input.mozilla.com/sad

These are not in mozilla-central, and I'm not sure where the relevant code lives... Greg, is this Heartbeat stuff?

In , Willkg (willkg) wrote :

(In reply to Justin Dolske [:Dolske] from comment #8)
> (In reply to Eldmannen from comment #6)
> > 9 left.
> >
> > browser.safebrowsing.*
>
> These are fixed by bug 1109475.
>
> > extensions.input.brokenURL;http://input.mozilla.com/feedback#broken
> > extensions.input.happyURL;http://input.mozilla.com/happy
> > extensions.input.ideaURL;http://input.mozilla.com/feedback#idea
> > extensions.input.sadURL;http://input.mozilla.com/sad
>
> These are not in mozilla-central, and I'm not sure where the relevant code
> lives... Greg, is this Heartbeat stuff?

These are not heartbeat urls. These are feedback urls for the old Input and I'm pretty sure they were fixed ages ago. You can see the instances of "input.mozilla.org" (the correct domain) and "input.mozilla.com" (the old domain) here:

https://dxr.mozilla.org/mozilla-central/search?q=input.mozilla&redirect=true

In , Past-w (past-w) wrote :

All URLs seem to be converted now, with the sole exception of captivedetect.canonicalURL, which by definition cannot use https. Closing.

Changed in firefox:
status: Confirmed → Invalid
Paul White (paulw2u) wrote :

Upstream report showing "RESOLVED WORKSFORME" on 2017-06-22
https://bugzilla.mozilla.org/show_bug.cgi?id=771788#c10
says all URLs now converted. Confirmed here using Firefox 65.0

Changed in firefox (Ubuntu):
status: Confirmed → Fix Released
In , Eldmannen+mozilla (eldmannen+mozilla) wrote :

It is difficult to reproduce this nowadays since about:config has regressed in functionality and no longer searches the value, only the key.
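
Added example, not part of the bug report or Mozilla's code: the "search for http://" check from the report, run over a text dump of preferences instead of the about:config search box. It assumes lines in either the `name;value` form used in this thread or the `user_pref("name", "value");` form of prefs.js; the function names and sample values are constructed for illustration, and the https:// rewrite is only a candidate that still has to be confirmed against the host.

```python
import re

# Prefs that must stay on plain HTTP; the thread names captive-portal detection.
HTTP_ALLOWED = {"captivedetect.canonicalURL"}

# An http:// URL anywhere in a value (a CSP string can embed one mid-value).
HTTP_URL = re.compile(r"http://[^\s;'\"]+", re.IGNORECASE)
# prefs.js / user.js form: user_pref("name", "value");
USER_PREF = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"(.*)"\s*\)\s*;')


def parse_pref(line):
    """Return (name, value) for one line, or None if it is not a string pref."""
    m = USER_PREF.match(line)
    if m:
        return m.group(1), m.group(2)
    name, sep, value = line.strip().partition(";")
    if sep and name and " " not in name:
        return name, value
    return None


def audit(lines):
    """Return [(pref, http_url, candidate_https_url)] for cleartext URLs."""
    findings = []
    for line in lines:
        parsed = parse_pref(line)
        if parsed is None or parsed[0] in HTTP_ALLOWED:
            continue
        name, value = parsed
        for url in HTTP_URL.findall(value):
            findings.append((name, url, "https://" + url[len("http://"):]))
    return findings


# Constructed sample; the captive-portal value is a placeholder, not the real one.
SAMPLE = """\
app.update.url.manual;http://www.firefox.com
extensions.input.happyURL;http://input.mozilla.com/happy
loop.CSP;default-src 'self'; img-src 'self' data: http://www.gravatar.com/ about:; connect-src https://*.mozilla.org
user_pref("devtools.gcli.jquerySrc", "http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js");
captivedetect.canonicalURL;http://portal-check.example/
browser.search.suggest.enabled;true
""".splitlines()

if __name__ == "__main__":
    for name, url, fix in audit(SAMPLE):
        print(f"{name}: {url} -> {fix}")
```

Because the match runs over the whole value, an http:// source buried inside a policy string such as loop.CSP is reported alongside prefs whose entire value is a URL.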

This report contains Public Security information  
Everyone can see this security related information.
