Redirecting http://hg.mozilla.org/ to https://


Redirecting http://hg.mozilla.org/ to https://

Gregory Szorc-3
It may be surprising, but hg.mozilla.org is still accepting plain text connections via http://hg.mozilla.org/ and isn't redirecting them to https://hg.mozilla.org/.

On February 1 likely around 0800 PST, all requests to http://hg.mozilla.org/ will issue an HTTP 301 Moved Permanently redirect to https://hg.mozilla.org/.

If anything breaks as a result of this change, the general opinion is it deserves to break because it isn't using secure communications and is possibly a security vulnerability. Therefore, unless this change causes widespread carnage, it is unlikely to be rolled back.

Please note that a lot of 3rd parties query random content on hg.mozilla.org. For example, Curl's widespread mk-ca-bundle.pl script for bootstrapping the trusted CA bundle queried http://hg.mozilla.org/ until recently [1]. So it is likely this change may break random things outside of Mozilla. Again, anything not using https://hg.mozilla.org/ should probably be treated as a security vulnerability and fixed ASAP.

For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and /usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org still supports [marginally secure compared to TLS 1.1+] TLS 1.0 connections and will continue to do so for the foreseeable future.

This change is tracked in bug 450645. Please subscribe to stay in the loop regarding future changes, such as removing support for TLS 1.0 and not accepting plain text http://hg.mozilla.org/ connections at all.

Please send comments to bug 450645 or reply to [hidden email].

_______________________________________________
dev-builds mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-builds

Re: Redirecting http://hg.mozilla.org/ to https://

Eric Rescorla
Yes. Kill it with fire!

-Ekr


On Fri, Jan 27, 2017 at 7:17 AM, Gregory Szorc <[hidden email]> wrote:

Re: Redirecting http://hg.mozilla.org/ to https://

Ehsan Akhgari
In reply to this post by Gregory Szorc-3
I have two extra suggestions for added security benefits:

1. In order to ensure that clients that support CSP will never attempt
to contact the HTTP version of the site for fetching any subresources
that may still point to http:, please make sure to serve the
|Content-Security-Policy: upgrade-insecure-requests| header from HTTP.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests>

2. In order to ensure that clients that support HSTS will never attempt
to contact the HTTP version of the site at all (once they have visited
the https site once), please make sure to serve the
|Strict-Transport-Security: max-age=NNN| header from the HTTPS version
of the site.  This will also improve performance for those clients as a
side benefit by eliminating one roundtrip to the server to get the 301
redirect.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>

Thanks,
Ehsan

On 2017-01-26 5:17 PM, Gregory Szorc wrote:

> It may be surprising, but hg.mozilla.org is still accepting plain text
> connections via http://hg.mozilla.org/ and isn't redirecting them to
> https://hg.mozilla.org/.
>
> On February 1 likely around 0800 PST, all requests to
> http://hg.mozilla.org/ will issue an HTTP 301 Moved Permanently redirect
> to https://hg.mozilla.org/.
>
> If anything breaks as a result of this change, the general opinion is it
> deserves to break because it isn't using secure communications and is
> possibly a security vulnerability. Therefore, unless this change causes
> widespread carnage, it is unlikely to be rolled back.
>
> Please note that a lot of 3rd parties query random content on
> hg.mozilla.org. For example, Curl's widespread mk-ca-bundle.pl script
> for bootstrapping the trusted CA bundle queried http://hg.mozilla.org/
> until recently [1]. So it is likely this change may break random things
> outside of Mozilla. Again, anything not using https://hg.mozilla.org/
> should probably be treated as a security vulnerability and fixed ASAP.
>
> For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
> /usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org
> still supports [marginally secure compared to TLS 1.1+] TLS 1.0
> connections and will continue to do so for the foreseeable future.
>
> This change is tracked in bug 450645. Please subscribe to stay in the
> loop regarding future changes, such as removing support for TLS 1.0 and
> not accepting plain text http://hg.mozilla.org/ connections at all.
>
> Please send comments to bug 450645 or reply to [hidden email].
>
> [1] https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
> [2] https://github.com/Homebrew/homebrew-core/issues/3541

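To verify a migration like the one announced in this thread (an HTTP 301 from http:// to https://) together with the two headers Ehsan suggests, here is an added Python example; it is not code from the thread, from hg.mozilla.org or from Mozilla. It parses constructed HTTP response heads offline instead of contacting any server, and the sample values (the Location target, the max-age, the one-year minimum) are assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample response heads, not captured from hg.mozilla.org.
HTTP_301 = (b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://hg.mozilla.org/\r\n"
            b"Content-Security-Policy: upgrade-insecure-requests\r\nContent-Length: 0\r\n\r\n")
HTTPS_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html></html>")
LEGACY_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status code, lower-cased header name -> list of values)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def check_plaintext_response(raw: bytes, host: str) -> Dict[str, bool]:
    """Findings for the answer served on http://<host>/ (the 301 side)."""
    status, h = parse_response_head(raw)
    target = urlsplit(h.get("location", [""])[0])
    csp = ";".join(h.get("content-security-policy", []))
    directives = [d.strip().lower() for d in csp.split(";")]
    return {
        "permanent_redirect": status == 301,
        "redirects_to_https_same_host": target.scheme == "https" and target.hostname == host,
        "upgrade_insecure_requests": "upgrade-insecure-requests" in directives,
    }

def check_https_response(raw: bytes, min_age: int = 31536000) -> Dict[str, bool]:
    """Findings for the answer served on https://<host>/ (the HSTS side)."""
    # Browsers honour Strict-Transport-Security only over HTTPS, so it is
    # evaluated on this response rather than on the plain-text one.
    _, h = parse_response_head(raw)
    directives: Dict[str, str] = {}
    for d in h.get("strict-transport-security", [""])[0].split(";"):
        name, _, value = d.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    return {
        "hsts_present": "max-age" in directives,
        "max_age_ok": max_age.isdigit() and int(max_age) >= min_age,
    }
```

Feeding the same checks the real response heads captured with a TLS-capable client gives a quick regression test that the 301 and both headers stay in place after the cutover.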

Re: Redirecting http://hg.mozilla.org/ to https://

Gregory Szorc-3
In reply to this post by Gregory Szorc-3
http://hg.mozilla.org now HTTP 301s to https://hg.mozilla.org/. Please report any problems against bug 450645 and/or make noise in #vcs on irc.mozilla.org.

On Thu, Jan 26, 2017 at 2:17 PM, Gregory Szorc <[hidden email]> wrote: