Inquiry: downloading Firefox ESR and hash changes on VPN?
Hoang (US), Victor T
Hello all,
When I download Firefox ESR from the Mozilla website while on my company’s VPN, it causes the hash for Firefox executable to change.
What brought this to my attention was that there were folks in the Information Security division, stating that the version of Firefox 78.10.0 ESR I was releasing to the enterprise had a SHA256 hash that didn’t match what was provided in the mozilla website, and what was found in certutil on windows. It caused some concerns for them so I decided to investigate. I figured out that when I was downloading it on my computer while on my company’s VPN, it would change the SHA256 hash (causing it to not match what is documented online). However, if I download it on my own personal device, the hash matches the documentation. Each proceeding download would have a different hash than the last, (e.g. I downloaded Firefox ESR 64 bit from the same link multiple times and it would be the same executable, just with a different hash each time) which I thought was very interesting.
Has anyone experienced this? Any explanations/concerns I should have about this?
Thanks,
Victor
Mike Kaply
--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/eeba685c4e984899b91d336b99cdff5a%40boeing.com.
Hoang (US), Victor T
Thanks Mike, appreciate the info. This explains a lot.
I was grabbing it from https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
Doh!
From: Mike Kaply <mka...@mozilla.com>
Sent: Tuesday, April 27, 2021 8:43 AM
To: Hoang (US), Victor T <victor....@boeing.com>
Cc: enter...@mozilla.org
Subject: [EXTERNAL] Re: [Mozilla Enterprise] Inquiry: downloading Firefox ESR and hash changes on VPN?
|
Klaus Hartnegg
downloaded.
But I cannot reproduce this problem.
These two files are identical
https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=win&lang=de
https://archive.mozilla.org/pub/firefox/releases/78.10.0esr/win32/de/Firefox%20Setup%2078.10.0esr.exe
and they have the checksum
686a2d19dc2a0247a0cebfffcc1484bec14021660ffc97259b662e1c10835cee
which is what is listed in sha256sum
for win32/de/Firefox Setup 78.10.0esr.exe
I would be very concerned if they had a different checksum, and would
refuse to install them.
Mike Kaply
--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/021b0f44-355d-d5ed-4381-4bf4b3dedcd4%40gmx.de.
Klaus Hartnegg
> The download.mozilla.org <http://download.mozilla.org> link (bouncer)
> points to the archive.mozilla.org <http://archive.mozilla.org> file
>
> You get a different checksum if you download from here:
>
> https://www.mozilla.org/en-US/firefox/all/
https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=win&lang=de
Still cannot see a version with other checksum.
Maybe it happens only with 64bit or msi versions?
Mike Kaply
--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/82d4adaa-2baa-6b32-43e1-81923c995103%40gmx.de.