Inquiry: downloading Firefox ESR and hash changes on VPN?

3 views
Skip to first unread message

Hoang (US), Victor T

unread,
Apr 26, 2021, 6:37:57 PMApr 26
to enter...@mozilla.org

Hello all,

 

When I download Firefox ESR from the Mozilla website while on my company’s VPN, it causes the hash for Firefox executable to change.

 

What brought this to my attention was that there were folks in the Information Security division, stating that the version of Firefox 78.10.0 ESR I was releasing to the enterprise had a SHA256 hash that didn’t match what was provided in the mozilla website, and what was found in certutil on windows. It caused some concerns for them so I decided to investigate. I figured out that when I was downloading it on my computer while on my company’s VPN, it would change the SHA256 hash (causing it to not match what is documented online). However, if I download it on my own personal device, the hash matches the documentation. Each proceeding download would have a different hash than the last, (e.g. I downloaded Firefox ESR 64 bit from the same link multiple times and it would be the same executable, just with a different hash each time) which I thought was very interesting.

 

Has anyone experienced this? Any explanations/concerns I should have about this?

 

Thanks,

Victor

Mike Kaply

unread,
Apr 27, 2021, 11:43:41 AMApr 27
to Hoang (US), Victor T, enter...@mozilla.org
See this bug for more info:


Basically the checksum is only valid for builds downloaded directly from the FTP.

Other download locations have attribution which affects the checksum.

Mike

--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/eeba685c4e984899b91d336b99cdff5a%40boeing.com.

Hoang (US), Victor T

unread,
Apr 27, 2021, 1:43:48 PMApr 27
to Mike Kaply, enter...@mozilla.org

Thanks Mike, appreciate the info. This explains a lot.

 

I was grabbing it from https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

 

Doh!

 

From: Mike Kaply <mka...@mozilla.com>
Sent: Tuesday, April 27, 2021 8:43 AM
To: Hoang (US), Victor T <victor....@boeing.com>
Cc: enter...@mozilla.org
Subject: [EXTERNAL] Re: [Mozilla Enterprise] Inquiry: downloading Firefox ESR and hash changes on VPN?

 

EXT email: be mindful of links/attachments.


 

Klaus Hartnegg

unread,
Apr 27, 2021, 5:12:12 PMApr 27
to enter...@mozilla.org
Files should never ever be modified depeding on from where they are
downloaded.

But I cannot reproduce this problem.

These two files are identical
https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=win&lang=de
https://archive.mozilla.org/pub/firefox/releases/78.10.0esr/win32/de/Firefox%20Setup%2078.10.0esr.exe

and they have the checksum
686a2d19dc2a0247a0cebfffcc1484bec14021660ffc97259b662e1c10835cee
which is what is listed in sha256sum
for win32/de/Firefox Setup 78.10.0esr.exe

I would be very concerned if they had a different checksum, and would
refuse to install them.

Mike Kaply

unread,
Apr 27, 2021, 5:15:08 PMApr 27
to Klaus Hartnegg, enter...@mozilla.org
The download.mozilla.org link (bouncer) points to the archive.mozilla.org file (actually, the one on our S3) so it would be the same build.

You get a different checksum if you download from here:


Mike

--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.

Klaus Hartnegg

unread,
Apr 27, 2021, 5:27:52 PMApr 27
to enter...@mozilla.org
Am 27.04.2021 um 23:14 schrieb Mike Kaply:
> The download.mozilla.org <http://download.mozilla.org> link (bouncer)
> points to the archive.mozilla.org <http://archive.mozilla.org> file
> (actually, the one on our S3) so it would be the same build.
>
> You get a different checksum if you download from here:
>
> https://www.mozilla.org/en-US/firefox/all/
No. This is where I got the download link
https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=win&lang=de

Still cannot see a version with other checksum.

Maybe it happens only with 64bit or msi versions?

Mike Kaply

unread,
Apr 27, 2021, 5:32:16 PMApr 27
to Klaus Hartnegg, Mozilla.org
It might be only if attribution data was set when linking to the page.

But as you've found, in most cases it matches.

Mike

--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
Reply all
Reply to author
Forward
0 new messages