Redirecting http://hg.mozilla.org/ to https://


Gregory Szorc

Jan 26, 2017, 5:17:20 PM
to dev-version-control, release-engineering, dev-platform, Firefox Dev, dev-builds, mozill...@lists.mozilla.org
It may be surprising, but hg.mozilla.org is still accepting plain text
connections via http://hg.mozilla.org/ and isn't redirecting them to
https://hg.mozilla.org/.

On February 1 likely around 0800 PST, all requests to http://hg.mozilla.org/
will issue an HTTP 301 Moved Permanently redirect to https://hg.mozilla.org/.

If anything breaks as a result of this change, the general opinion is it
deserves to break because it isn't using secure communications and is
possibly a security vulnerability. Therefore, unless this change causes
widespread carnage, it is unlikely to be rolled back.

Please note that a lot of 3rd parties query random content on hg.mozilla.org.
For example, Curl's widespread mk-ca-bundle.pl script for bootstrapping the
trusted CA bundle queried http://hg.mozilla.org/ until recently [1]. So it
is likely this change may break random things outside of Mozilla. Again,
anything not using https://hg.mozilla.org/ should probably be treated as a
security vulnerability and fixed ASAP.

For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
/usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org still
supports [marginally secure compared to TLS 1.1+] TLS 1.0 connections and
will continue to do so for the foreseeable future.

This change is tracked in bug 450645. Please subscribe to stay in the loop
regarding future changes, such as removing support for TLS 1.0 and not
accepting plain text http://hg.mozilla.org/ connections at all.

Please send comments to bug 450645 or reply to
dev-versi...@lists.mozilla.org.

[1] https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
[2] https://github.com/Homebrew/homebrew-core/issues/3541

Eric Rescorla

Jan 26, 2017, 6:00:55 PM
to Gregory Szorc, dev-builds, mozill...@lists.mozilla.org, Firefox Dev, dev-platform, release-engineering, dev-version-control
Yes. Kill it with fire!

-Ekr

Ehsan Akhgari

Jan 31, 2017, 1:27:55 PM
to Gregory Szorc, dev-version-control, release-engineering, dev-platform, Firefox Dev, dev-builds, mozill...@lists.mozilla.org
I have two extra suggestions for added security benefits:

1. In order to ensure that clients that support CSP will never attempt
to contact the HTTP version of the site for fetching any subresources
that may still point to http:, please make sure to serve the
|Content-Security-Policy: upgrade-insecure-requests| header from HTTP.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests>

2. In order to ensure that clients that support HSTS will never attempt
to contact the HTTP version of the site at all (once they have visited
the https site once), please make sure to serve the
|Strict-Transport-Security: max-age=NNN| header from the HTTPS version
of the site. This will also improve performance for those clients as a
side benefit by eliminating one roundtrip to the server to get the 301
redirect.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>

Thanks,
Ehsan

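As an added example (not code from this thread, and not hg.mozilla.org's actual server configuration): a small Python model of the behaviour Gregory announces, an HTTP 301 to the https:// equivalent of every plain-text URL, together with the two headers Ehsan suggests, plus a checker that reports which of those three things an observed response is missing. The one-year max-age is an assumption, since the mail leaves NNN open.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed HSTS lifetime (one year, in seconds); the mail leaves NNN open.
HSTS_MAX_AGE = 31536000


def respond(url, extra_headers=None):
    """Return (status, headers) a server following the thread's advice sends."""
    parts = urlsplit(url)
    headers = dict(extra_headers or {})
    if parts.scheme == "http":
        # Plain text: 301 to the same host/path over https, and tell CSP-aware
        # clients to upgrade any http: subresources they would otherwise fetch.
        headers["Location"] = urlunsplit(("https",) + tuple(parts[1:]))
        headers["Content-Security-Policy"] = "upgrade-insecure-requests"
        return 301, headers
    # Over TLS: HSTS so returning clients skip the http round trip entirely.
    headers["Strict-Transport-Security"] = f"max-age={HSTS_MAX_AGE}"
    return 200, headers


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value (None if absent)."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def check(url, status, headers):
    """List policy violations for one observed response; empty means compliant."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    if parts.scheme == "http":
        if status != 301:
            problems.append(f"expected 301 for {url}, got {status}")
        loc = urlsplit(h.get("location", ""))
        if loc.scheme != "https" or loc.netloc != parts.netloc:
            problems.append(f"Location {loc.geturl()!r} is not the https:// equivalent")
        if "upgrade-insecure-requests" not in h.get("content-security-policy", ""):
            problems.append("missing Content-Security-Policy: upgrade-insecure-requests")
    else:
        age = hsts_max_age(h.get("strict-transport-security", ""))
        if age is None or age < HSTS_MAX_AGE:
            problems.append("missing or short-lived Strict-Transport-Security")
    return problems
```

Feeding `check()` the status and headers captured from a real response (for example from `curl -sI`) gives a quick before/after verification of a migration like this one.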

Gregory Szorc

Feb 1, 2017, 11:03:17 AM
to Gregory Szorc, dev-builds, mozill...@lists.mozilla.org, Firefox Dev, dev-platform, release-engineering, dev-version-control
http://hg.mozilla.org now HTTP 301s to https://hg.mozilla.org/. Please
report any problems against bug 450645 and/or make noise in #vcs on
irc.mozilla.org.
