Jan 31, 2017, 1:27:55 PM1/31/17
to Gregory Szorc, dev-version-control, release-engineering, dev-platform, Firefox Dev, dev-builds, mozill...@lists.mozilla.org
I have two extra suggestions for added security benefits:
1. In order to ensure that clients that support CSP will never attempt
to contact the HTTP version of the site for fetching any subresources
that may still point to http:, please make sure to serve the
|Content-Security-Policy: upgrade-insecure-requests| header from HTTP.
2. In order to ensure that clients that support HSTS will never attempt
to contact the HTTP version of the site at all (once they have visited
the https site once), please make sure to serve the
|Strict-Transport-Security: max-age=NNN| header from the HTTPS version
of the site. This will also improve performance for those clients as a
side benefit by eliminating one roundtrip to the server to get the 301
On 2017-01-26 5:17 PM, Gregory Szorc wrote:
> It may be surprising, but hg.mozilla.org
> still accepting plain text connections via http://hg.mozilla.org/
> isn't redirecting them to https://hg.mozilla.org/
> On February 1 likely around 0800 PST, all requests to
will issue an HTTP 301 Moved Permanently redirect
> to https://hg.mozilla.org/
> If anything breaks as a result of this change, the general opinion is it
> deserves to break because it isn't using secure communications and is
> possibly a security vulnerability. Therefore, unless this change causes
> widespread carnage, it is unlikely to be rolled back.
> Please note that a lot of 3rd parties query random content on
>. For example, Curl's widespread
> script for bootstrapping the
> trusted CA bundle queried http://hg.mozilla.org/
until recently . So
> it is likely this change may break random things outside of Mozilla.
> Again, anything not using https://hg.mozilla.org/
should probably be
> treated as a security vulnerability and fixed ASAP.
> For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
> /usr/bin/python on all versions of OS X - see ), hg.mozilla.org
> still supports [marginally secure compared to
> TLS 1.1+] TLS 1.0 connections and will continue to do so for the
> foreseeable future.
> This change is tracked in bug 450645. Please subscribe to stay in the
> loop regarding future changes, such as removing support for TLS 1.0 and
> not accepting plain text http://hg.mozilla.org/
connections at all.
> Please send comments to bug 450645 or reply to