
posted by janrinok on Monday August 23, @11:59PM

https://therecord.media/firefox-follows-chrome-and-prepares-to-block-insecure-downloads/

Mozilla developers are putting the finishing touches on a new feature that will block insecure file downloads in Firefox.

Called mixed content download blocking, the feature works by blocking file downloads initiated from an encrypted HTTPS page but which actually take place via an unencrypted HTTP channel.

The idea behind this feature is to prevent Firefox users from being misled by the URL bar into thinking they're downloading a file securely via HTTPS when, in reality, the file could be tampered with by third parties while in transit.


Original Submission

  • (Score: 2) by Runaway1956 on Tuesday August 24, @12:10AM

    by Runaway1956 (2926) Subscriber Badge on Tuesday August 24, @12:10AM (#1170074) Homepage Journal
    --
    Let's go Brandon!
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday August 24, @12:43AM (4 children)

    by Anonymous Coward on Tuesday August 24, @12:43AM (#1170082)

    If I want to distribute a file, will I be allowed to purchase a license associated with my real name so that Firefox will unblock it? I hope so.

    • (Score: 2) by Tork on Tuesday August 24, @12:48AM (3 children)

      by Tork (3914) on Tuesday August 24, @12:48AM (#1170086)
      Are you forced to distribute it from an HTTPS site?
      --
      Slashdolt Logic: "24 year old jokes about sharks and lasers are +5, Funny." 💩
      • (Score: 1, Touché) by Anonymous Coward on Tuesday August 24, @01:15AM (2 children)

        by Anonymous Coward on Tuesday August 24, @01:15AM (#1170096)

        Are you forced to distribute it from an HTTPS site?

        What, are YOU not? Most sites are HTTPS-only these days.

        Constantly playing stupid for contrariness' sake is a risky game; in time the mask may become the face.

        • (Score: 2) by Tork on Tuesday August 24, @02:22AM (1 child)

          by Tork (3914) on Tuesday August 24, @02:22AM (#1170116)
          Yeah yeah, you gotta master your fears before they master you and other cosmetic attempts to beef up your wisdom. If you're using a hosting service you're probably already good. If you're spinning up your own server then you're not required to use HTTPS... or if you are you've already solved your own problem. You're either over-reacting or there's another case I'm oblivious to and I don't mind eating a lil humble pie if I can learn somethin'.
          --
          Slashdolt Logic: "24 year old jokes about sharks and lasers are +5, Funny." 💩
          • (Score: 3, Funny) by coolgopher on Tuesday August 24, @04:11AM

            by coolgopher (1157) Subscriber Badge on Tuesday August 24, @04:11AM (#1170150)

            As long as they're not blocking explicit HTTPS->HTTP link clicks it should be fine. I'd say "surely they wouldn't be stupid enough to do otherwise", but it is Mozilla we're talking about...

  • (Score: 3, Insightful) by MIRV888 on Tuesday August 24, @12:46AM (1 child)

    by MIRV888 (11376) on Tuesday August 24, @12:46AM (#1170085)

    Your science words are hard and probably made up.

    • (Score: 0) by Anonymous Coward on Tuesday August 24, @07:11PM

      by Anonymous Coward on Tuesday August 24, @07:11PM (#1170467)

      In other words: fake news.

  • (Score: 5, Interesting) by hendrikboom on Tuesday August 24, @01:45AM (17 children)

    by hendrikboom (1125) on Tuesday August 24, @01:45AM (#1170105) Homepage Journal

    My website is http only.
    So if someone links to a file here from an https: site, it will be impossible to download it.

    The main site for Devuan Linux is accessible to https:
    So if someone links from it to download a package, they will be in trouble.

    Packages are downloaded with http: The extra cost of http: is considered to be a waste because the installer does a checksum and checks a digital signature for every package. Fakes will be detected.

    • (Score: 2) by c0lo on Tuesday August 24, @02:21AM (10 children)

      by c0lo (156) Subscriber Badge on Tuesday August 24, @02:21AM (#1170115) Journal

      Packages are downloaded with http:

      Are you downloading the packages from devuan repos using Firefox? Why?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 0) by Anonymous Coward on Tuesday August 24, @02:48AM (1 child)

        by Anonymous Coward on Tuesday August 24, @02:48AM (#1170122)

        I've used a browser to download packages from snapshot.debian.org to roll back an updated package. If no/few deps, it is path of least resistance to just download it, and dpkg -i .

        But, yeah, I've only done this a couple times in the last 25 years, and wget/curl would work fine.

        I don't think this particular change is bad. It addresses a real attack vector, and there are easy workarounds. But, after all the paternalistic nonsense coming out of the major browsers over the last decade, I have an (irrational) negative feeling reading this news.

        • (Score: -1, Redundant) by Anonymous Coward on Tuesday August 24, @02:56AM

          by Anonymous Coward on Tuesday August 24, @02:56AM (#1170125)

          But, yeah, I've only done this a couple times in the last 25 years, and wget/curl would work fine.

          ++

      • (Score: 4, Informative) by hendrikboom on Tuesday August 24, @03:19AM (7 children)

        by hendrikboom (1125) on Tuesday August 24, @03:19AM (#1170139) Homepage Journal

        Because I had to download packages to make wifi work on a different computer, to be passed on by sneakernet so I wouldn't have to do it again.
        And my firefox doesn't have that restriction yet.

        • (Score: 3, Informative) by c0lo on Tuesday August 24, @06:00AM (4 children)

          by c0lo (156) Subscriber Badge on Tuesday August 24, @06:00AM (#1170168) Journal

          wget/curl when your firefox is gonna have this restriction.
          Worked before, it will continue to work in the future.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
          • (Score: 0) by Anonymous Coward on Tuesday August 24, @02:56PM (3 children)

            by Anonymous Coward on Tuesday August 24, @02:56PM (#1170342)

            Try doing a file download in powershell without searching for an answer.

            • (Score: 1, Funny) by Anonymous Coward on Tuesday August 24, @05:09PM (1 child)

              by Anonymous Coward on Tuesday August 24, @05:09PM (#1170396)

              Does Linux come with Powershell now?

              • (Score: 2) by DeVilla on Sunday August 29, @01:03AM

                by DeVilla (5354) on Sunday August 29, @01:03AM (#1171910)

                I believe in this example, the Linux host was the one in need of a wifi package to correct the network problem.

                To answer your question, I believe power shell is available for Linux, but I don't know of a distribution that ships with it. I wouldn't be surprised if it's available in Ubuntu in a repo or some "software store" app.

            • (Score: 0) by Anonymous Coward on Friday August 27, @09:31AM

              by Anonymous Coward on Friday August 27, @09:31AM (#1171371)

              Invoke-WebRequest http://example.com/

        • (Score: 2) by DeVilla on Sunday August 29, @01:06AM (1 child)

          by DeVilla (5354) on Sunday August 29, @01:06AM (#1171912)

          And my firefox doesn't have that restriction yet.

          Be patient. It will.

    • (Score: 2) by darkfeline on Tuesday August 24, @07:55AM (5 children)

      by darkfeline (1030) on Tuesday August 24, @07:55AM (#1170203) Homepage

      It's unfortunate that you (and Devuan) don't value your users' privacy. By only offering http, you force users to access your content in a manner that can be eavesdropped. Even Tor exposes the data to exit nodes.

      I hope Devuan doesn't provide any packages which may cause trouble for people known to be downloading them, like, say, Tor. If only they provided https so that the specific content a user accessed is private.

      Ah well, a small price to pay to save you the few cents in CPU cycles and few minutes setting up LetsEncrypt.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 0) by Anonymous Coward on Tuesday August 24, @09:31AM

        by Anonymous Coward on Tuesday August 24, @09:31AM (#1170231)

        >Even Tor exposes the data to exit nodes.

        Not if you use a Tor .onion site. It's explained well enough on their site.

        Anyway, I don't know about other distros, but with Debian you can use Tor .onions and there are ZERO LEAKS:

        See this:

        https://onion.debian.org/

        Now scroll to the very bottom and it will show .onion URLs which do NOT leak to exit nodes.

      • (Score: 0) by Anonymous Coward on Tuesday August 24, @11:36AM (3 children)

        by Anonymous Coward on Tuesday August 24, @11:36AM (#1170264)

        It would be quite easy to tell which Debian package you downloaded by observing the number of bytes transferred, would it not?

        • (Score: 0) by Anonymous Coward on Tuesday August 24, @05:49PM (2 children)

          by Anonymous Coward on Tuesday August 24, @05:49PM (#1170438)

          It would be quite easy to tell which Debian package you downloaded by observing the number of bytes transferred, would it not?

          Yes, and even if that were ambiguous most people will be downloading not just one package but rather a package and at least some of its dependencies, which taken together can be expected to accurately identify what packages you are requesting with very high confidence.

          HTTPS does nothing to conceal which servers you are talking to and does nothing to conceal traffic patterns.

          • (Score: 0) by Anonymous Coward on Wednesday August 25, @11:03AM (1 child)

            by Anonymous Coward on Wednesday August 25, @11:03AM (#1170767)

            >HTTPS does nothing to conceal which servers you are talking to and does nothing to conceal traffic patterns.

            This is via .onion, not via plain HTTPS.

            • (Score: 0) by Anonymous Coward on Friday August 27, @09:39AM

              by Anonymous Coward on Friday August 27, @09:39AM (#1171373)

              By only offering http, you force users to access your content in a manner that can be eavesdropped. Even Tor exposes the data to exit nodes.

              The stated threat model was not just exit nodes monitoring your connection. Without TOR at all, even HTTPS doesn't offer the security they claim. But even if that were the threat model, even exit nodes can still eavesdrop on your HTTPS package downloads and know what packages their users are downloading.
