https://therecord.media/firefox-follows-chrome-and-prepares-to-block-insecure-downloads/
Mozilla developers are putting the finishing touches on a new feature that will block insecure file downloads in Firefox.
Called mixed content downloaded blocking, the feature works by blocking files downloads initiated from an encrypted HTTPS page but which actually take place via an unencrypted HTTP channel.
The idea behind this feature is to prevent Firefox users from getting misled by the URL bar and think they're downloading a file securely via HTTPS when, in reality, the file could be tampered with by third parties while in transit.
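As an added illustration (not Mozilla's code or the article's), the rule described above modelled in JavaScript: a download is flagged when the initiating page is HTTPS but the file itself is fetched over plain HTTP. Treating any insecure hop in a redirect chain as tainting the download, and allowing loopback hosts, are assumptions made here, not behaviour the article states.

```javascript
// Added example, not Firefox's implementation: a model of "mixed content
// download blocking". Redirect-chain handling and the loopback allowance
// below are assumptions, not rules the article describes.

const SECURE_SCHEMES = new Set(["https:", "wss:", "data:", "blob:", "file:"]);

// Assumption: loopback hosts count as secure even over http:
function isLoopback(hostname) {
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

function isSecureUrl(urlString) {
  const u = new URL(urlString);
  if (SECURE_SCHEMES.has(u.protocol)) return true;
  return u.protocol === "http:" && isLoopback(u.hostname);
}

/**
 * Decide whether a download should be blocked as mixed content.
 * @param {string} initiatorUrl  URL of the page the user clicked on
 * @param {string[]} chain       every URL the download request touched, from
 *                               first request to final response (constructed)
 * @returns {{blocked: boolean, reason: string}}
 */
function classifyDownload(initiatorUrl, chain) {
  if (!isSecureUrl(initiatorUrl)) {
    return { blocked: false, reason: "initiator is not secure; no mixed content" };
  }
  const insecureHop = chain.find((url) => !isSecureUrl(url));
  if (insecureHop === undefined) {
    return { blocked: false, reason: "every hop is secure" };
  }
  return { blocked: true, reason: `insecure hop: ${insecureHop}` };
}

// Constructed sample cases that exercise each branch.
const SAMPLE_CASES = [
  ["https://example.test/page", ["http://mirror.example.test/pkg.deb"]],
  ["https://example.test/page", ["https://example.test/dl", "http://cdn.example.test/pkg.deb"]],
  ["https://example.test/page", ["https://cdn.example.test/pkg.deb"]],
  ["http://example.test/page", ["http://mirror.example.test/pkg.deb"]],
  ["https://example.test/page", ["http://localhost:8000/pkg.deb"]],
];

for (const [page, chain] of SAMPLE_CASES) {
  const { blocked, reason } = classifyDownload(page, chain);
  console.log(`${blocked ? "BLOCK" : "allow"}  ${page} -> ${chain.join(" -> ")}  (${reason})`);
}
```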
Firefox Follows Chrome and Prepares to Block Insecure Downloads
(Score: 2) by Runaway1956 on Tuesday August 24 2021, @12:10AM
wget https://www.wehaxu.net/exploits/phishers/suspiciousfile
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2, Insightful) by Anonymous Coward on Tuesday August 24 2021, @12:43AM (4 children)
If I want to distribute a file, will I be allowed to purchase a license associate with my real name so that Firefox will unblock it? I hope so.
(Score: 2) by Tork on Tuesday August 24 2021, @12:48AM (3 children)
🏳️🌈 Proud Ally 🏳️🌈
(Score: 1, Touché) by Anonymous Coward on Tuesday August 24 2021, @01:15AM (2 children)
What, are YOU not? Most sites are HTTPS-only these days.
Constantly playing stupid for contrariness sake is a risky game; in time the mask may become the face.
(Score: 2) by Tork on Tuesday August 24 2021, @02:22AM (1 child)
🏳️🌈 Proud Ally 🏳️🌈
(Score: 3, Funny) by coolgopher on Tuesday August 24 2021, @04:11AM
As long as they're not blocking explicit HTTPS->HTTP link clicks it should be fine. I'd say "surely they wouldn't be stupid enough to do otherwise", but it is Mozilla we're talking about...
(Score: 3, Insightful) by MIRV888 on Tuesday August 24 2021, @12:46AM (1 child)
Your science words are hard and probably made up.
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @07:11PM
In other words: fake news.
(Score: 5, Interesting) by hendrikboom on Tuesday August 24 2021, @01:45AM (17 children)
My website is http only.
So if someone links to a file here from an https: site, it will be impossible to download it.
The main site for Devuan Linux is accessible to https:
So if someone links from it to download a package, they will be in trouble.
Packages are downloaded with http: The extra cost of http: is considered to be a waste because the installer does a checksum and checks a digital signature for every package. Fakes will be detected.
(Score: 2) by c0lo on Tuesday August 24 2021, @02:21AM (10 children)
Are you downloading the packages from devuan repos using Firefox? Why?
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @02:48AM (1 child)
I've used a browser to download packages from snapshot.debian.org to roll back an updated package. If no/few deps, it is path of least resistance to just download it, and dpkg -i .
But, yeah, I've only done this a couple times in the last 25 years, and wget/curl would work fine.
I don't think this particular change is bad. It addresses a real attack vector, and there are easy workarounds. But, after all the paternalistic nonsense coming out of the major browsers over the last decade, I have an (irrational) negative feeling reading this news.
(Score: -1, Redundant) by Anonymous Coward on Tuesday August 24 2021, @02:56AM
++
(Score: 4, Informative) by hendrikboom on Tuesday August 24 2021, @03:19AM (7 children)
Because I had to download packages to make wifi work on a different computer, to be passed on by sneakernet so I wouldn't have to do it again.
And my firefox doesn't have that restriction yet.
(Score: 3, Informative) by c0lo on Tuesday August 24 2021, @06:00AM (4 children)
wget/curl when your firefox is gonna have this restriction.
Worked before, it will continue to work in the future.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @02:56PM (3 children)
Try doing a file download in powershell without searching for an answer.
(Score: 1, Funny) by Anonymous Coward on Tuesday August 24 2021, @05:09PM (1 child)
Does Linux come with Powershell now?
(Score: 2) by DeVilla on Sunday August 29 2021, @01:03AM
I believe in this example, the Linux host was the one in need of a wifi package to correct the network problem.
To answer your question, I believe PowerShell is available for Linux, but I don't know of a distribution that ships with it. I wouldn't be surprised if it's available in Ubuntu in a repo or some "software store" app.
(Score: 0) by Anonymous Coward on Friday August 27 2021, @09:31AM
Invoke-WebRequest http://example.com/
(Score: 2) by DeVilla on Sunday August 29 2021, @01:06AM (1 child)
Be patient. It will.
(Score: 2) by hendrikboom on Monday August 30 2021, @09:31PM
I did say "yet".
(Score: 2) by darkfeline on Tuesday August 24 2021, @07:55AM (5 children)
It's unfortunate that you (and Devuan) don't value your users' privacy. By only offering http, you force users to access your content in a manner that can be eavesdropped. Even Tor exposes the data to exit nodes.
I hope Devuan doesn't provide any packages which may cause trouble for people known to be downloading them, like, say, Tor. If only they provided https so that the specific content a user accessed is private.
Ah well, a small price to pay to save you the few cents in CPU cycles and few minutes setting up LetsEncrypt.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @09:31AM
>Even Tor exposes the data to exit nodes.
Not if you use a Tor .onion site. It's explained well enough on their site.
Anyway, I don't know about other distros, but with Debian you can use Tor .onions and there are ZERO LEAKS:
See this:
https://onion.debian.org/
Now scroll to the very bottom and it will show .onion URLs which do NOT leak to exit nodes.
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @11:36AM (3 children)
It would be quite easy to tell which Debian package you downloaded by observing the number of bytes transferred, would it not?
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @05:49PM (2 children)
Yes, and even if that were ambiguous most people will be downloading not just one package but rather a package and at least some of its dependencies, which taken together can be expected to accurately identify what packages you are requesting with very high confidence.
HTTPS does nothing to conceal which servers you are talking to and does nothing to conceal traffic patterns.
(Score: 0) by Anonymous Coward on Wednesday August 25 2021, @11:03AM (1 child)
>HTTPS does nothing to conceal which servers you are talking to and does nothing to conceal traffic patterns.
This is via .onion, not via plain HTTPS.
(Score: 0) by Anonymous Coward on Friday August 27 2021, @09:39AM
The stated threat model was not just exit nodes monitoring your connection. Without TOR at all, even HTTPS doesn't offer the security they claim. But even if that were the threat model, even exit nodes can still eavesdrop on your HTTPS package downloads and know what packages their users are downloading.