mk-ca-bundle: use secure connection to hg.mozilla.org #1012
Conversation
Previously, connections to hg.mozilla.org were insecure and could be subject to a MitM attack. With this change, someone has to MitM you with a certificate signed by a trusted CA, which is a bit harder.
|
It would only use HTTP instead of HTTPS if you don't have curl installed or your curl has a problem to download the cert data using HTTPS. Maybe we should instead only try plain HTTP if being allowed to with a dedicated command line option? |
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc). - New option -k to allow URLs other than HTTPS and enable HTTP fallback. Prior to this change the default URL retrieval mode was to fall back to HTTP if HTTPS didn't work. Reported-by: Gregory Szorc Bug: curl#1012
Definitely, see master...jay:mk-ca-bundle_https-only_by_default |
|
@jay : a big 👍 on that! |
|
I decided to go ahead and merge @jay's patch here since I think it was a good approach to this and makes mk-ca-bundle.pl better! Thanks both of you! |
|
I forgot about this. I actually worked on the vbs too, I'll find it tomorrow (or today depending on where you're at) and merge it in. |
|
Lovely. I've been pondering about removing the vbs version before as it hasn't gotten the same attention as the perl version, but if you're up to bringing it back to life I'm fine with that too! |
- Change initial message box to mention delay when downloading/parsing. Since there is no progress meter it was somewhat unexpected that after choosing a filename nothing appears to happen, when actually the cert data is in the process of being downloaded and parsed. - Warn if OpenSSL is not present. - Use a UTF-8 stream to make the ca-bundle data. - Save the UTF-8 ca-bundle stream as binary so that no BOM is added. --- This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to ANSI due to corrupt UTF-8 output, now fixed. This change completes making the default certificate bundle output of mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which should make it easier to review any difference between their output. Ref: #1012
|
I just wanted to give a heads up that http://hg.mozilla.org/ will HTTP 301 to https://hg.mozilla.org/ starting around 2017-02-01 0800 PST. I know mk-ca-bundle.pl is used in random places throughout the Internets. So if you hear about it breaking on Wednesday, that's probably why. https://groups.google.com/d/msg/mozilla.dev.version-control/7A6WwhraKm4/QxRs2dw5BAAJ for the full announcement. |
|
Ah right, thanks @indygreg. This will make the mk-ca-bundle.pl start to fail unconditionally unless curl is installed and working on the machine running the script. But I consider the switch a good thing nonetheless and such failures will help users to fix their stuff and get secure transfers going. |
Ref #1012 Figured-out-by: Tatsuhiro Tsujikawa
Previously, connections to hg.mozilla.org were insecure and could be
subject to a MitM attack. With this change, someone has to MitM you
with a certificate signed by a trusted CA, which is a bit harder.