Yes. Kill it with fire!

-Ekr


On Fri, Jan 27, 2017 at 7:17 AM, Gregory Szorc <g...@mozilla.com> wrote:

> It may be surprising, but hg.mozilla.org is still accepting plain text
> connections via http://hg.mozilla.org/ and isn't redirecting them to
> https://hg.mozilla.org/.
>
> On February 1 likely around 0800 PST, all requests to
> http://hg.mozilla.org/ will issue an HTTP 301 Moved Permanently redirect
> to https://hg.mozilla.org/.
>
> If anything breaks as a result of this change, the general opinion is it
> deserves to break because it isn't using secure communications and is
> possibly a security vulnerability. Therefore, unless this change causes
> widespread carnage, it is unlikely to be rolled back.
>
> Please note that a lot of 3rd parties query random content on
> hg.mozilla.org. For example, Curl's widespread mk-ca-bundle.pl script for
> bootstrapping the trusted CA bundle queried http://hg.mozilla.org/ until
> recently [1]. So it is likely this change may break random things outside
> of Mozilla. Again, anything not using https://hg.mozilla.org/ should
> probably be treated as a security vulnerability and fixed ASAP.
>
> For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
> /usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org still
> supports [marginally secure compared to TLS 1.1+] TLS 1.0 connections and
> will continue to do so for the foreseeable future.
>
> This change is tracked in bug 450645. Please subscribe to stay in the loop
> regarding future changes, such as removing support for TLS 1.0 and not
> accepting plain text http://hg.mozilla.org/ connections at all.
>
> Please send comments to bug 450645 or reply to
> dev-version-control@lists.mozilla.org.
>
> [1] https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
> [2] https://github.com/Homebrew/homebrew-core/issues/3541
>
> _______________________________________________
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
>
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
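
An added example, not part of the original thread and not Mozilla tooling: a small Python audit helper for the announcement's point that anything still referencing http://hg.mozilla.org/ should be found and switched to https://hg.mozilla.org/. The function names, the regular expression and the sample input are constructed for illustration.

```python
import re

# Matches plain-text URLs whose host is exactly hg.mozilla.org (optionally
# with the default port :80), case-insensitively. The lookbehind rejects
# longer schemes such as "xhttp://"; the lookahead rejects lookalike hosts
# (hg.mozilla.org.example.net) and non-default ports (hg.mozilla.org:8000).
PLAIN_HG = re.compile(
    r"(?<![A-Za-z0-9+.\-])http://hg\.mozilla\.org(?::80)?"
    r"(?=[/?#\s\"'<>)\]]|$)",
    re.IGNORECASE,
)


def find_plaintext_refs(text):
    """Return (line_number, matched_prefix) for every plain-HTTP reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PLAIN_HG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def upgrade_to_https(text):
    """Rewrite each match to https://hg.mozilla.org, dropping an explicit :80."""
    return PLAIN_HG.sub("https://hg.mozilla.org", text)


# Constructed sample input; paths are placeholders, not real repository paths.
SAMPLE = """\
# constructed build-script fragment
my $base = "http://hg.mozilla.org/path/to/file";
curl -O HTTP://HG.MOZILLA.ORG:80/path/to/other
ok = "https://hg.mozilla.org/path/to/file"
lookalike = "http://hg.mozilla.org.example.net/x"
other_port = "http://hg.mozilla.org:8000/x"
"""

if __name__ == "__main__":
    for lineno, url in find_plaintext_refs(SAMPLE):
        print(f"line {lineno}: plain-text reference {url}")
    print(upgrade_to_https(SAMPLE))
```

Lookalike hosts and non-default ports are deliberately left alone so that a rewrite never changes where a request goes, only whether it is encrypted.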
