Open Bug 1146911 Opened 10 years ago Updated 2 years ago

Malicious files are successfully downloaded through a download area using SSL enabled protocol.

Categories

(Firefox :: Downloads Panel, defect)

38 Branch
defect

People

(Reporter: VarCat, Unassigned)

Attachments

(1 file)

FF 38
Build id: 20150323004010
OS: Win 7 x64, Ubuntu 14.04 x86, Mac OS X 10.7.5

STR:
1. Go to http://www.eicar.org/85-0-Download.html
2. Download eicar.com from "Download area using the secure, SSL enabled protocol https" section (eg: https://secure.eicar.org/eicar.com)

Issue: The file is successfully downloaded without being blocked.
Monica, do you know if the integrity check is bypassed for SSL downloads?
Flags: needinfo?(mmc)
Flags: needinfo?(mmc)
No, it is not skipped for SSL downloads. Francois is asking Google to put that download on their blocklist. Note that Chrome seems to be showing the POTENTIALLY_UNWANTED warning which we don't yet implement, but could now that the quarantine is implemented (see https://bugzilla.mozilla.org/show_bug.cgi?id=1019933).
Flags: needinfo?(francois)
Also related is that we don't currently do remote metadata lookups for Mac and Linux: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741
True, seems like comment 0 tried it out on Windows though.
Flags: needinfo?(francois)
Depends on: 1019933
No longer depends on: 1019933
Severity: normal → S3