Closed Bug 1341443 Opened 8 years ago Closed 8 years ago

Insecure manual download sites should redirect to https (ftp.mozilla.org, archive.mozilla.org, releases.mozilla.org)

Categories

(Cloud Services :: Operations: Product Delivery, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1306346

People

(Reporter: dveditz, Assigned: jvehent)

Details

We have several sites where people manually download builds. These sites can be reached through insecure http and I doubt users check signatures on their downloaded bits. An insecure connection might be OK for automatic downloads by the stub downloader or .MAR updates where our own tools verify the signatures, but those should be on out of the way places; it's dangerous for human-initiated downloads.
The following sites should redirect from http:// to https://
http://ftp.mozilla.org/pub/
http://archive.mozilla.org/pub/
http://releases.mozilla.org/pub/
I currently get the same cloudfront IP address for all three. HSTS would be a bonus, but I'm most concerned about manual downloads from people putting one of those names bare in a browser toolbar and getting the default insecure version.
This doesn't need to be confidential, people have complained about this in public before. I'm surprised not to have found a bug on this already in fact; maybe it's there with a non-obvious summary.
Group: mozilla-employee-confidential
Summary: Insecure manual download sites should redirect to https:// and probably use HSTS → Insecure manual download sites should redirect to https (ftp.mozilla.org, archive.mozilla.org, releases.mozilla.org)
April, can you help route this to the right folks and suggest a solution?
Assignee: nobody → april
Status: NEW → ASSIGNED
I feel like I've asked :ulfr about this before and been told that a change was coming at some point in the future but that it wasn't soon. :ulfr, am I completely misremembering here?
Note that this also includes:
http://download.cdn.mozilla.net/pub/
http://download-installer.cdn.mozilla.net/pub/
http://releases.mozilla.com/pub/
Why do we have so many aliases for the same thing? I have no idea.
Flags: needinfo?(jvehent)
Assignee: april → jvehent
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Component: General → Operations: Product Delivery
Flags: needinfo?(jvehent)
Product: Enterprise Information Security → Cloud Services
QA Contact: oremj
Resolution: --- → DUPLICATE
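A check for the behaviour requested in this bug, as an added example (not part of the bug thread and not Mozilla's tooling): for each download URL it audits the plain-http response for an https redirect and the https response for a usable HSTS policy. The function names are hypothetical and the responses in SAMPLES are constructed for illustration, not captured from the real hosts.

```python
from urllib.parse import urlsplit

def hsts_max_age(value):
    """max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(url, http_resp, https_resp):
    """Findings for one download URL; an empty list means it passes.

    http_resp / https_resp are (status, headers) pairs for the same path
    fetched over http:// and https://.
    """
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308):
        findings.append(f"http request answered with {status}, not a redirect")
    else:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            findings.append("redirect does not point at https")
        elif target.hostname != urlsplit(url).hostname:
            # HSTS is set per host, so the name the user typed gets no policy.
            findings.append("redirect leaves the requested host")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over http is ignored by browsers (RFC 6797)")
    sts = {k.lower(): v for k, v in https_resp[1].items()}.get("strict-transport-security")
    if sts is None:
        findings.append("https response has no HSTS header")
    elif not hsts_max_age(sts):  # max-age=0 tells the browser to drop the policy
        findings.append("HSTS max-age is missing or zero")
    return findings

# Constructed responses for illustration, not captured from the real hosts.
SAMPLES = {
    "http://ftp.mozilla.org/pub/": ((200, {"Content-Type": "text/html"}), (200, {})),
    "http://archive.mozilla.org/pub/": (
        (301, {"Location": "https://archive.mozilla.org/pub/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000"})),
    "http://releases.mozilla.org/pub/": (
        (302, {"Location": "http://releases.mozilla.org/pub/firefox/"}),
        (200, {"Strict-Transport-Security": "max-age=0"})),
}

def run():
    return {url: audit(url, *pair) for url, pair in SAMPLES.items()}
```

Even when every host passes, the first request typed without a scheme still goes out over http until the browser has seen the HSTS header once.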