Bug 687164
Opened 13 years ago
Closed 13 years ago
Make the SHA1SUMS file available over HTTPS
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bugzillaPost120030in, Unassigned)
Details
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is a valid URL, but
https://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS is not.
It should be a relatively quick fix to make
https://<something>.mozilla.org/<something>/SHA1SUMS a valid link to the SHA1 checksums.
Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks.
See, e.g. "Insecurities within automatic update systems" by P. Ruissen, R. Vloothuis.
So why can't I find checksums on a secure page? There are SSL certs for www.mozilla.org (and this site) already in place. In theory, very skilled users can use the SHA1SUMS.asc file and gpg to protect themselves, but it's a PITA, and there are no instructions. Remember, most users find the second step in 'Download and Install' to be complicated.
I filed a similar bug against Chrome/Chromium and they fixed it. (https://code.google.com/p/chromium/issues/detail?id=53116) They have changed things so that by default at least, users download Chrome over https. I imagine that doing so for Firefox would require a large infrastructure change, compared to the way Firefox is delivered today (over donated, geographically dispersed bandwidth), so that is NOT the bug/issue I'm reporting under this bug ID, though there should be a bug for tracking that bug/issue, if there isn't already. Note: The Mozilla Manifesto's Principle 4 reads: "Individuals' security on the Internet is fundamental and cannot be treated as optional."
(Might as well do the same with the MD5SUMS file. MD5 is broken, but more widely/readily available and generally better than nothing.)
Closest related bug I found is bug 684767.
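The checksum comparison the description refers to, as an added example that is not part of the bug report or any Mozilla tooling. It assumes the SHA1SUMS file uses the coreutils `sha1sum` line format (`<digest>  <path>`), that its text was obtained over a trusted channel such as the HTTPS URL given in the comments, and all function names, file names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sums(text):
    """Parse sha1sum-style lines ('<40 hex>  <path>') into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, path = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if path.startswith("./"):
            path = path[2:]
        if len(digest) == 40 and all(c in "0123456789abcdef" for c in digest):
            entries[path] = digest
    return entries

def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(download_path, manifest_text, manifest_key):
    """True only if the manifest lists manifest_key and the digest matches."""
    expected = parse_sums(manifest_text).get(manifest_key)
    if expected is None:
        return False  # fail closed: an unlisted file is not a verified file
    return hmac.compare_digest(sha1_of(download_path), expected)

def demo():
    # Constructed sample: a stand-in download and a manifest built for it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        key = "example/installer.bin"  # hypothetical manifest entry
        manifest = "%s  ./%s\n" % (sha1_of(path), key)
        intact = verify(path, manifest, key)
        with open(path, "ab") as f:
            f.write(b"tampered in transit")
        return intact, verify(path, manifest, key), verify(path, manifest, "other.bin")

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the manifest came over: a manifest fetched over plain HTTP can be rewritten by the same party that altered the download.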
Updated•13 years ago
Assignee: server-ops → nobody
Group: mozilla-confidential → mozilla-corporation-confidential
Component: Server Operations: Web Content Push → Release Engineering
QA Contact: mrz → release
Comment 1•13 years ago
Dan, do you think this is worthwhile to do?
Comment 2•13 years ago
You can use https://ftp.m.o for this: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.22/SHA1SUMS
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Comment 3•13 years ago
This file is already available securely from (e.g.) https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/6.0.2/SHA1SUMS
but if we want to do a rewrite rule to make that always happen that would lessen the confusion.
Updated•13 years ago
Group: mozilla-corporation-confidential
Reporter
Comment 4•13 years ago
Daniel, good idea. You're thinking to make
http://releases.mozilla.org/<AnyThing>/SHA1SUMS a 301 redirect to https://ftp.mozilla.org/${SameThing}/SHA1SUMS (and same for MD5)?
Really, I'd like to see the bulk of downloads be secure, and given users are unlikely to compute checksums even if it's easy, I've opened bug 687783: "By default, users should be downloading our products over https."
Assignee
Updated•11 years ago
Product: mozilla.org → Release Engineering