Closed Bug 845769 Opened 12 years ago Closed 12 years ago

Possibility to intercept and provide a client with a maliciously modified Firefox download.

Categories

(Cloud Services :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 358384

People

(Reporter: superriku11, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4

Steps to reproduce:

Downloaded Firefox and noticed the issue (further described below).

Actual results:

On the SSL secured Mozilla homepage (https://www.mozilla.org/) I clicked the Firefox download button. I have tested this on Mac OS X 10.7 (Lion), Debian 6.0.6, and Windows 7, and can confirm the issue is not linked to just a single OS-specific download.

On the main Mozilla site users can elect to securely browse by making sure their URL begins with https instead of http. This is good for ensuring the content you see is truly from Mozilla and not being modified by a man-in-the-middle attack. However, when downloading Firefox, the URL that the download page automatically directs your browser to is an unsecured http link, even in the case of browsing the https/SSL secured mozilla.org site. The main URL of the download is http://download.cdn.mozilla.net. Attached is a screenshot pointing this out more clearly.

Expected results:

Ideally, the URL the browser is directed to in order to download Firefox should be https/SSL if the user was browsing the SSL secured Mozilla site. It'd be a good idea even if the user was browsing the unsecured http site. Having the Firefox download unsecured by default means that a user's connection could be intercepted any number of ways, and then the user could very easily and unknowingly be downloading a modified version of Firefox. Depending on the intents of the hacker modifying Firefox, they could do anything from simply recording input all the way to executing arbitrary code and having the current user's level of control over the computer.

Furthermore, I have monitored a Firefox update (prompted by going to "About Firefox" and clicking "Check for Updates") downloading from 63.116.244.179 on port 80. So updates, presumably automatic ones as well, are also unsecured.

To finalize, Firefox downloads (presumably, other Mozilla products may have this same issue) should be over a SSL secured (https) connection if the user has manually opted to use the greater security SSL-enabled Mozilla site. It would be ideal if even users from the plain http site were directed to a SSL secured download for greater security. Thank you for taking the time to read my report. =]
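The downgrade the reporter describes (an https page whose download button sends the browser to a plain-http URL) is the kind of thing a site owner can catch in a build or monitoring check. The following is an added example, not part of the bug report or of Mozilla's code: it parses a page's anchors, resolves each href against the page URL, and reports every link that would leave https for http. The sample markup is constructed for the example and is not the real mozilla.org page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect (link text, href) pairs from the anchors on a page."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_downgraded_links(page_url, html):
    """Return (text, absolute URL) for every link on an https page whose
    target is plain http. Relative hrefs are resolved against page_url, so
    scheme-relative links ("//host/...") inherit https and are not flagged."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has nothing to downgrade from
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, target)
            for text, href in collector.links
            for target in [urljoin(page_url, href)]
            if urlsplit(target).scheme == "http"]


# Constructed sample page modelled on the report: an https page whose
# download button points at plain http (not the real mozilla.org markup;
# the path under the CDN host is a placeholder).
SAMPLE_PAGE_URL = "https://www.mozilla.org/firefox/"
SAMPLE_HTML = """<a href="/about/">About</a>
<a href="http://download.cdn.mozilla.net/pub/firefox/EXAMPLE/Firefox.dmg">Download Firefox</a>
<a href="//www.mozilla.org/privacy/">Privacy</a>"""

if __name__ == "__main__":
    for text, url in find_downgraded_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure download link: {text!r} -> {url}")
```

Running it against the sample flags only the "Download Firefox" link; the relative and scheme-relative links resolve to https and pass.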
Group: mozilla-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE