It may be surprising, but hg.mozilla.org is still accepting plain text
connections via http://hg.mozilla.org/ and isn't redirecting them to
https://hg.mozilla.org/.

On February 1 likely around 0800 PST, all requests to http://hg.mozilla.org/
will issue an HTTP 301 Moved Permanently redirect to https://hg.mozilla.org/.

If anything breaks as a result of this change, the general opinion is it
deserves to break because it isn't using secure communications and is
possibly a security vulnerability. Therefore, unless this change causes
widespread carnage, it is unlikely to be rolled back.

Please note that a lot of 3rd parties query random content on hg.mozilla.org.
For example, Curl's widespread mk-ca-bundle.pl script for bootstrapping the
trusted CA bundle queried http://hg.mozilla.org/ until recently [1]. So it
is likely this change may break random things outside of Mozilla. Again,
anything not using https://hg.mozilla.org/ should probably be treated as a
security vulnerability and fixed ASAP.

For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
/usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org still
supports [marginally secure compared to TLS 1.1+] TLS 1.0 connections and
will continue to do so for the foreseeable future.

This change is tracked in bug 450645. Please subscribe to stay in the loop
regarding future changes, such as removing support for TLS 1.0 and not
accepting plain text http://hg.mozilla.org/ connections at all.

Please send comments to bug 450645 or reply to
dev-version-cont...@lists.mozilla.org.

[1] https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
[2] https://github.com/Homebrew/homebrew-core/issues/3541
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
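
Added example, not part of the original announcement and not Mozilla tooling: a small auditor that finds hard-coded http://hg.mozilla.org/ references in scripts and hgrc files and shows the https replacement. A client that only follows the 301 still sends its first request in plain text, so the stored URL itself has to change. The sample input and all function names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Scheme and host are case-insensitive; an explicit :80 is allowed. The host
# must end at a delimiter, so look-alikes (hg.mozilla.org.example) and other
# ports (:8080) are left alone.
PLAIN_HG = re.compile(r"http://hg\.mozilla\.org(?::80)?(?=[/\s\"'<>)\]]|$)", re.IGNORECASE)
HTTPS_HG = "https://hg.mozilla.org"

def upgrade_line(line):
    """Return (new_line, count) with plain-text hg.mozilla.org URLs moved to https."""
    return PLAIN_HG.subn(HTTPS_HG, line)

def scan_text(text):
    """Return [(line_number, original, upgraded)] for lines that need changing."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        upgraded, count = upgrade_line(line)
        if count:
            findings.append((number, line, upgraded))
    return findings

def scan_tree(root):
    """Yield (path, line_number, original, upgraded) for every text file under root."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        for number, old, new in scan_text(text):
            yield path, number, old, new

# Constructed sample: an hgrc [paths] section plus two script-style lines.
SAMPLE = """\
[paths]
default = http://hg.mozilla.org/mozilla-central
mirror = https://hg.mozilla.org/mozilla-central
url="HTTP://hg.mozilla.org:80/releases/"
other = http://hg.mozilla.org.example/x
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = [(str(p), n, o, u) for p, n, o, u in scan_tree(sys.argv[1])]
    else:
        hits = [("<sample>", n, o, u) for n, o, u in scan_text(SAMPLE)]
    for name, number, old, new in hits:
        print(f"{name}:{number}\n  - {old.strip()}\n  + {new.strip()}")
    sys.exit(1 if hits else 0)
```

Run with a directory argument to audit a checkout; the non-zero exit status on any finding makes it usable as a CI gate.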