The officially official Devuan Forum!

#1 2023-09-17 09:58:35

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Devuan repository with insecure connection? Can't be ...

Hello:

Just a heads up, not sure I understand exactly what is happening.

Updated FF 102.15.1esr-1~deb10u1 over 102.15.0esr-1~deb10u1.

Then, having seen a post on SLiM I went to check on the last package information. Wanted to read the change log for my all time favourite log-in manager.

Clicked on the package file and got this warning from FF:

File not downloaded. Potential security risk.
The file uses an insecure connection. It may be corrupted blah, blah, blah ...

What's going on?

Note: does not happen with the latest Pale Moon 32.4.0.1

Thanks in advance.

Best,

A.

Last edited by Altoid (2023-09-17 19:14:07)

Offline

#2 2023-09-17 10:59:57

pcalvert
Member
Registered: 2017-05-15
Posts: 199  

Re: Devuan repository with insecure connection? Can't be ...

Altoid wrote:

What's going on?

The download link uses "http" instead of "https".

Go ahead and download it, but be sure to check the package before installing it.

Like so:

sha256sum file-name.deb

Then compare the output with the published value listed on the web page for that package. The values should match.


Offline
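
The check described in the post above, as an added example that is not part of the original thread: it compares a file fetched over plain HTTP against a published SHA-256 value using the checksum-line input that `sha256sum -c` expects, and rejects a malformed published value instead of comparing it. The function name `verify_sha256` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). verify_sha256 is a hypothetical helper.
# Usage: verify_sha256 FILE PUBLISHED_HASH
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    published=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Normalise the value copied from the web page: drop whitespace, lowercase.
    expected=$(printf '%s' "$published" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex digits; refuse anything else.
    case $expected in
        *[!0-9a-f]*) echo "published value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "published value is not 64 digits" >&2; return 2; }

    # sha256sum -c reads "<hash>  <file>" lines, so build one and pass it on stdin.
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
}

# Constructed demo: a stand-in file, not a real package.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a .deb\n' > "$demo_dir/sample.deb"
good=$(sha256sum "$demo_dir/sample.deb" | cut -d' ' -f1)

verify_sha256 "$demo_dir/sample.deb" "$good" && echo "OK: matches published value"

printf 'x' >> "$demo_dir/sample.deb"    # simulate corruption in transit
verify_sha256 "$demo_dir/sample.deb" "$good" || echo "MISMATCH: do not install"

rm -rf "$demo_dir"
```
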

#3 2023-09-17 11:40:04

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Re: Devuan repository with insecure connection? Can't be ...

Hello:

Thanks for the prompt reply.

pcalvert wrote:

... link uses "http" instead of "https".

Yes, I had read something here about that some time ago.

pcalvert wrote:

... be sure to check the package ...

Always do that to make sure any package is downloaded intact.
But as my installations/updates/upgrades all go through apt, I'd never seen this before.

I have inherent trust in Devuan repositories, what I do not trust is my sometimes flaky ADSL.  8^/

What called my attention is that this seems to be a FF thing as Pale Moon does not issue a warning.

Best,

A.

Offline

#4 2023-09-17 12:11:56

rolfie
Member
Registered: 2017-11-25
Posts: 1,114  

Re: Devuan repository with insecure connection? Can't be ...

Check FF options: if the "only https" option is selected that would explain the FF message.

Online

#5 2023-09-17 12:40:28

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Re: Devuan repository with insecure connection? Can't be ...

Hello:

rolfie wrote:

Check FF options: if the "only https" option is selected ...

No, it is not selected.
I never set it up that way.

about:preferences#privacy
Don’t enable HTTPS-Only Mode        -> false

Thanks for your input.

Best,

A.

Offline

#6 2023-09-17 13:14:58

rolfie
Member
Registered: 2017-11-25
Posts: 1,114  

Re: Devuan repository with insecure connection? Can't be ...

Read that entry carefully: I think it means HTTPS-Only mode IS enabled.

Online

#7 2023-09-17 13:33:04

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Re: Devuan repository with insecure connection? Can't be ...

Hello:

rolfie wrote:

Read that entry carefully: I think it means ...

Indeed ...
Makes me wonder why it would be worded in that rather confusing manner.
Wouldn't it have been much better (especially for idiots like myself) to do it like this:

about:preferences#privacy
Enable HTTPS-Only Mode        -> false

ie: no double negatives

But that is in the about:preferences page.

The UI does not have True or False (boolean) options.
It just has a circle, like box to tick but round.

Like this:

O   Don’t enable HTTPS-Only Mode  

So ...

If I don't tick the circle, it does/should not set the option Don’t enable HTTPS-Only Mode
If I do tick the circle, it does/should set the option Don’t enable HTTPS-Only Mode

Seems there's something amiss (?).

Thanks for your input.

Best,

A.

Last edited by Altoid (2023-09-17 13:43:44)

Offline

#8 2023-09-17 14:03:04

boughtonp
Member
From: UK
Registered: 2023-01-19
Posts: 212  

Re: Devuan repository with insecure connection? Can't be ...

A quick search reveals the main setting is (should be) a three option radio group, looking something like this:
https://assets-prod.sumo.prod.webservic … a011a8.png

The documentation also shows how to configure the per-site setting, which has an explicit On/Off drop-down:
//support.mozilla.org/en-US/kb/https-only-prefs#firefox:linux:fx102

Last edited by boughtonp (2023-09-17 14:03:23)


Offline

#9 2023-09-17 15:02:39

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Re: Devuan repository with insecure connection? Can't be ...

Hello:

boughtonp wrote:

... main setting is (should be) a three option radio group, looking ...

Yes.
That is exactly what I have and how I have it set.
As I understand it (with no per-site exceptions enabled) when you check that option ie: the one I have set, FF should not be enabling HTTPS-Only Mode.

But apparently it does.

So, my guess (?) is that something is amiss but then I may not have had enough espresso yet.
Thanks for your input.

Best,

A.

Offline

#10 2023-09-17 16:10:01

boughtonp
Member
From: UK
Registered: 2023-01-19
Posts: 212  

Re: Devuan repository with insecure connection? Can't be ...

about:preferences is a user-friendly front-end, for the real settings, check about:config and/or the prefs.js file in the profile directory (which gets updated when you exit the browser).

Also check whether there's any "safebrowsing" crap that's blocking it?


Offline

#11 2023-09-17 19:05:33

Altoid
Member
Registered: 2017-05-07
Posts: 1,503  

Re: Devuan repository with insecure connection? Can't be ...

Hello:

boughtonp wrote:

about:preferences is a user-friendly front-end ...

Yes and the settings there should be properly reflected in about:config.
It is actively discouraged by FF to go there, soon we won't be able to tweak anything.

Independently of the fact that not everyone fiddles around with about:config, dom.security.https_only_mode is set to false.

I have FF 91.9.1 esr installed on my 1000HE and it works properly. ie: with the option Don’t enable HTTPS-Only set as I have done for the longest while.

boughtonp wrote:

... check whether there's any "safebrowsing" crap ...

No.
Besides, I cannot recall this happening with the previous version. ie: 102.15.0esr-1~deb10u1

EDIT:

It seems that it is an issue with FF.

And from the looks of it, it won't be looked at by Mozilla or fixed any time soon.
At least, the thread seems to suggest that the solution is that you employ a work-around.

ie: with FF everything has to be via HTTPS and if you don't like that, file exceptions.

Yet another reason to ditch FF.

Thanks for your input.

Best,

A.

Last edited by Altoid (2023-09-17 19:16:59)

Offline
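
For the prefs.js check suggested in post #10 and the dom.security.https_only_mode pref named in post #11, an added example that is not part of the original thread: it reads the value a profile's prefs.js records for one preference, matching the name exactly so a longer pref sharing the same prefix is not mistaken for it. The function name `pref_value` and the sample file are constructed; `dom.security.https_only_mode_pbm` is the private-window counterpart of the pref discussed and is used here only to show the exact match.

```shell
#!/bin/sh
# Added example (not from the thread). pref_value is a hypothetical helper.
# Usage: pref_value PREFS_JS PREF_NAME
# Prints the recorded value, or "unset" when prefs.js holds no user-set value.
pref_value() {
    prefs_file=$1
    name=$2
    [ -r "$prefs_file" ] || { echo "cannot read: $prefs_file" >&2; return 2; }

    # Dots in the pref name must match literally, not as regex wildcards.
    pattern=$(printf '%s' "$name" | sed 's/\./\\./g')

    # Lines look like: user_pref("name", value);
    # The closing quote after the name makes this an exact-name match.
    value=$(sed -n "s/^user_pref(\"$pattern\", *\(.*\));[[:space:]]*\$/\1/p" \
        "$prefs_file" | tail -n 1)

    printf '%s\n' "${value:-unset}"
}

# Constructed sample prefs.js, not taken from any real profile.
sample=$(mktemp)
cat > "$sample" <<'EOF'
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.security.https_only_mode", true);
EOF

pref_value "$sample" dom.security.https_only_mode       # true
pref_value "$sample" dom.security.https_only_mode_pbm   # unset

rm -f "$sample"
```

Run it against the profile's prefs.js after closing the browser, since that is when the file is written.
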
