Reject filter list downloads over unencrypted HTTP

Background

Currently, it is possible to add filter lists with an http:// URL, which leaves those downloads vulnerable to man-in-the-middle attacks and other security threats.

What to change

Immediately mark the filter download as failed, without sending a request, if the URL uses the http: protocol.

Integration notes

Unencrypted HTTP downloads are no longer supported and will give an error.

The /subscriptions page lists some subscriptions with http:// URLs. We may want to change these to https:// after informing the filter list authors and helping them migrate if required.

The UI may want to validate subscription URLs (cc: @ThomasGreiner).

Hints for testers

On the options page, add a subscription with an http:// URL to a remote host. The sync should fail with an error saying "invalid URL" or something to this effect. Add a subscription with an https:// URL and see that it syncs successfully and the filters in the subscription work.

Add subscriptions with http://127.0.0.1 and http://localhost URLs (unencrypted HTTP but to localhost) and see that they still work.
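The following is an added illustration of the check this issue asks for, written here for the issue and not taken from the Adblock Plus code base. It assumes the policy described above and in the tester hints: https:// URLs are accepted, http:// URLs are rejected before any request is sent, and http:// to localhost or 127.0.0.1 is still allowed. The function names, the exact loopback hostname list and the error wording are assumptions for illustration.

```javascript
// Added example (not Adblock Plus project code): decide whether a filter list
// subscription URL may be downloaded at all. The decision is made purely from
// the URL, so a rejected subscription never causes a network request.
// The hostname list and messages below are assumptions for illustration.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);

function checkSubscriptionUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);          // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return { ok: false, reason: "invalid URL" };
  }

  if (url.protocol === "https:")
    return { ok: true, reason: null };

  if (url.protocol === "http:") {
    // url.hostname is already lower-cased by the parser, so "LOCALHOST" matches.
    // "localhost.example.com" does not match: only an exact loopback host passes.
    if (LOOPBACK_HOSTS.has(url.hostname))
      return { ok: true, reason: null };   // unencrypted, but never leaves the machine
    return { ok: false, reason: "invalid URL: unencrypted HTTP is not supported" };
  }

  return { ok: false, reason: "invalid URL: unsupported protocol " + url.protocol };
}

// Simulated sync step. fetchImpl stands in for the real downloader; it is only
// called once the URL has passed the check, so a failed sync is produced without
// ever contacting the remote host.
function downloadFilterList(rawUrl, fetchImpl) {
  const check = checkSubscriptionUrl(rawUrl);
  if (!check.ok)
    return { status: "failed", error: check.reason, requested: false, body: null };
  return { status: "ok", error: null, requested: true, body: fetchImpl(rawUrl) };
}
```

Note that the loopback exception keys on the exact hostname, not on a prefix, so a remote host whose name merely starts with "localhost" is still rejected.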

/cc @skipintro @ThomasGreiner @kzar @hfiguiere

Edited by Manish Jethani