Bug 146147 - Download in South Africa is insecure, causing authentication problems
Status: RESOLVED NOTOURBUG
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version: 7.1.8.1 release (earliest affected)
Hardware: All All
Importance: low trivial
Assignee: Not Assigned
Reported: 2021-12-09 13:57 UTC by Paddy Landau
Modified: 2021-12-15 16:23 UTC

Attachments
Screenshot showing Initial download link (325.13 KB, image/png)
2021-12-09 13:57 UTC, Paddy Landau
Screenshot showing resolved insecure link (55.44 KB, image/png)
2021-12-09 13:58 UTC, Paddy Landau

Description Paddy Landau 2021-12-09 13:57:04 UTC
Description:
When downloading LibreOffice from the website [1] in UK, the download is fine.

But when downloading in South Africa, the download link is insecure, which causes problems:

• Chrome refuses to download
• Edge permits the download after a warning
• It's necessary to check the SHA256 in case the download is compromised

This has been the case for a while, not just recently.


[1] https://www.libreoffice.org/download/download/

Steps to Reproduce:
1. Go to libreoffice.org > Download in South Africa

2. Download LibreOffice (I used Windows 64-bit, stable version)

Actual Results:
The displayed link when hovering over the Download button is secure [2] (screenshot 1), but the resolved link to download is insecure [3] (screenshot 2).

[2] https://www.libreoffice.org/donate/dl/win-x86_64/7.1.8/en-GB/LibreOffice_7.1.8_Win_x64.msi

[3] http://tdf.saix.net/libreoffice/stable/7.1.8/win/x86_64/LibreOffice_7.1.8_Win_x64.msi

Expected Results:
The resolved link should be secure via https.


Reproducible: Always


User Profile Reset: No



Additional Info:
Screenshot 1 shows the initial Download link.

Screenshot 2 shows the resolved link as actually downloaded from Edge.
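
The two checks this report implies, as an added example that is not part of the original report or of any LibreOffice tooling: flag an https-to-http downgrade in a redirect chain, and verify a download against a published SHA-256. The single-hop chain and the sample payload are constructed; only URLs [2] and [3] come from the report.

```python
import hashlib
import hmac
import io
from urllib.parse import urljoin, urlsplit


def find_downgrades(start_url, locations):
    """Resolve each Location header against the current URL and return
    (from_url, to_url) pairs where the scheme drops from https to http."""
    downgrades = []
    current = start_url
    for location in locations:
        target = urljoin(current, location)  # Location may be relative
        if urlsplit(current).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((current, target))
        current = target
    return downgrades


def sha256_matches(stream, expected_hex, chunk_size=1 << 20):
    """Hash a file-like object in chunks and compare with the published digest."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.strip().lower())


# URLs [2] and [3] from the report; the single-hop chain is constructed,
# since the report does not show any intermediate redirects.
START = "https://www.libreoffice.org/donate/dl/win-x86_64/7.1.8/en-GB/LibreOffice_7.1.8_Win_x64.msi"
LOCATIONS = ["http://tdf.saix.net/libreoffice/stable/7.1.8/win/x86_64/LibreOffice_7.1.8_Win_x64.msi"]

# Constructed stand-in for the installer bytes and its published digest.
SAMPLE_BYTES = b"constructed sample payload, not a real installer"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

if __name__ == "__main__":
    for src, dst in find_downgrades(START, LOCATIONS):
        print("downgrade:", src, "->", dst)
    print("intact:", sha256_matches(io.BytesIO(SAMPLE_BYTES), PUBLISHED_SHA256))
    print("tampered:", sha256_matches(io.BytesIO(SAMPLE_BYTES + b"!"), PUBLISHED_SHA256))
```

The hash comparison only protects the download if the published digest itself was obtained over an authenticated channel such as HTTPS, not from the same plain-http mirror.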
Comment 1 Paddy Landau 2021-12-09 13:57:58 UTC
Created attachment 176835 [details]
Screenshot showing Initial download link

Screenshot showing the initial download link (at the bottom of the screen)
Comment 2 Paddy Landau 2021-12-09 13:58:35 UTC
Created attachment 176836 [details]
Screenshot showing resolved insecure link

Screenshot showing the resolved insecure link
Comment 3 Timur 2021-12-15 15:35:58 UTC
If you need HTTPS, you can manually change the mirror.
I'll mark NotOurBug because this is not a Bugzilla issue.
It could only be Redmine, but I wouldn't even say that; some mirrors are http.

https://download.documentfoundation.org/libreoffice/stable/7.2.4/win/x86/LibreOffice_7.2.4_Win_x86.msi.mirrorlist
Comment 4 Paddy Landau 2021-12-15 16:23:39 UTC
(In reply to Timur from comment #3)
> If you need HTTPS, you can manually change the mirror.
> I'll mark NotOurBug because this is not a Bugzilla issue.
> It could only be Redmine, but I wouldn't even say that; some mirrors are http.
>
> https://download.documentfoundation.org/libreoffice/stable/7.2.4/win/x86/LibreOffice_7.2.4_Win_x86.msi.mirrorlist

@Timur — Thank you for your reply, and for the link to the mirror list.

Very few people are sufficiently technically astute to understand how to do this. It took me a while to figure out what was going on.

It is also a little worrying that the mirror in my report, saix.net, isn't even listed in the mirror list.

This reflects poorly on LibreOffice, because this is supposed to be a LibreOffice-approved list, and in today's world, nothing should be http for obvious reasons.

If this isn't directly a LibreOffice issue, whom should I report this to?