Belarusian GSM operator A1 blocks Mozilla Firefox download link

Nothing important here but an interesting fact.

Two days ago the Belarusian GSM operator A1 started to block the Mozilla Firefox download link. I mean not the Mozilla site or the download page, but the link to the binary file (an archive of binary files).
After I connected to a VPN I was able to download an update, and the direct link to the binary file also works.
And yes, people who use Mozilla Firefox not from a system repository such as the Ubuntu repository have been unable to download an update for two or more days now.
If I were paranoid, I would say that the main goal of this is to delay the Mozilla Firefox update in order to use a vulnerability.

That’s interesting—the error code MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE could be a sign of a TLS MITM attack. If possible, I would like you to get a copy of (1) the certificate chain and (2) an HTTP response from the server.

Use this command to get the certificate chain:

openssl s_client -connect download.mozilla.org:443 -showcerts

This is the certificate chain that I see:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Mozilla Corporation, CN = download.mozilla.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Mozilla Corporation, CN = download.mozilla.org
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

Use this command to ignore the certificate error and download a URL from the server:

curl -i -o test.output --insecure 'https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US'

For me, the curl command returns a redirect:

HTTP/1.1 302 Found
Cache-Control: max-age=60
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Jan 2023 22:12:24 GMT
Location: https://download-installer.cdn.mozilla.net/pub/firefox/releases/108.0.2/linux-x86_64/en-US/firefox-108.0.2.tar.bz2
Content-Length: 137
Connection: keep-alive

<a href="https://download-installer.cdn.mozilla.net/pub/firefox/releases/108.0.2/linux-x86_64/en-US/firefox-108.0.2.tar.bz2">Found</a>.

Speaking of which, do you also get a certificate error when accessing https://download-installer.cdn.mozilla.net/ ?

download.mozilla.org isn’t tested by OONI, but if you have the OONI Probe mobile app, you can try this OONI Run link:

https://run.ooni.io/nettest?tn=web_connectivity&ta=%7B%22urls%22%3A%5B%22https%3A%2F%2Fdownload.mozilla.org%2F%3Fproduct%3Dfirefox-latest-ssl%26os%3Dlinux64%26lang%3Den-US%22%2C%22https%3A%2F%2Fdownload-installer.cdn.mozilla.net%2Fpub%2Ffirefox%2Freleases%2F108.0.2%2Flinux-x86_64%2Fen-US%2F%22%5D%7D&mv=1.2.0
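
The chain comparison requested in the reply above can be done mechanically. The following is an added example, not part of the original thread: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports where it differs from the chain posted in the reply. The function names and the intercepted sample (including its issuer name) are constructed for illustration.

```python
import re

# Chain posted in the reply above (leaf first), as (subject, issuer) pairs.
REFERENCE = [
    ("C = US, ST = California, L = Mountain View, O = Mozilla Corporation, "
     "CN = download.mozilla.org",
     "C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1"),
    ("C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1",
     "C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA"),
]

# Constructed sample: what s_client might print behind an intercepting proxy.
# The issuer name is invented for this example.
SAMPLE_INTERCEPTED = """\
Certificate chain
 0 s:CN=download.mozilla.org
   i:CN=Example Interception CA
"""

def norm(dn):
    """Collapse spacing differences between OpenSSL versions (C = US vs C=US)."""
    return re.sub(r"\s*,\s*", ", ", re.sub(r"\s*=\s*", "=", dn.strip()))

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = norm(m.group(1))
        elif subject is not None and (m := re.match(r"\s*i:(.*)", line)):
            chain.append((subject, norm(m.group(1))))
            subject = None
    return chain

def compare(observed, reference=REFERENCE):
    """List differences between an observed chain and the reference chain."""
    ref = [(norm(s), norm(i)) for s, i in reference]
    if not observed:
        return ["no certificate chain in output"]
    findings = []
    if len(observed) != len(ref):
        findings.append(f"chain length {len(observed)} != reference {len(ref)}")
    for depth, (got, want) in enumerate(zip(observed, ref)):
        if got[0] != want[0]:
            findings.append(f"depth {depth}: subject differs: {got[0]}")
        if got[1] != want[1]:
            findings.append(f"depth {depth}: issuer differs: {got[1]}")
    return findings

if __name__ == "__main__":
    for finding in compare(parse_chain(SAMPLE_INTERCEPTED)):
        print(finding)
```

Matching names alone do not rule out interception, since the pinning check is on the key rather than the name; a differing issuer, however, is direct evidence of why the pin failed.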