Firefox blocks all GitHub release downloads as deceptive
If you are using the Mozilla Firefox web browser right now to download releases hosted on the project hosting website GitHub, you will notice that you cannot do so directly anymore.
For instance, if you try to download the latest Atom editor builds, you get a warning message.
The browser displays a "deceptive site!" warning when you click on a download link and states that the site the downloads are hosted on has been reported and blocked.
Update: The issue has been resolved.
Downloads on GitHub are powered by Amazon AWS.
This web page at "site url" has been reported as a deceptive site and has been blocked based on your security preferences.
Deceptive sites are designed to trick you into doing something dangerous, like installing software, or revealing personal information, like passwords, phone numbers or credit cards.
Entering any information on this web page may result in identity theft or other fraud.
I tested this using Firefox Stable and Firefox Nightly, and both browsers showed the "deceptive site" intermediary page for most -- but not all -- GitHub release downloads that I tried to download.
Source file downloads don't seem to be affected, but any other download, be it for Windows, Linux or Mac, appears to be flagged by the Firefox browser currently.
While it is theoretically possible that the whole of GitHub has been compromised, it seems highly unlikely. Firefox users may bypass the warning to continue with the download.
- When you get the "Deceptive Site" warning in Firefox, click on the "ignore this warning" link displayed in the bottom right corner of the warning page.
- This bypasses the warning page and starts the download of the selected file.
I tried the downloads in other browsers, thinking that it may be a problem with Google's Safe Browsing security feature. Chrome downloads these release files just fine, however, which means it is probably not, unless Mozilla uses a different version than Google does.
Closing Words
This is a misconfiguration most likely, and something that will probably be resolved quickly by Mozilla. It is interesting to note that this affects Mozilla's repositories on GitHub as well.
Martin, any chance you could do an article on this topic? https://metafluff.com/2017/07/21/i-am-a-tab-hoarder/
I tried to download from mentioned site (Firefox browser) and was no problem.
https://twitter.com/GitHubHelp/status/889866861801766913 They have fixed this.
Pale Moon Browser also shares the same defect. It has been happening for a few days now (possibly a week)
———————————————
Secure Connection Failed
An error occurred during a connection to github.com.
The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
(Error code: mozilla_pkix_error_key_pinning_failure)
———————————————
Disabling HPKP resolves the issue but do so at your own discretion.
Options > Security > Enable Certificate Key Pinning (HPKP)
WaterFox doesn’t have this; and it’s a superfast browser too.
uMatrix says it is a script from http://www.ghacks.net. I blocked it, no “problem prevented this page from loading” anymore.
Well, today I couldn’t access this GHacks page in Firefox. I kept getting a “problem prevented this page from loading” message, I think from AdBlock.
When I “temporarily enable all this page”, the page finally loaded. Don’t know which server or script was the problem.
I recently had similar popup banner on ghacks, after 1 day or so it went away. Maybe just False/positive on adblocker. Fun thing I disabled adblock for ghacks.
Seems to be working for me using Firefox 54 default settings. Was able to download the Atom Editor without any banner.
aws issue I bet
Useless to block most popular sites anyway. Makes no sense. GitHub is especially designed to share files and knowledge.
All downloads on Github are already blocked by NoScript on my side anyway:
“NoScript filtered a potential cross-site scripting (XSS) attempt”…
Still me: v 5.0.7.1 [XSS] Fixed bug causing false positives (thanks Georg Koppen for reporting).
Firefox v54 and Nightly are both downloading from github without issue on my end. I don’t use any of the options under “Phishing Protection”. Don’t use Google’s version of safebrowsing either. I’ve never been convinced it was worth the bandwidth, for me. But then I’ve been known to enable it for others though. ;)
The only problem I have with github recently is that damn banner “Join github today” that seems to be prone to remember that I’m not interested when I click “dismiss”.
And the problem you’re talking about may be related to safe browsing/phishing protection component – I have turned these lists off and I see no problem with accessing page.
If you’re using uBlock (or something similar like AdGuard), you can simply block the banner by right-clicking it and selecting Block Element.
Doesn’t seem to be a problem at https://github.com/pirate/sites-using-cloudflare which loads normally.
This has no releases. This affects only the releases.
@ams
I’m not upset and I enjoy Martin’s site a lot. The thing is, this is a “Google Safe Browsing” message.
So it would have happened on all the browsers I’ve mentioned above, not just FF. For journalistic completeness this should have been tested with more browsers and GSB on/off, a different headline reflecting on it.
Occasionally people report safe websites to GSB in order to grief. Whatever caused the site being flagged as bad surely is gone. I never noticed it because I don’t trust google. The wiki article sheds light on the privacy issues with GSB.
I tested this in Chrome and it did not happen. It only happened in Firefox. If it would have happened in all browsers that use Safe Browsing, I’d use a title that reflects that, but it only happened in Firefox.
I can’t understand why HK-Rapper seems upset. Has the article title already been edited, prior to my reading?
I’m saying: Martin, thanks for the article. Whatever the cause of the problem ~~ mismatched certificate, cross-site scripting, fumbled http header redirects… firefox’s handling of the situation is non-ideal. Upon encountering such a block page, I’m unsure what a user SHOULD choose to do: proceed? exit? clear browser cache and retry? restart bind9 service? attempt reaching “github” via a proxy? wait, and try again later in the day? toggle off (or on) SafeNanny and try again?
No it has not been edited.
>quote: “may be a problem with Google’s Safe Browsing”
Correct! Why the deceptive headline then if you even realize this in the foot note? I’m no Mozilla apologetic like Sören, but Firefox and Mozilla are innocent this time.
You are better than using such article names. Rather tell your visitors why any sane and privacy concerned person disables “Google Crap Browsing” in settings:
https://en.wikipedia.org/wiki/Google_Safe_Browsing
>Google Chrome, Safari, Firefox, Opera, and Vivaldi web browsers use the lists
>Safe Browsing also stores a mandatory preferences cookie on the computer[10] which the US National
>Security Agency allegedly uses to identify individual computers for purposes of exploitation.[11]
I can access the site via your link to download the latest Atom builds though. Copy to the latest one is: https://github.com/atom/atom/releases/download/v1.19.0-beta5/atom-1.19.0-beta5-delta.nupkg
Of course it’s possible that they fixed whatever was causing the problem before.