[Feature request] HTTP Digest header verification using metalink for downloads

Anthony Bryan anthonybryan at gmail.com
Fri Apr 19 21:02:03 UTC 2013

On Fri, Apr 19, 2013 at 4:19 PM, Gervase Markham <gerv at mozilla.org> wrote:
> On 19/04/13 20:54, Dave Townsend wrote:
>> You might be thinking of link fingerprinting which is similar but not
>> exactly the same as digest verification and was a previous SoC project:
>> http://www.gerv.net/security/link-fingerprints/
>> https://bugzilla.mozilla.org/show_bug.cgi?id=292481
>> https://bugzilla.mozilla.org/show_bug.cgi?id=377245
> Although it didn't go well; it hit frostiness at the IETF and IIRC Ed
> Lee turned out to be far too smart and was poached by the JS Engine team
> to work on other things ;-)
> People keep reinventing the idea, so it must have some merit...

I tried to push for Link Fingerprints among download managers but
there was no adoption. There was also a Hash microformat that was
similar with no adoption.

this on the other hand has been thoroughly vetted & published by the
IETF as an Internet Standard in RFC 3230 (just Digest/hashes) and RFC
6249 (added mirrors, signatures, etc). RFC 5843 added newer

as previously mentioned, support is in multiple download programs and
used by a decent number of sites.


On Fri, Apr 19, 2013 at 2:48 PM, Justin Dolske <dolske at mozilla.com> wrote:
> At risk of being stop-energy... One thing I'd be wary of is to make sure
> you're caught up on the history of this feature, to see if it's really
> feasible to implement. My memory is fuzzy, but istr this pops up every few
> months, and that there are a surprising number of complex issues around it.
> I presume there are existing bugs / newsgroup threads, but you'd have to
> search for them.

I think you may be thinking of something else?

The bug for Metalink as a whole (hashes, mirrors, signatures, etc
which may not all be fitting for implementation in Firefox) is

While most programs supporting Metalink are download managers and not
as complex as Firefox, I don't think it has been all that
controversial. I think the main issue is really user interface, where
download managers don't mind exposing complexity for more technical
users. that said, this can be implemented in a streamlined & automatic
way that is less confusing to users than broken downloads.

This particular feature proposal is just for whole hashes of files
supplied by the Digest HTTP header field, not for use of mirrors or
anything else.

(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads

More information about the firefox-dev mailing list