[FF#1499592] Leaks at least 1 outbound request to any attacker #5

Open
James-E-A opened this issue Aug 18, 2020 · 5 comments
Labels
bug Something isn't working Firefox-specific Only affects Mozilla Firefox and its WebExtension-using derivatives waiting on upstream Fix is blocked by browser vendors

Comments

@James-E-A
Owner

James-E-A commented Aug 18, 2020

Consider an attacker who is aware of this Add-on.

They might:

  • Allow the first request, for the root document, to go unmolested, but intercept other parallel connections and hijack the page via e.g. scripts
  • Intercept the page, steal cookies, perhaps deposit persistent threats, etc. - then refresh to an unmolested connection before the user notices
  • Do something even more creative

Remember that in The Internet, you have other, aggressive intelligences finding ways your software diverges from what you thought you wrote… everything doesn't go "as planned"; you've got to be airtight or its utility is only marginal.

@James-E-A James-E-A added enhancement New feature or request help wanted Extra attention is needed labels Aug 18, 2020
@James-E-A James-E-A pinned this issue Aug 18, 2020
@James-E-A
Owner Author

James-E-A commented Aug 18, 2020

Disturbingly, webRequest.onBeforeSendHeaders, which "is triggered before sending any HTTP data", does not provide access to the TLS certificate status... what it's currently using, webRequest.onHeadersReceived, is "Fired when the HTTP response headers for a request are received", so it can't protect against the entire outbound request going to the attacker.

TODO: try webRequest.onSendHeaders? [EDIT: no-can-do—this API “is informational only” i.e. you can't use it to stop a bad request.]

@James-E-A
Owner Author

onBeforeSendHeaders also doesn't have access to securityInfo … and the next one in line, onSendHeaders, “is informational only”—i.e. you can't use it to stop a bad request.

Alas. So, it looks like we can't make a properly-failsafe constrainer with just the APIs given us. The best we can do (for now) is "throwing the breaker" after 1 full bad connection has already been made.

Perhaps, once the rest of the functionality's implemented, Mozilla would hear out our requests for better access.
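
The "throw the breaker" fallback described in the comment above, sketched as an added example (not code from this repository). `PINNED_ROOTS`, `trippedHosts` and the function names are hypothetical, the pin-the-root policy is an assumed stand-in for the add-on's real constraint, and the fingerprint is a constructed placeholder.

```javascript
// Added illustration. PINNED_ROOTS, trippedHosts and the function names are
// hypothetical; the fingerprint is a constructed placeholder, not a real hash.
const PINNED_ROOTS = new Map([["example.com", new Set(["AA:BB:CC:DD"])]]);
const trippedHosts = new Set(); // hosts whose breaker has been thrown

// Pure policy check over a webRequest SecurityInfo object. With
// { certificateChain: true } the leaf comes first and the root last.
function chainAllowed(host, securityInfo) {
  const pins = PINNED_ROOTS.get(host);
  if (!pins) return true; // no constraint configured for this host
  if (securityInfo.state !== "secure") return false;
  const certs = securityInfo.certificates || [];
  if (certs.length === 0) return false;
  return pins.has(certs[certs.length - 1].fingerprint.sha256);
}

// onBeforeRequest: no certificate exists yet, so all that can be enforced
// here is a breaker thrown by an earlier response from the same host.
function beforeRequest(details) {
  const host = new URL(details.url).hostname;
  return trippedHosts.has(host) ? { cancel: true } : {};
}

// onHeadersReceived: the only event in which getSecurityInfo can be called.
// The request itself has already gone out over this connection.
async function headersReceived(
  details,
  getInfo = (id, opts) => browser.webRequest.getSecurityInfo(id, opts)
) {
  const host = new URL(details.url).hostname;
  const info = await getInfo(details.requestId, { certificateChain: true });
  if (chainAllowed(host, info)) return {};
  trippedHosts.add(host); // later requests now die in beforeRequest
  return { cancel: true }; // drops the response; the request was still sent
}

// Register only inside a Firefox extension (needs the webRequest and
// webRequestBlocking permissions plus host permissions).
if (typeof browser !== "undefined" && browser.webRequest) {
  const filter = { urls: ["https://*/*"] };
  browser.webRequest.onBeforeRequest.addListener(beforeRequest, filter, ["blocking"]);
  browser.webRequest.onHeadersReceived.addListener(headersReceived, filter, ["blocking"]);
}
```

The breaker state here lives in memory only, so it resets when the extension is reloaded.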

@James-E-A
Owner Author

James-E-A commented Aug 28, 2020

https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server#comment13466_8148

It's a fair assumption that (root and delegated) CAs will supply bogus certificates to their national intelligence agencies…
– Tom Hawtin, Former engineer in Java SE security for Oracle Corporation

@James-E-A James-E-A unpinned this issue Oct 5, 2020
@James-E-A
Owner Author

https://bugzilla.mozilla.org/show_bug.cgi?id=1499592

@James-E-A James-E-A added the waiting on upstream Fix is blocked by browser vendors label Nov 20, 2020
@James-E-A James-E-A changed the title expand threat model Leaks at least 1 outbound request to any attacker Nov 20, 2020
@James-E-A James-E-A added Firefox-specific Only affects Mozilla Firefox and its WebExtension-using derivatives and removed help wanted Extra attention is needed enhancement New feature or request labels Nov 20, 2020
@James-E-A
Owner Author

A mitigation, for an attacker who isn't aware of this add-on: hook onBeforeRequest to do a "preflight check".

@James-E-A James-E-A added the bug Something isn't working label Mar 8, 2021
@James-E-A James-E-A changed the title Leaks at least 1 outbound request to any attacker [FF#1499592] Leaks at least 1 outbound request to any attacker Mar 8, 2021