[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed



#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
------------------------------------------------------+---------------------
 Reporter:  Drugoy                                    |          Owner:  pde
     Type:  defect                                    |         Status:  new
 Priority:  major                                     |      Milestone:     
Component:  EFF-HTTPS Everywhere                      |        Version:     
 Keywords:  address spoofing, critical vulnerability  |         Parent:     
   Points:                                            |   Actualpoints:     
------------------------------------------------------+---------------------

Comment(by mikeperry):

 pde: One reason you might not be able to snag apple.com cookies is that
 the cookie origin checks are independent from the document.write origin
 checks. However, the ability to spoof a login page from a false https
 origin is bad enough to warrant investigation, I think. The default user
 behavior for a convincing login is to enter their password, after all.

 As far as how to solve this: to avoid wading through both NoScript and the
 corresponding XPCOM objects in C++, I motion that we first ask Giorgio if
 he has any clues as to what is going on. if Giorgio times out, I think we
 should ask Mozilla why normal redirects can't do this attack. Or perhaps
 in the reverse order..

 In either case, it seems a suspicious enough violation of same-origin
 policy to make me feel like we need not be first in line to spend deep IQ
 on this problem.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs