
[tor-bugs] #1673 [EFF-HTTPS Everywhere]: Firefox HTTP Prefetch feature leaks unencrypted site accesses, ignoring rewrite rules



#1673: Firefox HTTP Prefetch feature leaks unencrypted site accesses, ignoring
rewrite rules
----------------------------------+-----------------------------------------
 Reporter:  schoen                |       Owner:  pde
     Type:  defect                |      Status:  new
 Priority:  major                 |   Milestone:     
Component:  EFF-HTTPS Everywhere  |     Version:     
 Keywords:                        |      Parent:     
----------------------------------+-----------------------------------------
 Firefox supports a feature called HTTP Prefetch, where an HTML page can
 "hint" that a user is likely to access a particular page in the near
 future.  Firefox can (and by default does) load the relevant URL even
 before the user clicks on this.

 Google search results (in some circumstances) contain HTML code that
 requests a prefetch of the top search result.  (Google is not necessarily
 the only site that triggers this problem!)  Firefox will, by default, then
 load this page, ignoring any potentially applicable HTTPS Everywhere
 rewrite rules.  For instance, if the top search result is a Wikipedia
 page, Firefox will load that page in plaintext in the background, even
 though HTTPS Everywhere has a rule that should force the Wikipedia page
 access to be rewritten.  (Actually clicking on the link results in HTTPS
 Everywhere rewriting it, but the browser has already loaded the
 unencrypted version!)

 See
 https://mail1.eff.org/pipermail/https-everywhere/2010-July/000025.html
 for more discussion of this problem.

 See also
 https://developer.mozilla.org/en/link_prefetching_faq
 for discussion of HTTP Prefetch.  (You can turn it off entirely, but I
 don't know whether that's the right solution.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1673>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
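
An added illustration, not part of the ticket or of HTTPS Everywhere's code: a Python audit that lists the prefetch hints in a page that point at plaintext http:// URLs and shows what an applicable rewrite rule would have produced. The rule, the sample HTML and the host names are constructed stand-ins; the rel values `prefetch` and `next` are the ones described in the Mozilla link prefetching FAQ.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed, simplified stand-in for a rewrite rule (from-regex, to-template);
# not the real HTTPS Everywhere ruleset.
RULES = [(re.compile(r"^http://([a-z-]+)\.wikipedia\.org/"), r"https://\1.wikipedia.org/")]
PREFETCH_RELS = {"prefetch", "next"}  # <link rel=...> values treated as prefetch hints

# Constructed sample page, shaped like a search result page with a prefetch hint.
SAMPLE_BASE = "https://search.example/search?q=tor"
SAMPLE_HTML = """<html><head>
<link rel="prefetch" href="http://en.wikipedia.org/wiki/Tor_(anonymity_network)">
<link rel="prefetch" href="http://news.example/story">
<link rel="next" href="/search?q=tor&amp;start=10">
<link rel="stylesheet" href="http://static.example/s.css">
</head><body></body></html>"""

class PrefetchHints(HTMLParser):
    """Collect absolute URLs of <link> elements that carry a prefetch hint."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if rels & PREFETCH_RELS and a.get("href"):
            self.hints.append(urljoin(self.base_url, a["href"]))

def rewrite(url):
    """Return the HTTPS form if a rule matches, else None."""
    for pattern, target in RULES:
        if pattern.search(url):
            return pattern.sub(target, url, count=1)
    return None

def audit(html, base_url):
    """List (plaintext_prefetch_url, rewritten_url_or_None) for one page."""
    parser = PrefetchHints(base_url)
    parser.feed(html)
    return [(u, rewrite(u)) for u in parser.hints if urlsplit(u).scheme == "http"]

if __name__ == "__main__":
    for url, fixed in audit(SAMPLE_HTML, SAMPLE_BASE):
        print("plaintext prefetch:", url, "->", fixed or "no rule applies")
```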