
Re: [tor-bugs] #9196 [EFF-HTTPS Everywhere]: Postpone Firefox mixed content blocking from FF 23 -> 24 (with user notice & control)



#9196: Postpone Firefox mixed content blocking from FF 23 -> 24 (with user notice
& control)
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  lisacyao   
     Type:  defect                |         Status:  new        
 Priority:  blocker               |      Milestone:  HTTPS-E 3.3
Component:  EFF-HTTPS Everywhere  |        Version:             
 Keywords:                        |         Parent:             
   Points:                        |   Actualpoints:             
----------------------------------+-----------------------------------------

Comment(by micahlee):

 After reading some of the stuff Tanvi from Mozilla has been saying, I'm
 starting to think that temporarily disabling the mixed content blocker is
 a bad idea, even as a quick fix.

 As she said in an email:

   I don't think disabling the blocker temporarily for Firefox 23 users is
 a good idea.  There are a few reasons for this:
   * Some domains include a mix of both HTTP and HTTPS pages.  For the
 HTTPS pages (ex: login, purchase flow, etc) they may set a secure cookie.
 Their HTTP pages may have a valid cert for the HTTPS version, but they
 don't intend for their users to visit the HTTPS version.  Hence, they
 may include HTTP content on these pages.  When the users do visit the
 HTTPS version of the page, their secure cookies are protected by Mixed
 Content Blocker.  If we turn the Mixed Content Blocker off globally, then
 HTTP script can steal the secure cookies.

   Note that this is only an issue for Mixed Active Content.  If the
 content is Mixed Display, the request is an HTTP request and does not
 include the secure cookies.  The content itself (ex: an image) doesn't
 have access to the DOM and hence can't steal the secure cookie.

   * If a Firefox user decides to uninstall HTTPS Everywhere (for whatever
 reason), the setting for the Mixed Content Blocker will remain off.
 Uninstalling the add-on won't set the setting back to its default.

 So I think we need another quick mitigation instead. I wonder if we can
 fix #8774 and #8776 in the next 2 weeks before we push an update, so we
 have 1 week left over before FF23 becomes stable so that HTTPS Everywhere
 users have time to upgrade our add-on before they upgrade Firefox?

 I think this would be a more acceptable quick fix, though it will be far
 from perfect.

 We still have to deal with the Mozilla MCB firing at the wrong time bug
 (https://bugzilla.mozilla.org/show_bug.cgi?id=878890) and the fact that
 many HTTPS Everywhere rules that aren't marked platform="mixedcontent"
 still cause mixed content problems. We should automate finding and marking
 these.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9196#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
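The last paragraph of the comment asks for a way to automatically find rules that still cause mixed content problems. The scanner below is an added example, not code from the ticket, HTTPS Everywhere or Firefox: given the URL and HTML of a page after an https:// rewrite, it lists every plain-http:// subresource and classifies it using the distinction drawn in the quoted email, active content (scripts, frames, objects, stylesheets) that can reach the DOM versus display content (images, media) that cannot. Only active findings mean the blocker would break the page, which is the case where a rule would need marking. The tag table, the hostnames and the sample HTML are constructed assumptions, not Firefox's real classification logic.

```python
"""Classify mixed-content subresources on an HTTPS page.

Added example; not code from the ticket, HTTPS Everywhere or Firefox.
The tag table below is an assumption modelled on how browsers classify
mixed content, not Firefox's own source.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource, with their mixed-content
# class. <link> is decided per element, since only rel=stylesheet is active.
SUBRESOURCE = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "display",
    ("audio", "src"): "display",
    ("video", "src"): "display",
    ("source", "src"): "display",
}


class MixedContentScanner(HTMLParser):
    """Collects every http:// subresource referenced from an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []  # dicts with keys: kind, tag, url

    def handle_starttag(self, tag, attrs):
        if not self.page_is_https:
            return  # an http:// page cannot have mixed content
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            kind, attr = ("active" if "stylesheet" in rel else "display"), "href"
        elif (tag, "src") in SUBRESOURCE or (tag, "data") in SUBRESOURCE:
            attr = "data" if tag == "object" else "src"
            kind = SUBRESOURCE[(tag, attr)]
        else:
            return
        value = attrs.get(attr)
        if not value:
            return
        # Relative and protocol-relative ("//host/x") URLs inherit https from
        # the page, so only an explicit http:// scheme counts as mixed content.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append({"kind": kind, "tag": tag, "url": absolute})


def scan(page_url, html):
    """Return the list of mixed-content findings for one fetched page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per class; 'active' is what the blocker blocks."""
    return {
        "active": sum(1 for f in findings if f["kind"] == "active"),
        "display": sum(1 for f in findings if f["kind"] == "display"),
    }


def needs_mixedcontent_flag(findings):
    """True when the blocker would break the page (any active mixed content),
    i.e. the rule that rewrote it to https would need marking."""
    return any(f["kind"] == "active" for f in findings)


# Constructed sample: an account page rewritten to https whose template still
# references a few http:// resources. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://shop.example/account"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.shop.example/site.css">
<link rel="icon" href="http://static.shop.example/favicon.ico">
<script src="//cdn.shop.example/app.js"></script>
<script src="http://analytics.example.net/t.js"></script>
</head><body>
<img src="http://static.shop.example/logo.png">
<img src="/images/hero.png">
<iframe src="https://pay.shop.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in found:
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}")
    print(summarize(found), 'needs platform="mixedcontent":',
          needs_mixedcontent_flag(found))
```

On the sample page the stylesheet and the analytics script are reported as active (the blocker would strip them, so a rule rewriting this page would need the platform="mixedcontent" marker), while the favicon and logo are display-only; the protocol-relative script and the root-relative image resolve to https and are not flagged at all.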