[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #30343 [Applications/Tor Browser]: TBB Gives HTTPS Green Lock for misconfigured SSL/TLS

To: undisclosed-recipients: ;
Subject: [tor-bugs] #30343 [Applications/Tor Browser]: TBB Gives HTTPS Green Lock for misconfigured SSL/TLS
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 30 Apr 2019 13:51:07 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 30 Apr 2019 09:51:23 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#30343: TBB Gives HTTPS Green Lock for misconfigured SSL/TLS
--------------------+------------------------------------------
 Reporter:  bo0od   |          Owner:  tbb-team
     Type:  defect  |         Status:  new
 Priority:  High    |      Component:  Applications/Tor Browser
  Version:          |       Severity:  Major
 Keywords:          |  Actual Points:
Parent ID:  #30335  |         Points:
 Reviewer:          |        Sponsor:
--------------------+------------------------------------------
 I have just reported a flaw with passing a misconfigured ssl/tls
 certificate which is allowing MITM. I reported that against https-
 everywhere but they answered it that https-everywhere doesnt access ssl
 info. So maybe it is a browser level issue?

 otherwise really what is the use of green lock and https-everywhere plugin
 if a website pretend to be having ssl/tls connection while in fact its
 just fake one and MITM is possible through it ?

 SSL test:

 https://www.ssllabs.com/ssltest/analyze.html?d=zu.ac.ae

 HTTPS-Everywhere Github Ticket:

 https://github.com/EFForg/https-everywhere/issues/17851#event-2309447045

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30343>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #29613 [Core Tor/Tor]: Make relays into exits when ExitRelay is auto and IPv6Exit is 1
Next by Author: Re: [tor-bugs] #29387 [Internal Services/Tor Sysadmin Team]: Publish our puppet repository
Previous by thread: Re: [tor-bugs] #30342 [Core Tor/Tor]: 9 dephects on prob_distr.c (April 2019)
Next by thread: Re: [tor-bugs] #15125 [Obfuscation/meek]: meek-client-torbrowser does not use signals well
Index(es):
- Author
- Thread