Re: [tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain
#3748: Isolate HTTP Auth to top-level domain
------------------------------+---------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by gk):
> Georg - I noticed you strip off the WWW-Authenticate header from 3rd
> party responses. Does that serve any security purpose, or does it exist
> just to prevent 3rd parties from being able to open auth prompts?
It does serve a security purpose. If one did not do this, 3rd party sites
would be able to track users without notice, i.e. without creating an auth
prompt at all, until one isolates HTTP auth to the urlbar. The status quo
is far from perfect but was the only solution I was capable of
implementing within a short timeframe.
> I am thinking that we might want the auth prompts to show up. They would
> be evidence of a tracking attack using this mechanism. If the adversary
> doesn't get the Authenticate header they want and then sets WWW-
> Authenticate, the browser would effectively be alerting the user that the
> site is trying to track them.
We were pondering that question and, yes, it is quite appealing to show
the auth prompts. And basically you get that feature for free already if
you do not strip off the 3rd party response headers but the 3rd party
request headers (meaning: "Authorization: ..."). The thing is, getting e.g.
a 401 back from the server while there are already proper authentication
tokens in the cache makes Firefox "think" that there might be something
wrong here, and an auth prompt shows up. The big problem is to explain to
the normal user what is going on. If they just surf the web and suddenly
get an auth prompt, I bet almost nobody knows what to do here. One solution
that comes to my mind would be to somehow hook into these dialogs and show
e.g. a red warning text. While hooking into dialogs is not a problem, I
fear that it is hard to get just those we want.
> It might also help users diagnose issues in the event that this feature
> breaks some other site that requires 3rd party auth.
While I cannot imagine that one really needs this kind of authentication, I
can imagine that some people have already implemented it. And therefore,
yes, that may help debugging as well. Hence, if we solve the above problem
with transporting the issue to John Doe iff there is a 3rd party tracking
risk, then I am in favor of getting an auth prompt at any rate.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
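As an added illustration of the policies compared in the comment above, the following Node.js model (written for this page; it is not Torbutton or Tor Browser code) simulates Firefox's HTTP auth cache against a tracker that hands each visitor an id through URL-embedded Basic credentials on one site and reads it back from the cached Authorization header on another. It runs the same two-site visit under four policies: stock behaviour, stripping WWW-Authenticate from 3rd party responses (gk's status quo: no tracking, but also no prompt), stripping Authorization from 3rd party requests (the 401 arrives while credentials are cached, so the user gets a prompt), and isolating the cache to the top-level site of the urlbar domain (the ticket's goal: site B gets a cache miss and a prompt). The hosts, the visitor id, the single realm, the `Browser` and `trackerServer` names and the last-two-labels approximation of a top-level domain are all assumptions made for the example.

```javascript
// Model of HTTP auth caching and third-party header stripping.
// Constructed example for this discussion; not Torbutton/Firefox code.

// Approximate the "top-level domain" by the last two labels of the host.
// Assumption: no public-suffix list; adequate for the hosts used here.
function topLevelSite(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function basicAuth(creds) {
  return "Basic " + Buffer.from(creds).toString("base64");
}

// Tracking server (constructed): logs whatever user id arrives in
// Authorization, otherwise challenges with a fixed Basic realm.
function trackerServer(req) {
  if (req.headers.authorization) {
    const b64 = req.headers.authorization.replace(/^Basic /, "");
    const userId = Buffer.from(b64, "base64").toString("utf8").split(":")[0];
    return { status: 200, headers: {}, sawUserId: userId };
  }
  return { status: 401, headers: { "www-authenticate": 'Basic realm="track"' }, sawUserId: null };
}

class Browser {
  // policy: { isolate, stripThirdPartyChallenge, stripThirdPartyAuthorization }
  constructor(policy) {
    this.policy = policy;
    this.authCache = new Map(); // cache key -> "user:pass"
  }

  // With isolation on, the urlbar's top-level site is part of the key.
  cacheKey(firstParty, host) {
    const iso = this.policy.isolate ? topLevelSite(firstParty) : "*";
    return `${iso}|${host}`;
  }

  // Fetch a subresource on `host` from a page whose urlbar host is
  // `firstParty`. `urlCreds` models http://user:pass@host/ credentials.
  fetch(firstParty, host, urlCreds, server) {
    const thirdParty = topLevelSite(firstParty) !== topLevelSite(host);
    const key = this.cacheKey(firstParty, host);

    const send = (creds) => {
      const headers = {};
      // Policy: drop Authorization on 3rd party requests.
      if (creds && !(thirdParty && this.policy.stripThirdPartyAuthorization)) {
        headers.authorization = basicAuth(creds);
      }
      const res = server({ headers });
      // Policy: drop WWW-Authenticate from 3rd party responses.
      if (res.status === 401 && thirdParty && this.policy.stripThirdPartyChallenge) {
        delete res.headers["www-authenticate"];
      }
      return res;
    };

    let res = send(this.authCache.get(key));
    if (res.status !== 401) return { status: 200, sawUserId: res.sawUserId, prompted: false };
    if (!res.headers["www-authenticate"]) {
      // No visible challenge: plain 401 error, auth code never runs, no prompt.
      return { status: 401, sawUserId: null, prompted: false };
    }
    if (!this.authCache.has(key) && urlCreds) {
      // Challenge answered silently from URL credentials, which get cached.
      this.authCache.set(key, urlCreds);
      res = send(urlCreds);
      if (res.status !== 401) return { status: 200, sawUserId: res.sawUserId, prompted: false };
    }
    // No credentials at all, or credentials exist and the server still
    // rejected the request: Firefox asks the user (the prompt gk describes).
    return { status: 401, sawUserId: null, prompted: true };
  }
}

// Visit site A (tracker embedded with a per-visitor id in the URL), then an
// unrelated site B (tracker embedded plain). `linked` means the tracker saw
// the same id on both sites.
function runScenario(policy) {
  const browser = new Browser(policy);
  const onA = browser.fetch("www.site-a.example", "tracker.example", "visitor-42:x", trackerServer);
  const onB = browser.fetch("www.site-b.example", "tracker.example", null, trackerServer);
  return { onA, onB, linked: onA.sawUserId !== null && onA.sawUserId === onB.sawUserId };
}

const policies = {
  stock:          { isolate: false, stripThirdPartyChallenge: false, stripThirdPartyAuthorization: false },
  stripChallenge: { isolate: false, stripThirdPartyChallenge: true,  stripThirdPartyAuthorization: false },
  stripAuthz:     { isolate: false, stripThirdPartyChallenge: false, stripThirdPartyAuthorization: true },
  isolated:       { isolate: true,  stripThirdPartyChallenge: false, stripThirdPartyAuthorization: false },
};

for (const [name, policy] of Object.entries(policies)) {
  const r = runScenario(policy);
  console.log(name.padEnd(15), "linked:", r.linked, "promptOnA:", r.onA.prompted, "promptOnB:", r.onB.prompted);
}
```

Only the stock policy links the two visits. Stripping the challenge stops the tracking silently; stripping Authorization or isolating the cache stops it too, but each surfaces an auth prompt on the second site, which is exactly the user-facing signal the thread debates how to explain.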