[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

On Mon, February 23, 2009 21:40, coderman wrote:
>> Noscript has some options (Options, Advanced, HTTPS) that may help.
>> Disclaimer: I've not used these options and I don't know if it's secure.
This feature works, I haven't dumped the traffic to prove it but I've
found some (insecure) site with https login and http cookies which break
down when adding them to the https only cookies list, so, at least, the
feature does what it tells to do ;-)

> from https://www.torproject.org/torbutton/faq.html
> "Which Firefox extensions should I avoid using? ... NoScript: using
> NoScript can actually disable protections that Torbutton itself
> provides via Javascript, yet still allow malicious exit nodes to
> compromise your anonymity via the default whitelist..."
this is true if you enable javascript on http sites while using tor, as a
rogue exit node can inject the hell into your response. However, it has
been a while since NoScript added the "https only whitelist": when this
option is on it will restrict your whitelist to secure connections only.
See my older posts for more information on this stuff.

> as an aside, i found a plugin that could do everything above, but only
> if the sites themselves send you a ForceHTTPS cookie securely:
> https://crypto.stanford.edu/forcehttps/
> the design paper does a good job of explaining why this is all more
> complicated than you might think...
After pdp had the infamous incident with gmail, he wrote a similar firefox
extension to send all cookies over https only (quite drastic). It should
be on the gnucitizen site, so let's add it to the list of the extensions
also ;-)

Marco Bonetti
BT3 EeePC enhancing module: http://sid77.slackware.it/bt3/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047