[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
From: "Marco Bonetti" <marco.bonetti@xxxxxxxxxxxx>
Date: Tue, 24 Feb 2009 09:21:40 +0100 (CET)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 24 Feb 2009 03:21:58 -0500
Importance: Normal
In-reply-to: <4ef5fec60902231240h2a70b486hff4c369ff7a62e1b@xxxxxxxxxxxxxx>
References: <4ef5fec60902231119s2cccd1bcwdfb3313046b2a988@xxxxxxxxxxxxxx> <49A3072D.1070504@xxxxxxxxxxxxxxxxxxxxxx> <4ef5fec60902231240h2a70b486hff4c369ff7a62e1b@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.6

On Mon, February 23, 2009 21:40, coderman wrote:
>> Noscript has some options (Options, Advanced, HTTPS) that may help.
>> Disclaimer: I've not used these options and I don't know if it's secure.
This feature works, I haven't dumped the traffic to prove it but I've
found some (insecure) site with https login and http cookies which break
down when adding them to the https only cookies list, so, at least, the
feature does what it tells to do ;-)

> from https://www.torproject.org/torbutton/faq.html
> "Which Firefox extensions should I avoid using? ... NoScript: using
> NoScript can actually disable protections that Torbutton itself
> provides via Javascript, yet still allow malicious exit nodes to
> compromise your anonymity via the default whitelist..."
this is true if you enable javascript on http sites while using tor, as a
rogue exit node can inject the hell into your response. However, it has
been a while since NoScript added the "https only whitelist": when this
option is on it will restrict your whitelist to secure connections only.
See my older posts for more information on this stuff.

> as an aside, i found a plugin that could do everything above, but only
> if the sites themselves send you a ForceHTTPS cookie securely:
> https://crypto.stanford.edu/forcehttps/
> the design paper does a good job of explaining why this is all more
> complicated than you might think...
After pdp had the infamous incident with gmail, he wrote a similar firefox
extension to send all cookies over https only (quite drastic). It should
be on the gnucitizen site, so let's add it to the list of the extensions
also ;-)

-- 
Marco Bonetti
BT3 EeePC enhancing module: http://sid77.slackware.it/bt3/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047

References:
- Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: coderman
- Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: Arjan
- Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: coderman

Prev by Author: Re: Bittorrent
Next by Author: Re: Excluding some networks
Previous by thread: Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
Next by thread: Tor on virtual servers [was: Re: Suspended..]
Index(es):
- Author
- Thread