[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #5676 [EFF-HTTPS Everywhere]: HTTPS rewriting is bypassed if DNS root is explicitly specified



#5676: HTTPS rewriting is bypassed if DNS root is explicitly specified
----------------------------------+-----------------------------------------
 Reporter:  NYKevin               |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 If you go to a URL such as http://www.google.com./ HTTPS-Everywhere will
 *not* switch to HTTPS.  This is a legal DNS value, technically but not
 practically distinct from http://www.google.com/ and as such, it should be
 handled similarly.

 On the other hand, it is sometimes useful to have an "escape hatch" to
 disable HTTPS rewriting for just one pageload (e.g. Google's doodles don't
 show under HTTPS in my experience).  However, that hatch ought to have
 better affordances if it's to continue existing at all.  As it is, this is
 potentially a social engineering vulnerability (although I'm not sure how
 practical such a hypothetical attack might be; it would probably need to
 be targeted at a particular individual).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5676>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs