[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic



#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde     
     Type:  defect                |      Status:  accepted
 Priority:  major                 |   Milestone:          
Component:  EFF-HTTPS Everywhere  |     Version:          
 Keywords:                        |      Parent:          
----------------------------------+-----------------------------------------
Changes (by pde):

  * priority:  normal => major


Comment:

 So what can we do about this.  Here are some ideas:

 1. Ask mozilla to raise the warning prompt for images and other subsidiary
 requests.

 2. Take the replace [^/:@] with [^/].  I think that defeats dkg's attack.
 Ironically it would leave all the rules that DON'T start with a pattern
 vulnerable.  We would need to add a pattern to the front of every (www\.)?
 rule to catch a username/password :(.

 3. Use Mozilla's built in URI parsing to strip out username/password
 fields before we do URI rewriting (then add them back in, if we think
 they're ever legit?).

 4. Per rransom's suggestion, move to something like agl's proposed
 chromium syntax.  https://mail1.eff.org/pipermail/https-
 everywhere/2010-November/000545.html.  There are several downsides to
 that.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs