Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
Reporter: dkg | Owner: pde
Type: defect | Status: accepted
Priority: major | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
----------------------------------+-----------------------------------------
Changes (by pde):
* priority: normal => major
Comment:
So what can we do about this? Here are some ideas:
1. Ask mozilla to raise the warning prompt for images and other subsidiary
requests.
2. Replace [^/:@] with [^/]. I think that defeats dkg's attack.
Ironically it would leave all the rules that DON'T start with a pattern
vulnerable. We would need to add a pattern to the front of every (www\.)?
rule to catch a username/password :(.
3. Use Mozilla's built in URI parsing to strip out username/password
fields before we do URI rewriting (then add them back in, if we think
they're ever legit?).
4. Per rransom's suggestion, move to something like agl's proposed
chromium syntax:
https://mail1.eff.org/pipermail/https-everywhere/2010-November/000545.html
There are several downsides to that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs