
August 17, 2010

Don't let facts get in the way of writing

There are only two things I know about a company called Armorize: the first is that they have a nice website. The other is that they apparently employ Aditya K. Sood - a researcher I recall from BUGTRAQ and elsewhere, prominent for having a long track record of highly dubious vulnerability research. This post isn't about him or the company, though; it's about a puzzling chain of events they set in motion yesterday.

You see, yesterday, a cryptically titled post, "IFrames and URL Stringency", appeared on their official blog. I am quoting one of the key paragraphs here:

"The URL obfuscation is a big stringency in the online world. Actually, it tests the browser efficiency to dissect the behavior of crafted URL. That has to be done. The browsers have shown falsified behavior in determining the source and destination of URL's when it is obfuscated or fused with meta characters. This is dangerous from a user perspective because a victim can go to undesired destination. Well, lot of changes have been noticed in browser development with respect to that but in certain conditions, browsers still fail to find the authentic nature of URL's being rendered in the browser."

The nearly incomprehensible post reminds me of the writings of Gene Ray - but thankfully, it eventually references Mozilla bug 570658. From this bug, it quickly becomes evident that the problem is a wonderful non-issue - and this should be apparent to any layperson willing to actually try and understand the alleged flaw.

In essence, several years ago, Firefox opted to display a warning when the top-level document is navigated to URLs that happen to contain embedded HTTP authentication credentials. They did this to combat the surge of phishing attacks against non-technical audiences, using misleading URLs such as:

http://www.paypal.com@www.evil.com/

While the decision to cripple HTTP authentication is somewhat contentious, the step clearly has some merit: the more RFCs you need to read to understand the contents of the address bar, the less likely you are to get it right.

Aditya's complaint in the aforementioned bug is very simple, and boils down to the observation that Firefox employs this warning only for the top-level document - but does not apply this logic to subresources such as IFRAMEs. If you think about it for five seconds or so, it's painfully evident why: there is simply no need to do so. The URLs of these subresources are never displayed in the address bar, and therefore, there is no opportunity to confuse the user in any way. There is no reasonable attack scenario where this would matter. It's common sense, too: you don't need to be able to tell a buffer overflow from a format string vulnerability to understand why.
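As an added illustration (my code, not from the original post or from Mozilla), the Python below shows how RFC 3986 splits the authority of the phishing-style URL above - everything before the last "@" is userinfo, not the host - and emulates the policy the post describes: a warning only for top-level navigations, since only the top-level URL ever reaches the address bar. The `looks_like_hostname` heuristic is my own assumption, not Firefox's logic.

```python
import re
from urllib.parse import urlsplit


def split_authority(url):
    """Return (userinfo, host) the way a standards-compliant parser does.

    For "http://www.paypal.com@www.evil.com/" the userinfo is
    "www.paypal.com" and the real host is "www.evil.com".
    """
    parts = urlsplit(url)
    userinfo = parts.username if parts.username is not None else ""
    if parts.password is not None:
        userinfo += ":" + parts.password
    return userinfo, (parts.hostname or "")


def looks_like_hostname(userinfo):
    """Assumed heuristic: userinfo that reads like a dotted domain name is
    the pattern used to mislead non-technical readers of the address bar."""
    user = userinfo.split(":", 1)[0]
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", user, re.IGNORECASE) is not None


def should_warn(url, top_level):
    """Emulate the Firefox behaviour the post describes: warn about embedded
    credentials only when the URL is loaded as the top-level document.
    Subresources (IFRAMEs, images, scripts) are never shown in the address
    bar, so there is nothing for a user to be confused by."""
    userinfo, _host = split_authority(url)
    return bool(top_level and userinfo)


def describe(url, top_level=True):
    """Human-readable summary of what the user sees versus where they go."""
    userinfo, host = split_authority(url)
    return {
        "userinfo": userinfo,
        "real_host": host,
        "lookalike": looks_like_hostname(userinfo),
        "warn": should_warn(url, top_level),
    }


if __name__ == "__main__":
    # Constructed sample URL from the post; the top-level case is the one that warns.
    print(describe("http://www.paypal.com@www.evil.com/", top_level=True))
    print(describe("http://www.paypal.com@www.evil.com/", top_level=False))
```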

That's where the story should end. It did not:

It's nice that some of these stories eventually included a rebuttal from Mozilla. They should never have seen the light of day in the first place, though.

Are some of the editors really so dependent on PR wires that it becomes prohibitively difficult for them to verify stories on their own - or even ping a trusted researcher over IM, for that matter? I always wondered; now, I sadly think I have the answer.

4 comments:

  1. He tried to do this with reverse engineering, and pretty much got laughed out of the scene immediately. Here's a post that he made to OpenRCE that he deleted shortly thereafter: http://www.woodmann.com/forum/showthread.php?11116-Traversing-Offset-Semantics-Walking-Along-the-Curb

  2. Um, did you even read the article from The Register? It makes pretty clear that there is no threat posed.

    But hey, why let the facts get in the way of a good rant?

    Sheesh.

  3. The Register says that Mozilla developers have "eased concerns"; the fact that the article exists in the first place, and that Mozilla devs had to make a statement (which is offered side by side with the claim of the researcher, without any qualification) is silly.

    There's simply no story here. At all.

  4. I just read your post and was reminded of the time I was asked to evaluate Armorize for my employer at the time. From the results I got, it appeared that the application (offered as a service) was a glorified interface to grep.
