February 20, 2013
Firefox: HTTPS and response code 407
Today's release of Firefox 19.0 fixes an interesting bug that I reported to the vendor back in October 2012. In essence, an attacker on an untrusted network could first coerce the browser to use a rogue HTTP proxy (this can be done by leveraging the WPAD protocol); wait until the browser attempts to download an HTTPS document from an interesting site through said proxy; and then selectively respond to the appropriate CONNECT request with a plain-text message such as this:
HTTP/1.0 407 Boink
Proxy-Authenticate: basic
Connection: close
Content-Type: text/html
The browser would show the user a cryptic authentication prompt - but hitting ESC or pressing cancel would inevitably result in the proxy-supplied plain-text document being rendered in the same-origin context of the requested HTTPS site. There goes the transport security - so I guess that's an oops? :-)
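The client-side behaviour the fix restores, as an added example that is not from the post or from Firefox's own code: a minimal CONNECT client that accepts the tunnel only on a 2xx reply and turns anything else (the 407 above included) into an error while discarding the proxy's body, exercised against a constructed stand-in for the rogue proxy. The hostname example.com, the function names and the 200 reply are the example's own assumptions.

```python
import socket

class ProxyTunnelError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"proxy refused CONNECT: {status} {reason}")
        self.status = status

def _read_headers(sock):
    """Read up to the blank line that ends the proxy's response header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before headers ended")
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0].decode("latin-1")

def open_tunnel(sock, host, port):
    """Send CONNECT on a connected proxy socket; return it only on a 2xx reply.
    Any other status (407 included) raises, and whatever body the proxy sent
    is discarded: it is proxy-supplied text, not content from the HTTPS origin."""
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii"))
    status_line = _read_headers(sock).split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT status line: {status_line!r}")
    status = int(parts[1])
    if not 200 <= status < 300:
        sock.close()
        raise ProxyTunnelError(status, parts[2] if len(parts) == 3 else "")
    return sock

# Constructed stand-in for the rogue proxy: the 407 from the post plus a body.
ROGUE_407 = (b"HTTP/1.0 407 Boink\r\nProxy-Authenticate: basic\r\n"
             b"Connection: close\r\nContent-Type: text/html\r\n\r\n"
             b"<html>proxy-supplied body; must never render as the origin</html>")
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"  # assumed benign reply

def probe(response_bytes):
    """Feed a canned proxy reply to open_tunnel; return the rejected status, or 0."""
    client, proxy = socket.socketpair()
    proxy.sendall(response_bytes)      # fake proxy answers before reading CONNECT
    try:
        open_tunnel(client, "example.com", 443)
        return 0
    except ProxyTunnelError as e:
        return e.status
    finally:
        client.close(); proxy.close()
```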
I wonder if any other 4xx/5xx codes are still vulnerable. (This really shouldn't happen, see Section III.A of a 2009 paper http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf)

Huh, is this a regression? I thought someone disclosed this in Firefox a few years ago...

Nah, but it's a corner case missed back in the day.

MSR's Shuo Chen found this bug in the HTTP/4xx and HTTP/5xx handling of many browsers back in 2008 or so. It was a cross-browser problem in most major browsers.
http://research.microsoft.com/apps/pubs/default.aspx?id=79323

Yup, I actually covered that research in TTW. 307 has special handling, I suppose.

It is funny that, in Google Reader, the HTML is rendered so you see a big "Hi mom!". The script part is missing and so are the xmp tags. In the Atom feed they appear coded as entities.

Another interesting attack a proxy can do with the 407 response code is to silently grab Windows authentication data from clients. http://tehrhart.blogspot.com/2013/02/proxy-credential-theft.html