able to force addition of a certificate exception for HSTS sites by manually hacking the error page using devtools

RESOLVED INVALID
People: (Reporter: flashstudio.com.ua, Unassigned)

Tracking: 36 Branch, x86, Mac OS X
(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36

Steps to reproduce:

0. Open some sniffer (like Burp Suite) and use it as a proxy to observe security-protected content.
1. Open some site with this protection, for example Facebook: http://content.screencast.com/users/tripstation/folders/Jing/media/9433d51f-e6cb-437d-bef4-b257de226f9f/00001996.png (as you can see, you can't add an exception for this site).
2. Open some other site, but one without Strict Transport Security: http://content.screencast.com/users/tripstation/folders/Jing/media/619e862a-a3fc-4d23-9ac5-1c49ec79647f/00001995.png
3. Observe the HTML tag of the Add Exception... button, and copy its id from there ("exceptionDialogButton"): http://content.screencast.com/users/tripstation/folders/Jing/media/0bb2d5cf-be10-49fb-8bce-b38df789283f/00001997.png
4. Go back to the facebook.com page. Look at the button tag of the "Get me out of here" button and change its current id to exceptionDialogButton: http://content.screencast.com/users/tripstation/folders/Jing/media/1aa0089c-e48b-4691-a964-c83c63ada50f/00001998.png
5. Click this button, and you can see the exception dialog. After that you can save the certificate locally and import it into Firefox. So now you can observe SSL traffic well.


Actual results:

I can pass the HTTP Strict Transport Security control and observe SSL traffic.


Expected results:

Users shouldn't have the possibility of adding a protected site to the exception list.

This boils down to "able to force Firefox to save an exception for an HSTS site if you use devtools to hack the error page".

Given that it's unlikely that you'd be able to trick someone into following the steps required (editing an ID on the error page using devtools), I don't think this is a security bug.

I suppose we could prevent the addition of an exception at a lower level for HSTS sites, but that might be a bit tricky. I'm not sure it's worth bothering, so I'd probably suggest WONTFIX here.
Group: core-security
Component: Untriaged → Security
Summary: Pass HTTP Strict Transport Security control by html injection and add exception or save certificate locally → able to force addition of a certificate exception for HSTS sites by manually hacking the error page using devtools
(Reporter)

Comment 2

4 years ago
So, can I share this info with people?
This is essentially the same as bug 1092243. Note that even if an override is present, the underlying implementation ignores overrides for HSTS hosts and terminates the connection: https://hg.mozilla.org/mozilla-central/annotate/70a113676b21/security/manager/ssl/src/SSLServerCertVerification.cpp#l486 (of course, if Artem found a way in which that doesn't work, this would be a security bug).
Right, so if you import a root certificate and trust it to issue site certificates, Firefox will accept those as valid certificates (if they otherwise successfully validate).
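The two replies above describe three rules of the certificate decision: a chain that validates against a trusted root (including a root the user imported) is accepted outright, a chain that fails validation is accepted only if the user stored an exception for that host, and for an HSTS host stored exceptions are ignored and the connection is terminated. The following is an added example that models those rules; it is not Firefox's code and does not reproduce SSLServerCertVerification.cpp. The HSTS store, the trust-root set, the override set and all host names and header values are constructed for illustration.

```python
"""Model of a browser's server-certificate decision, with HSTS override
suppression. Added example; not Firefox's implementation."""
import re
import time
from dataclasses import dataclass, field


@dataclass
class HstsEntry:
    expires: float           # absolute time after which the entry lapses
    include_subdomains: bool


@dataclass
class HstsStore:
    """Known-HSTS hosts, populated from Strict-Transport-Security headers."""
    entries: dict = field(default_factory=dict)

    def process_header(self, host, header, now=None):
        """Parse an STS header (as received over a validly authenticated
        connection). Returns True if the store was updated."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if not m:
                    return False             # malformed: ignore the header
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                     # max-age is mandatory
        if max_age == 0:
            self.entries.pop(host.lower(), None)   # max-age=0 clears the host
            return True
        self.entries[host.lower()] = HstsEntry(now + max_age, include_sub)
        return True

    def is_hsts(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, is known."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def decide(host, issuer, trusted_roots, overrides, hsts, now=None):
    """Return 'accept', 'accept-override' or 'reject' for a connection to
    host whose leaf certificate chains to `issuer`. Chain validation is
    simplified to 'issuer is a trusted root'."""
    if issuer in trusted_roots:
        return "accept"                  # rule 1: valid chain needs no exception
    if hsts.is_hsts(host, now):
        return "reject"                  # rule 3: overrides ignored for HSTS hosts
    if host.lower() in overrides:
        return "accept-override"         # rule 2: stored exception honoured
    return "reject"


def demo():
    """Walk the constructed scenarios and return their outcomes."""
    now = 1_000.0
    hsts = HstsStore()
    # Constructed header as a site like the one in the report would send it.
    hsts.process_header("facebook.com", "max-age=31536000; includeSubDomains", now)
    roots = {"Real Root CA"}
    overrides = {"www.facebook.com", "example.test"}   # constructed exceptions
    return {
        # Exception stored via the edited error page: still rejected, host is HSTS.
        "hsts_host_with_exception": decide("www.facebook.com", "Proxy CA", roots, overrides, hsts, now),
        # Non-HSTS host with an exception: the override is honoured.
        "plain_host_with_exception": decide("example.test", "Proxy CA", roots, overrides, hsts, now),
        # Proxy root imported and trusted: chain validates, no exception needed.
        "hsts_host_trusted_root": decide("www.facebook.com", "Proxy CA", roots | {"Proxy CA"}, set(), hsts, now),
        # After the max-age window the host is no longer HSTS; override applies again.
        "hsts_expired": decide("www.facebook.com", "Proxy CA", roots, overrides, hsts, now + 31536001),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "hsts_host_trusted_root" case is the point of the second reply: once a root is imported and trusted, nothing about HSTS is involved, because the chain simply validates. The first case is the point of the first reply: a stored exception for an HSTS host never reaches the accept path.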
(Reporter)

Comment 6

4 years ago
So, if everything is alright and there are no bugs, can I share this with the community? I saw many questions about how to use devtools (like Burp) with HSTS sites.
Yes, I believe this works as intended - feel free to share with the community. I'm marking this RESOLVED INVALID, which is an unfortunate way of saying this is the intended behavior. Thank you for taking the time to file this bug, though.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID