Closed Bug 1221607 Opened 10 years ago Closed 10 years ago

Security: Firefox HSTS bypass via FTP protocol

Categories

(Core :: DOM: Security, defect)

41 Branch
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: 3APA3A, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38
Build ID: 20150923195647

Steps to reproduce:
1. Open mail.google.com
2. Spoof the mail.google.com IP address to 95.79.31.239 (e.g. via hosts)
3. Try to open mail.google.com; you can see the SSL certificate warning with HSTS, it cannot be bypassed by the user
4. Open ftp://mail.google.com:2121/test.html (port 2121 is not required, the default port can be used for the attack)

Actual results:
Content of the page is parsed as HTML and is shown to the user http://clip.corp.mail.ru/clip/m0/1446655570-clip-18kb-NBGtJoyUZuaz.png leading to a possible Spoofing / Phishing / SSL Strip attack

Expected results:
One of:
1. Prevent HSTS domains from being accessed over any insecure protocols, including FTP
2. Do not render content obtained over insecure protocols for HSTS domains within the browser, only allow downloading it (like with Content-Disposition: attachment in http://).
Group: firefox-core-security → core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core
HSTS is an HTTP header that applies to HTTP channels. https://tools.ietf.org/html/rfc6797 You could try spoofing using ftp:, but the point of an sslstrip attack is usually to gather cookies and there are no cookies sent over ftp. This is one of the reasons browsers these days hide the "http://" part in the address bar (note Safari hides https:// also), so that unusual use of schemes like ftp:// will stick out better.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Security: PSM → DOM: Security
Resolution: --- → INVALID
"but the point of an sslstrip attack is usually to gather cookies and there are no cookies sent over ftp" yes and no, because HSTS isn't intended to protect cookies, at least without includeSubdomains; you can request http://blablabla.example.com to bypass HSTS for example.com if includeSubdomains is not set. Cookies are protected with the "secure" flag regardless of HSTS. The main purpose of HSTS is to protect the user against interface spoofing.
The purpose of HSTS is not to protect cookies; its purpose is to protect against SSL strip. In a classic SSL strip attack all HTTP requests are caught by the attacker and proxied to https, and https:// links in the response are replaced with http:// links. The purpose is not to get a cookie from the client, but to spoof an interface and get the user's authentication information or unencrypted data he sends to the server. In this FTP attack all FTP requests are caught by the attacker and proxied to https, and the response is proxied back to the client via FTP. The client does not send cookies, but cookies can be stored and added by the proxy.
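The two points argued in the comments above (HSTS, per RFC 6797, is applied only to HTTP channels, so an ftp:// URL for a known HSTS host is never rewritten; and without includeSubDomains a subdomain is not covered) can be seen directly in a minimal policy store. The following is an added illustration, not Firefox's or SeaMonkey's code: it parses the Strict-Transport-Security header (RFC 6797 section 6.1), records policy only for responses received over HTTPS without certificate errors (section 8.1), matches hosts using the exact-match and superdomain rules (section 8.2), and rewrites http:// URLs to https:// (section 8.3). The hostnames and header values are constructed sample data, and the example assumes response headers are supplied as a dict with lower-cased keys.

```python
"""Minimal RFC 6797 HSTS policy store (added example, constructed data).

Shows why an ftp:// request to an HSTS host is out of scope, why a
subdomain is only covered when includeSubDomains is set, and why a
response delivered with a certificate error cannot install policy.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains), or None when the header is
    invalid: max-age is mandatory and no directive may appear twice.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, sep, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not sep or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-UA list of Known HSTS Hosts (host -> (expiry, includeSubDomains))."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}

    def process_response(self, url, headers, secure_transport_ok):
        """Install or refresh policy from a response (RFC 6797 section 8.1).

        Only an https:// response with a valid certificate chain may set
        policy; http:// or ftp:// responses never do. Returns True if the
        store was changed. `headers` is assumed to use lower-cased keys.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not secure_transport_ok:
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 removes the entry
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """Exact match, or superdomain match with includeSubDomains (section 8.2)."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Rewrite http:// to https:// for Known HSTS Hosts (section 8.3).

        Every other scheme, ftp:// included, is returned unchanged: the
        policy simply does not apply to it, which is the behaviour the
        bug report describes.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += ":%d" % parts.port  # explicit port 80 becomes the https default
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The check that decides the bug's outcome is the scheme test in `rewrite`: a Known HSTS Host only ever influences http:// and https:// requests, so blocking or un-rendering ftp:// content for such hosts would have to be a separate, non-HSTS policy.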