Closed
Bug 1244553
Opened 9 years ago
Closed 9 years ago
Get arround HSTS, with nagivation arrows
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: erazerbrecht, Unassigned, NeedInfo)
Details
(Whiteboard: [necko-backlog])
Attachments
(1 file)
|
345.39 KB,
image/png
|
Details |
HSTS FF BUG.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2589.0 Safari/537.36
Steps to reproduce:
I did a MITM attack.
Than I used SSLStrip for removing HTTPS.
I also used a fake DNS proxy for changing hostnames.
The tool I used was MITMf on Kali Linux 2.0
Normally sites with correct implementation HSTS shouldn't be vulnerable
NOTE: I first visited the site with HTTPS before doing my attack!
Actual results:
Like expected I received a time-out.
But when I navigate back. And then I navigate 'next/forward' I can visit the site in HTTP.
Now I'm able to sniff the traffic of the user!
Printscreen 1, shows first attemp (time-out)
Printscreen 2, shows second attemp (navigation back and forward)
Expected results:
When going and back and forward the user shouldn't still be able to visit the site.
This works corect on IE11, Chrome Canary and Edge.
So it's only FF that looks vulnerable.
NOTE:
I just saw it wasn't the last version
I can already be fixed!
But I don't have much time now.
I think it's a quite a big bug. So sorry if this already got fixed!
|
Reporter | |
Updated•9 years ago
|
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
|
||
Comment 1•9 years ago
|
||
This needs investigation with wireshark or our own networking tools. It's impossible to tell from the screenshots
[possibility 0: your site did not correctly set HSTS (can't tell from the screen shots)]
possibility 1: the site content is being loaded from the cache, and then the page is live. Does clicking a link load an insecure link or not? Would have been easier to tell if your insecure MITM'd version served different content!
possibility 2: the attempt to navigate hit an error (because HSTS) early enough in the process that we had switched the URL bar but then failed before clearing the content. You're still on the original secure HSTS page and it's just the URL bar that's incorrect. This could be tested through document.location, or loading a relative link, or other ways.
Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: HTTP
Flags: needinfo?(rlb)
Product: Firefox → Core
|
|
||
Updated•9 years ago
|
Flags: needinfo?(erazerbrecht)
|
||
Comment 2•9 years ago
|
||
I agree that we need more detail here. The timeout is *not* an indication of HSTS being applied. That would show up as an error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE.
I suspect that the browser is not getting HSTS information here. It's not impossible that there's a bug in HSTS parsing. Perhaps you could send the content of the HSTS header that the server is sending?
Flags: needinfo?(rlb)
|
||
Updated•9 years ago
|
Whiteboard: [necko-backlog]
|
||
Comment 3•9 years ago
|
||
Resolving as incomplete. Reporter, if you can provide more information as requested, please re-open.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
|
|
||
Updated•9 years ago
|
Group: network-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•