PAC FindProxyForUrl function can be used to obtain full HTTPS URLs in combination with WPAD

Status: RESOLVED DUPLICATE of bug 1255474
Product: Core
Component: Networking

Reporter: mozilla
Assignee: xeonchen
Tracking: 48 Branch
Points: ---
Firefox Tracking Flags: (Not tracked)
Whiteboard: [necko-next]

Description (Reporter, a year ago)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160729072959

Steps to reproduce:

Per http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ calling FindProxyForUrl in a malicious PAC, which can be delivered via WPAD on a network to which a malicious operator is connected, can be used to exfiltrate full HTTPS URLs that would otherwise be protected by encryption.

Following Microsoft's approach with Edge and IE11, Firefox should truncate URLs to the host portion only before passing them to FindProxyForURL, at least in the case of HTTPS.
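The host-only truncation the report asks for, written out as an added example (this is not Firefox or Mozilla code, and the names urlForPac, makeRecordingPac, dispatch and leaksSensitiveParts are assumed for the illustration). It uses the WHATWG URL class that is global in Node.js and browsers, strips everything after the host from HTTPS URLs before they reach a PAC script, and includes a check that confirms the path, query, fragment and userinfo no longer reach FindProxyForURL:

```javascript
// Added example (not Firefox/Mozilla code): truncate HTTPS URLs to
// scheme://host[:port]/ before handing them to a PAC script, and verify
// that nothing sensitive is observable from inside FindProxyForURL.

// Keep only scheme://host[:port]/ for HTTPS. Path, query, fragment and
// userinfo never reach the PAC script. Other schemes are passed unchanged,
// matching the report's "at least in the case of HTTPS" wording.
function urlForPac(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "https:") {
    // u.host keeps a non-default port (a proxy decision may depend on it);
    // u.username, u.password, u.pathname, u.search and u.hash are dropped.
    return `${u.protocol}//${u.host}/`;
  }
  return urlString;
}

// Stand-in PAC script (hypothetical, constructed for this example) that
// records the url argument it receives so we can inspect what it saw.
function makeRecordingPac() {
  const seen = [];
  function FindProxyForURL(url, host) {
    seen.push(url);
    return "DIRECT";
  }
  return { FindProxyForURL, seen };
}

// Route one URL through the PAC the way a browser would, with or without
// truncation, and return the url string the PAC script observed.
function dispatch(urlString, { truncate }) {
  const pac = makeRecordingPac();
  const host = new URL(urlString).hostname;
  pac.FindProxyForURL(truncate ? urlForPac(urlString) : urlString, host);
  return pac.seen[0];
}

// Does any part of the original URL that HTTPS is supposed to protect
// (path, query, fragment, userinfo) appear in what the PAC script saw?
function leaksSensitiveParts(urlString, observed) {
  const u = new URL(urlString);
  const userinfo = u.username
    ? `${u.username}${u.password ? ":" + u.password : ""}@`
    : "";
  const sensitive = [
    u.pathname !== "/" ? u.pathname : "",
    u.search,
    u.hash,
    userinfo,
  ].filter((s) => s.length > 0);
  return sensitive.some((s) => observed.includes(s));
}

// Constructed sample URL; bank.example is a reserved example domain.
const SAMPLE =
  "https://user:pw@bank.example:8443/accounts/12345?token=secret#tab";

console.log("PAC sees (no truncation):", dispatch(SAMPLE, { truncate: false }));
console.log("PAC sees (truncated):    ", dispatch(SAMPLE, { truncate: true }));
console.log(
  "leak after truncation:",
  leaksSensitiveParts(SAMPLE, dispatch(SAMPLE, { truncate: true })),
);
```

The caveat a deployer should expect: any PAC script that routes on the path or query of HTTPS URLs stops working once the browser truncates, which is why a switch is needed for legacy proxy configurations. Firefox later shipped this behaviour behind the network.proxy.autoconfig_url.include_path preference, which defaults to false (host only).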
Comment 1

I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Severity: normal → enhancement
Component: Untriaged → Networking
Product: Firefox → Core
Comment 2 (Reporter, a year ago)
Thanks. I've changed the severity away from 'enhancement' as this is a security risk, which I don't think warrants the lowest level of importance. There doesn't seem to be a way for me to flag the issue as security-related other than an option when I reported it, which would have marked this as private, which it isn't at this stage given it has already been reported in the tech press.
Severity: enhancement → normal
Comment 3 (Reporter, a year ago)
To be clear, the security issue is that this exposes data that should be protected by encryption, i.e. the path/query/fragment portions of HTTPS URLs.
Comment 4 (Dragana Damjanovic [:dragana])

I will mark this as necko-next.
Gary, can you take a look?
Flags: needinfo?(xeonchen)
Whiteboard: [necko-next]
Comment 5

(In reply to Dragana Damjanovic [:dragana] from comment #4)
> I will mark this as necko-next.
> Gary, can you take a look?

Sure, I'll check this later.
Assignee: nobody → xeonchen
Flags: needinfo?(xeonchen)
Comment 6

I think this is a duplicate of bug 1255474, which has the security flag.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1255474
Comment 7 (Reporter, a year ago)
It's a bit pointless for the active bug on this to be hidden from public view since this is a known issue with Firefox and already publicised. Is it possible to make the other bug visible so people can see what's going on with it?
Comment 8

(In reply to mozilla from comment #7)
> It's a bit pointless for the active bug on this to be hidden from public
> view since this is a known issue with Firefox and already publicised. Is it
> possible to make the other bug visible so people can see what's going on
> with it?

I believe this is in progress :)
The bugfix was merged here: http://hg.mozilla.org/mozilla-central/log?rev=303393%3Adf6b25262c65