Closed Bug 1291802 Opened 8 years ago Closed 8 years ago

PAC FindProxyForUrl function can be used to obtain full HTTPS URLs in combination with WPAD

Categories

(Core :: Networking, defect)

48 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1255474

People

(Reporter: mozilla, Assigned: xeonchen)

Details

(Whiteboard: [necko-next])

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160729072959

Steps to reproduce:

Per http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ calling FindProxyForUrl in a malicious PAC, which can be delivered via WPAD on a network to which a malicious operator is connected, can be used to exfiltrate full HTTPS URLs that would otherwise be protected by encryption.

Following Microsoft's approach with Edge and IE11, Firefox should truncate URLs to the host portion only before passing them to FindProxyForURL, at least in the case of HTTPS.
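The truncation described above, as an added example rather than Firefox's own code: an `https:` URL is reduced to scheme and host (port kept, credentials, path, query and fragment dropped) before a PAC script's `FindProxyForURL` ever sees it, while other schemes pass through unchanged. The `FindProxyForURL` below is a constructed stand-in that only records its arguments; `truncateUrlForPac` and `resolveProxy` are hypothetical names chosen for this example.

```javascript
// Reduce an https: URL to "https://host[:port]/" so that userinfo, path, query
// and fragment never reach the PAC script. Non-https URLs are returned as-is,
// matching the "at least in the case of HTTPS" request in the report above.
// Throws TypeError on an unparseable URL, as the WHATWG URL parser does.
function truncateUrlForPac(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") {
    return urlString;
  }
  // url.host includes a non-default port, which proxy selection may need;
  // url.username/password, pathname, search and hash are deliberately omitted.
  return `${url.protocol}//${url.host}/`;
}

// Constructed stand-in for a PAC script's entry point: it records what it was
// handed and always answers DIRECT. Not a real PAC file.
const seenByPac = [];
function FindProxyForURL(url, host) {
  seenByPac.push({ url, host });
  return "DIRECT";
}

// The caller's side (hypothetical): what the browser would do before invoking
// the PAC script, so that only the truncated form is exposed to it.
function resolveProxy(urlString) {
  const safeUrl = truncateUrlForPac(urlString);
  const host = new URL(safeUrl).hostname;
  return FindProxyForURL(safeUrl, host);
}

// Last record handed to the PAC, for inspection.
function lastSeenByPac() {
  return seenByPac[seenByPac.length - 1];
}
```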
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Severity: normal → enhancement
Component: Untriaged → Networking
Product: Firefox → Core
Thanks. I've changed the severity away from 'enhancement' as this is a security risk, which I don't think warrants the lowest level of importance. There doesn't seem to be a way for me to flag the issue as security-related other than an option when I reported it, which would have marked this as private, which it isn't at this stage given it has already been reported in the tech press.
Severity: enhancement → normal
To be clear, the security issue is that this exposes data that should be protected by encryption, i.e. the path/query/fragment portions of HTTPS URLs.
I will mark this as necko-next.
Gary, can you take a look?
Flags: needinfo?(xeonchen)
Whiteboard: [necko-next]
(In reply to Dragana Damjanovic [:dragana] from comment #4)
> I will mark this as necko-next.
> Gary, can you take a look?

Sure, I'll check this later.
Assignee: nobody → xeonchen
Flags: needinfo?(xeonchen)
I think this is a duplicate of bug 1255474, which has the security flag.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
It's a bit pointless for the active bug on this to be hidden from public view since this is a known issue with Firefox and already publicised. Is it possible to make the other bug visible so people can see what's going on with it?
(In reply to mozilla from comment #7)
> It's a bit pointless for the active bug on this to be hidden from public
> view since this is a known issue with Firefox and already publicised. Is it
> possible to make the other bug visible so people can see what's going on
> with it?

I believe this is in progress :)