Add an option to block corporate MiTM attack such as Cloudflare

RESOLVED WONTFIX

Status

enhancement
a year ago
a year ago

People

(Reporter: u608644, Unassigned)

Tracking

57 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171206182557

Steps to reproduce:

Open any HTTPS website which uses Cloudflare


Actual results:

The green padlock appears on the location bar. It shows "Secure connection".


Expected results:

The browser must warn the user because of MiTM attack.
"Technical Details" (click padlock > ">" > "More information") shows the message below, but it's hardly correct.

"It is therefore unlikely that anyone read this page"

There's a discussion on the Firefox Klar GitHub.
https://github.com/mozilla-mobile/focus-android/issues/1743
And
https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

Updated

a year ago
Severity: normal → enhancement
Component: Untriaged → Security: PSM
Product: Firefox → Core
This wouldn't be appropriate for the general population of Firefox users. Those who wish to block cloudflare can use the add-on.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
(Reporter)

Comment 2

a year ago
(In reply to David Keeler [:keeler] (use needinfo) from comment #1)
> This wouldn't be appropriate for the general population of Firefox users.

Are you saying detecting and notifying about a MITM attack is not the browser's responsibility?
If you don't care about connection security, why did you decide to mark HTTP:// as insecure in FF 59?
(Reporter)

Updated

a year ago
Flags: needinfo?(dkeeler)
Cloudflare is essentially a CDN. Characterizing it as a MITM is disingenuous.
Flags: needinfo?(dkeeler)
Comment hidden (advocacy)
Comment hidden (admin-reviewed)
(Reporter)

Comment 6

a year ago
Hey David Keeler, why did you hide my comment? You still didn't answer my questions.
An endpoint-sanctioned CDN cannot reasonably be considered a MITM attack, condescension towards our engineers and their decision-making process is not an acceptable use of Bugzilla, and this bug will stay closed as is.

If you disagree with this decision feel free to email me directly. 

Thank you.
Group: core-security
Restrict Comments: true
Group: core-security