Closed Bug 1426618 Opened 3 years ago Closed 3 years ago

Add an option to block corporated MiTM attack such as Cloudflare

Categories

(Core :: Security: PSM, enhancement)

57 Branch
enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: u608644, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171206182557

Steps to reproduce:

Open any HTTPS website which use Cloudflare


Actual results:

The green padlock appear on the location bar. It shows "Secure connection".


Expected results:

The browser must warn the user because of MiTM attack.
"Technical Details"(click padlock > ">" > "More information") is showing below message, but it's hardly correct.

"It is therefore unlikely that anyone read this page"

There's a discussion on Firefox Klar github.
https://github.com/mozilla-mobile/focus-android/issues/1743
And
https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/
Severity: normal → enhancement
Component: Untriaged → Security: PSM
Product: Firefox → Core
This wouldn't be appropriate for the general population of Firefox users. Those who wish to block cloudflare can use the add-on.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
(In reply to David Keeler [:keeler] (use needinfo) from comment #1)
> This wouldn't be appropriate for the general population of Firefox users.

Are you saying detecting and notifying MITM attack is not browser's responsibility?
If you don't care about connection security, why did you decided to mark HTTP:// as insecure in FF 59?
Flags: needinfo?(dkeeler)
Cloudflare is essentially a cdn. Characterizing it as a MITM is disingenuous.
Flags: needinfo?(dkeeler)
Hey David Keeler, why did you hide my comment? You still didn't answer my questions.
An endpoint-sanctioned CDN cannot reasonably be considered a MITM attack, condescension towards our engineers and their decision-making process is not an acceptable use of Bugzilla, and this bug will stay closed as is.

If you disagree with this decision feel free to email me directly. 

Thank you.
Group: core-security
Restrict Comments: true
Group: core-security
You need to log in before you can comment on or make changes to this bug.