window.crypto.subtle functions are exposed on http (not https) web pages
Categories: Core :: DOM: Web Crypto, defect
People: Reporter: github.christian, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Steps to reproduce:
The functions window.crypto.subtle.importKey(), deriveKey(), decrypt() and encrypt() are enabled on pages using the HTTP protocol.
That means that a "man-in-the-middle" attack can be used to discover passwords or encrypted data.
On all other browsers, window.crypto.subtle functions are disabled when using the HTTP protocol.
Notice: I haven't performed tests on the other crypto.subtle functions, but I suppose that it's the same problem.
Actual results:
window.crypto.subtle functions are working on http pages
Expected results:
window.crypto.subtle functions must be disabled on http pages
Comment 1 • 5 years ago
Looking at bug 1333140, it seems like this is probably intentional, but it is an area where we are not matching the spec, so I'm not sure it is a security issue per se, though as you mention it means a crypto method can be used on an insecure page.
Comment 2 • 5 years ago
I don't believe this is a security problem per se, either. These functions are not given access to any data encrypted by the browser itself. They are [SecureContext] so insecure pages won't pretend to be doing secure crypto (which they can't because they can be MITMed).
I suspect we should just open it up and dup it to bug 1333140, which we should actually land.
That said, I assume JC or Dana should make the call on this one, but looks like Dana currently has needinfo requests blocked.
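An added example (not code from the Bugzilla report, from Firefox, or from any commenter) showing what the report and Comment 2 are about: the importKey -> deriveKey -> encrypt sequence the reporter named, gated on window.isSecureContext rather than on the mere presence of crypto.subtle, since the report shows that a browser may expose crypto.subtle on an http:// page even though the spec marks it [SecureContext]. The `env` objects are constructed stand-ins for `window`; the round trip only runs where a real Web Crypto implementation exists (a browser, or Node 19+ which exposes globalThis.crypto).

```javascript
// Added example: refuse to use SubtleCrypto outside a secure context.
// `env` mirrors the browser `window` (isSecureContext, crypto); it is passed
// in so the decision can be exercised with constructed objects.
function webCryptoUsable(env) {
  const secure = env.isSecureContext === true;
  const present = Boolean(env.crypto && env.crypto.subtle);
  if (!secure && present) {
    // The situation the report describes: the API is there, but the page
    // can be MITMed, so anything "encrypted" here protects nothing.
    return { ok: false, reason: "crypto.subtle exposed on an insecure context; refusing to use it" };
  }
  if (!secure) {
    return { ok: false, reason: "insecure context: SubtleCrypto unavailable" };
  }
  if (!present) {
    return { ok: false, reason: "secure context but no SubtleCrypto implementation" };
  }
  return { ok: true, reason: "secure context with SubtleCrypto" };
}

// importKey -> deriveKey: turn a password into an AES-GCM key via PBKDF2.
// `wc` is a Web Crypto object (has .subtle and .getRandomValues).
async function deriveAesKey(wc, password, salt, usages) {
  const raw = new TextEncoder().encode(password);
  const baseKey = await wc.subtle.importKey("raw", raw, "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
    baseKey,
    { name: "AES-GCM", length: 256 },
    false,
    usages,
  );
}

// encrypt: fresh random salt and IV per message; returns Uint8Arrays.
async function encryptWithPassword(wc, password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveAesKey(wc, password, salt, ["encrypt"]);
  const data = new TextEncoder().encode(plaintext);
  const ciphertext = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
  return { salt, iv, ciphertext };
}

// decrypt: AES-GCM verifies the tag, so a tampered ciphertext rejects.
async function decryptWithPassword(wc, password, { salt, iv, ciphertext }) {
  const key = await deriveAesKey(wc, password, salt, ["decrypt"]);
  const plain = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
  return new TextDecoder().decode(plain);
}

// Constructed environments standing in for window on an http:// and an https:// page.
const insecurePage = { isSecureContext: false, crypto: { subtle: {} } }; // what the report describes
const securePage = { isSecureContext: true, crypto: globalThis.crypto };
console.log("http page:", webCryptoUsable(insecurePage).reason);
console.log("https page:", webCryptoUsable(securePage).reason);

// Round trip only where a real implementation is present; skipped elsewhere.
if (webCryptoUsable(securePage).ok) {
  encryptWithPassword(globalThis.crypto, "correct horse", "session token 123")
    .then((box) => decryptWithPassword(globalThis.crypto, "correct horse", box))
    .then((text) => console.log("round trip:", text))
    .catch((err) => console.error("round trip failed:", err.message));
}
```

The point of checking isSecureContext first is that feature detection on crypto.subtle alone would, on the Firefox build in the report, happily derive keys on a plain-HTTP page where the password and derived material are already exposed to anyone on the path.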
Comment 3 • 5 years ago
Oh, and this has nothing to do with PSM...
Comment 4 • 5 years ago
Yeah, looks like bug 1333140.