Closed
Bug 162582
Opened 22 years ago
Closed 22 years ago
need to hide some URLs from about:cache
Categories
(Core :: Networking: Cache, defect, P2)
Core
Networking: Cache
Tracking
()
VERIFIED
WONTFIX
mozilla1.3alpha
People
(Reporter: darin.moz, Assigned: gordon)
References
()
Details
this bug results from the cache security review...
there are probably some URL strings that we should hide from about:cache. for
example, global history hides certain URL strings because they may contain
sensitive data. global history is obviously a much more visible way of looking
at visited URLs, but an attacker with physical access to a user's machine could
just as easily load about:cache to see all visited URLs, including those hidden
from global history.
also along these lines, we might want to hide password data encoded in URL
strings used as cache keys.
Reporter | ||
Comment 1•22 years ago
|
||
see bug 102043 for details on the URLs global history hides.
I think this bug should be public. It relies on physical access to the machine,
so it's not really exploitable. Also, anyone who's reasonably savvy and has
physical access can just get a copy of the cache files themselves and totally
bypass our access control (unless we decide to encrypt the cache using the
wallet master password, or something like that). So keeping this bug secret
isn't really protecting anyone from anything.
Whiteboard: [sg:publish]
Reporter | ||
Comment 3•22 years ago
|
||
roc: we were blocked at one point by some major sites because we would expose
certain URLs via global history (in particular URLs that result in a redirect).
that bug was fairly bogus and was really a problem with the sites. they should
not be storing sensitive data in URLs! but, since we can't "fix the world"
we've had to deal with this sort of stuff.
so, while i totally agree with your assessment, i think we should be careful
before we open this up.
cc'ing arun for his take since he was involved with the global history issue
from the evangelism side. arun: do you think we'd get the same sort of reaction
from exposing these URLs via about:cache?
Comment 4•22 years ago
|
||
It requires physical access to the machine --OR-- taking advantage of a second
security flaw that allows local file reading. And we just happen to have one of
those at the moment.
Comment 5•22 years ago
|
||
Darin, could you please set a target milestone for a fix? Let's get this fixed
before we make it public, to avoid any more evangelism hassles.
Whiteboard: [sg:publish]
Reporter | ||
Comment 6•22 years ago
|
||
i'd really like to know how important it is to fix this before we try to fix it.
it is very useful to be able to see cache information for redirects and the
like, so fixing this would hurt usability for developer types. it would start
appearing as though we don't cache redirects when we clearly do.
should about:cache be an add-on instead of a built-in feature?
i'd almost like to WONTFIX this bug, unless evangelism can argue that it will be
regarded as a problem.
Dare I say hidden pref? Since we are not sure what the reaction would be from
certain website maintainers, and know that our developers would like to see
them, how about hiding them by default but showing them if this pref is set?
Comment 8•22 years ago
|
||
Hidden pref sounds fine to me. We could even keep it off by default, with the
option of turning it on if some stone-throwing site were to call us on it.
Reporter | ||
Comment 9•22 years ago
|
||
ok, a hidden pref sounds fine to me, but we might need help from the cache
service for this... or maybe we can just invent a meta data tag ("hidden: true").
gordon: what are your thoughts on this?
Reporter | ||
Comment 10•22 years ago
|
||
mitch: please let me know if mozilla 1.3 alpha is not soon enough. do we want
this fixed on the 1.0 branch?
Assignee | ||
Comment 11•22 years ago
|
||
I'd rather add a flag to nsCacheEntry. It looks like we still have 15 bits left
in mFlags. It might take less space than a metadata tag, depending on the
percentage of entries thus flagged.
I can take this bug.
Assignee: darin → gordon
Status: ASSIGNED → NEW
Priority: -- → P2
Comment 12•22 years ago
|
||
OK, it's hard for me to predict the existence of stone-throwing sites, but I
still think we should do the fix (also cc'ing bclary for a second opinion). It
is fair to note that "about:cache" and other "about:" URLs have traditionally
been an NS/Mozilla thing which major sites don't know about/don't care about.
As Darin mentioned, the fact that our history contained redirect URLs that were
"sensitive" became an escalation between a well-known site and Mozilla
browser(s). dveditz mentions that we're prone to an attack by some secondary
flaw allowing third parties to access local files. Darin, if you recall, it was
in fact the worry about an attack that exposes global history (for sensitive
302'd data) to third parties that caused the initial flare up way back when!
Can someone explain why we *should NOT* do a fix that prevents sensitive URLs
from being in about:cache? What can this fix hurt (other than time loss by a
developer)? Isn't "about:cache" typically used as a diagnostic by developers
anyway? If they wanted to see senstive URLs, they can toggle the pref. to see
them. My vote: let's have a pref, but keep it ON by default, so sensitive URLs
are NOT shown in about:cache by default. Developers who want to see what's
going on in cache at all levels can turn it off and then tinker away.
Reporter | ||
Comment 13•22 years ago
|
||
agreed.
Comment 14•22 years ago
|
||
How are we meant to know what is 'sensitive'? (I presume we're talking https,
since http requests are subject to interception/logging by a proxy server/etc)
"we might want to hide password data encoded in URL strings used as cache key."
is the closest anyone has come to a spec for this. Are you refering to <input
type="password"> stuff?
Are you planing to do with via some sort of 'sensitive-param: Foo' cache
attribute which the form submission code sets, and about:cache reads, replacing
the value for any params listed with XXXXX? That feels ugly to me. The fact that
we're talking about adding a hidden pref to turn this off doesn't fill me with
joy either :)
Can't we introduce people who care about this to the HTTP POST method? Thats
(partly) what its there for:
Authors of services which use the HTTP protocol SHOULD NOT use GET
based forms for the submission of sensitive data, because this will
cause this data to be encoded in the Request-URI. Many existing
servers, proxies, and user agents will log the request URI in some
place where it might be visible to third parties. Servers can use
POST-based form submission instead
(RFC2616, 15.1.3/3, under "Encoding Sensitive Information in URI's")
POST doesn't have any backwards compatabilty concerns, and it fixes this
'problem' in all clients, too.
Re comment #4, anyone who can read about:cache + the local file system can get
at the cache index file anyway, and read data that way - the cache path is given
in about:cache, and thats a subdirectory of the salted profile path for almost
everyone (see bug 162585). It is a fair bit more work, though, and not
necessarily possible for any exploits (since you couldn't use DOM stuff on the
binary index file, I suspect)
The site that gave us hard time last time knew about POST, but they had built on
GET and changing it would be a massive investment they did not want to take at
that point. Evangelising POST in an early enough phase could help, but we rarely
have that luxury.
Comment 16•22 years ago
|
||
in the case of the site we were previous block from, it was also as a result of
a 302 redirect.. so I don't know how/if we cache redirects, but we should hide
those (as we hide them from global history)
Reporter | ||
Comment 17•22 years ago
|
||
alec: yeah, those are the URLs in question here. (we cache _all_ redirects for
the purposes of offline browsing.)
Comment 18•22 years ago
|
||
Tree closes for 1.3alpha next Tuesday - can we get a patch by then?
Comment 19•22 years ago
|
||
Wontfix - we're going to propose removing about:cache from standard builds, in
another bug
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Comment 20•21 years ago
|
||
adding benc@netscape.com to CC list
You need to log in
before you can comment on or make changes to this bug.
Description
•