Closed Bug 1660945 Opened 4 years ago Closed 4 years ago

HTTPS-Only Mode background HTTP requests reveal sensitive info

Categories

(Core :: DOM: Security, defect, P2)

Firefox 81
defect

Tracking


RESOLVED FIXED
82 Branch
Tracking Status
firefox82 --- fixed

People

(Reporter: remtanmajitenshi, Assigned: ckerschb)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

Attached image wireshark.png

Bug 1642387 added background HTTP requests to avoid long timeouts when the server doesn't respond. But those HTTP requests contain the path to the page, which can be sensitive, making HTTPS-Only Mode less reliable from a privacy perspective. An attacker can passively look at those requests even if the user doesn't press "Accept the risk and continue", or probably actively filter the HTTPS response from the server in order to see the sensitive path in those background requests.

Steps to reproduce:

  1. Enable dom.security.https_only_mode in Nightly
  2. Enable capturing in wireshark
  3. Try to open http://moonlander.seb.ly/sensitive_path
  4. Look at wireshark log

Can't those background HTTP requests be targeted at the bare domain without a path? On top of that, maybe those background requests should be controlled via a pref in about:config? Or is the current state considered normal for this feature? The "Encrypt All Sites Eligible" mode in the HTTPS Everywhere extension by EFF seems not to do any HTTP requests before the user's action.

Also, I can't test this and I'm not sure, but is the ESNI case affected by this or not? Because if it is affected, then Firefox should behave differently when it detects ESNI support for a domain at the DNS lookup stage, not doing any background HTTP request even to the bare domain without a path, so as not to leak the domain in this case.

Yes, that is a fair point and I think in the majority of (if not all) cases sending the request to the bare domain should work. Personally I would like to avoid additional preferences, but I understand that in some cases people would rather experience the timeout than leak information. I'll discuss that with folks in the internal meeting.
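To make the leak and the agreed fix concrete, here is an added example written for this page; it is not Firefox code and does not reflect the actual patch. It models the two policies for the HTTPS-Only Mode background HTTP probe: the pre-fix behaviour, where the probe re-requests the full URL over plain HTTP (so a passive observer sees the path, as in the Wireshark capture in comment 0), and the post-fix behaviour, where the probe goes only to the top-level origin and only when a pref is on. The function names and the `backgroundRequestsEnabled` flag are my own; the real about:config pref name is not stated on this page.

```javascript
// Added example (not Firefox code): two policies for the HTTPS-Only Mode
// background HTTP request, before and after the fix discussed in this bug.
// Uses the WHATWG URL API available in browsers and Node.

// Pre-fix behaviour: the probe re-requests the same URL over plain HTTP.
// Path and query survive, so they travel in cleartext on the wire.
function leakyProbeTarget(pageUrl) {
  const u = new URL(pageUrl);
  u.protocol = "http:";
  u.hash = ""; // fragments are never sent to the server anyway
  return u.href; // still carries path and query
}

// Post-fix behaviour: probe only the top-level origin ("/"), and only when
// the (hypothetically named) pref is set. Userinfo, path, query and fragment
// are all dropped; only scheme, host and non-default port remain.
function fixedProbeTarget(pageUrl, prefs) {
  if (!prefs.backgroundRequestsEnabled) {
    return null; // pref off: accept the timeout, send nothing
  }
  const u = new URL(pageUrl);
  return `http://${u.host}/`;
}

// What a passive network observer learns from the probe beyond the host:
// the path and query string, if any.
function leakedPath(probeUrl) {
  if (probeUrl === null) return null;
  const u = new URL(probeUrl);
  return u.pathname + u.search;
}

// Constructed sample URLs: the one from the bug's reproduction steps, plus a
// URL with userinfo, a non-default port and a query to exercise stripping.
const SAMPLE_URLS = [
  "http://moonlander.seb.ly/sensitive_path",
  "https://alice:s3cret@example.test:8443/account/export?token=abc#top",
];

// Summarise both policies for each sample URL.
function compare(urls, prefs) {
  return urls.map((pageUrl) => {
    const leaky = leakyProbeTarget(pageUrl);
    const fixed = fixedProbeTarget(pageUrl, prefs);
    return {
      pageUrl,
      leakyProbe: leaky,
      leakedByLeaky: leakedPath(leaky),
      fixedProbe: fixed,
      leakedByFixed: leakedPath(fixed),
    };
  });
}

for (const row of compare(SAMPLE_URLS, { backgroundRequestsEnabled: true })) {
  console.log(row);
}
```

With the pref on, the fixed probe for the bug's sample URL is `http://moonlander.seb.ly/` and the only thing left for an observer is the hostname (which a plain DNS lookup or TLS SNI would reveal anyway); with the pref off, no request is sent at all. Note that the host is still disclosed by the fixed probe, which is exactly the residual concern the reporter raises for ESNI.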

Assignee: nobody → ckerschb
Severity: -- → S4
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1663396
See Also: → 1663396
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/c143b57f2a76 HTTPS-Only-Mode only send background request to top-level page without path and only if pref is set to true. r=JulianWels,Gijs
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Regressions: 1683015
