HTTPS-Only Mode background HTTP requests reveal sensitive info
Categories: Core :: DOM: Security, defect, P2

Tracking:

 | Tracking | Status
---|---|---
firefox82 | --- | fixed

People: Reporter: remtanmajitenshi, Assigned: ckerschb
References: Blocks 1 open bug, Regressed 1 open bug
Details: Whiteboard: [domsecurity-active]
Attachments: 2 files
Bug 1642387 added background HTTP requests to avoid long timeouts when the server doesn't respond. But those HTTP requests contain the path to the page, which can be sensitive, making HTTPS-Only Mode less reliable from a privacy standpoint. An attacker can passively look at those cases even if the user doesn't press "Accept the risk and continue", or probably actively filter the HTTPS response from the server to look at the sensitive path in those background requests.
Steps to reproduce:
- Enable dom.security.https_only_mode in Nightly
- Enable capturing in wireshark
- Try to open http://moonlander.seb.ly/sensitive_path
- Look at wireshark log
Can't those background HTTP requests be targeted at the bare domain without the path? On top of that, maybe those background requests should be controllable via a pref in about:config? Or is the current state considered normal for this feature? The "Encrypt All Sites Eligible" mode in the HTTPS Everywhere extension by EFF seems not to make any HTTP requests before the user's action.
Also, I can't test this and I'm not sure, but is the ESNI case affected by this or not? Because if it is, then Firefox should behave differently when it detects ESNI support for the domain at the DNS lookup stage, not making any background HTTP request even to the bare domain without a path, so as not to leak the domain in this case.
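To make the reporter's point concrete, here is an added example (not Firefox code and not from this bug): it models the background probe as a plaintext HTTP/1.1 request, shows the path leak with the URL from the steps above, and builds the bare-origin probe the report proposes. The host example.test and its URLs in the comments are constructed.

```javascript
// Added example, not Firefox code: models the HTTPS-Only Mode background probe
// as a plaintext HTTP/1.1 request and shows why the probe target must be the
// bare origin rather than the URL the user tried to open.

// Build the background-probe URL that keeps only scheme, host and port.
// Userinfo, path, query and fragment are all dropped, so nothing page-specific
// reaches the wire in cleartext.
function bareProbeUrl(attemptedUrl) {
  const u = new URL(attemptedUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('only http(s) URLs are probed');
  }
  // u.host includes the port only when it is not the scheme's default.
  return `http://${u.host}/`;
}

// Render the plaintext request the probe would send for a given URL,
// roughly what a packet capture of the background request would show.
function probeRequest(probeUrl) {
  const u = new URL(probeUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// Scan captured plaintext requests and return those whose request target
// exposes more than the bare origin (any path other than "/" or any query).
function findPathLeaks(captureText) {
  const leaks = [];
  for (const req of captureText.split(/\r?\n\r?\n/)) {
    const lines = req.trim().split(/\r?\n/);
    const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]$/.exec(lines[0] || '');
    if (!m) continue;
    const hostLine = lines.find((l) => /^host:/i.test(l));
    const host = hostLine ? hostLine.slice(5).trim() : '';
    if (m[2] !== '/') leaks.push({ host, target: m[2] });
  }
  return leaks;
}

// Before the fix the probe repeats the attempted URL, so the path leaks;
// after it, only the bare origin is contacted. Host taken from the repro steps.
const attempted = 'http://moonlander.seb.ly/sensitive_path';
const before = findPathLeaks(probeRequest(attempted));
const after = findPathLeaks(probeRequest(bareProbeUrl(attempted)));
console.log(before, after); // before lists /sensitive_path, after is empty
```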
Comment 1 (Assignee) • 4 years ago
Yes, that is a fair point, and I think in the majority (if not all) of cases sending the request to the bare domain should work. Personally I would like to avoid additional preferences, but I understand that in some cases people would rather experience the timeout than leak information. I'll discuss that with folks in the internal meeting.
Comment 2 (Assignee) • 4 years ago

Updated • 4 years ago

Comment 4 (bugherder) • 4 years ago