Closed Bug 1858892 Opened 2 years ago Closed 1 year ago

Avoid auto-upgrading DNS names that resolve to local/nat/rfc 1918 addresses to https

Categories

(Core :: DOM: Security, enhancement, P5)

Product:
Core
Component:
DOM: Security
Platform:
Desktop
All
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: Gijs, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

Visiting fritz.box with HTTPS-First enabled
203.71 KB, video/mp4
Details

things like fritz.box and router.tplink.com or similar (and local "smart home" devices with names etc.) will get upgraded by the logic from bug 1812192. Ideally we shouldn't.

Can we resolve hosts and fallback faster if the address is local?
I have a feeling that solving this with a shared opt-out list (bug 1816449) is meaningful and interesting but probably not great for the long tail.

(In reply to Frederik Braun [:freddy] from comment #1)

Can we resolve hosts and fallback faster if the address is local?
I have a feeling that solving this with a shared opt-out list (bug 1816449) is meaningful and interesting but probably not great for the long tail.

I actually wonder if the "easier" fix may for the http/https connection code that gets the DNS result to "de-upgrade" the request if the loadinfo shows it was auto-upgraded to https if the DNS result was local. How does that sound?

Flags: needinfo?(fbraun)

Not sure if we can go back and switch channel types (HTTPS<->HTTP) by the time we have finally resolved the address. Poking around, I found where we set the mPeerAddr in HTTPTransactionParent and wonder how that would be plumbed together.

Do you think you can help, Kershaw?

Flags: needinfo?(fbraun) → needinfo?(kershaw)

(In reply to Frederik Braun [:freddy] from comment #3)

Not sure if we can go back and switch channel types (HTTPS<->HTTP) by the time we have finally resolved the address. Poking around, I found where we set the mPeerAddr in HTTPTransactionParent and wonder how that would be plumbed together.

Do you think you can help, Kershaw?

In general, I'd like to avoid HTTP downgrade as much as possible.
Can we check the dnsSuffixList before doing HTTPS upgrade?
See bug 1582472, this suffix list is used to prevent local name resolutions using TRR.

Flags: needinfo?(kershaw)

I am unsure if this is even a issue, at least for HTTPS-First and schemeless HTTPS-First. For most local sites a HTTPS version won't be available, so we will instantly downgrade again. I have tested this with my router (fritz.box) and HTTPS-First enabled, and I almost instantly get to that site (see screen recording).

Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
See Also: → 1896083
Type: defect → enhancement
See Also: → 1895265

We can't easily downgrade the connection after DNS as that would require us to re-compute a lot of security header information and our heuristics should prevent this from being a persistent problem.

I'm leaning to wontfixing this, given that this has not come up as a significant issue for folks in the wild.

Severity: S3 → S4
Priority: P3 → P5
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: