warn if HTTP 302 redirects outside the current site - mitigate quantum attack

Status

RESOLVED INCOMPLETE
Reported: 5 years ago
Resolved: 3 years ago

People

(Reporter: hauser, Unassigned, NeedInfo)

Tracking

(Depends on: 1 bug)

Version: 25 Branch
Hardware: x86_64
OS: Windows 7
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Description

(Reporter) 5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

accessibility.blockautorefresh apparently does it for any redirect. But as long as it is the intended site reloading itself, this is not important from a security perspective.

Actual results:

Redirecting to a fake google.com lets a man-in-the-middle read an identifying cookie of a (via TOR?) surfing user.

Expected results:

Ghostery and NoScript add-ins may partially solve the problem, but this may well be important enough to make it part of the Firefox base offering?

This should be complemented by the possibility to restrict my cookies to only being released into https connections as per bug 543755
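The check the bug title asks for, written out as an added Python example (not Firefox code, not the reporter's, and not from any comment on this bug): given the page URL and the `Location` header of a 3xx response, it decides whether the redirect stays on the same site (a site reloading itself, which the report says is harmless), leaves the site, points at a host that embeds the original site name, or downgrades https to http. The registrable-domain logic uses a constructed three-entry stand-in for the Public Suffix List, and the look-alike test is a heuristic assumed for this example.

```python
"""Classify an HTTP redirect relative to the page that issued it.

Added example, not Firefox code: a browser or proxy could warn on the
redirects this flags instead of following every 302 silently or refusing
all of them (network.http.redirection-limit = 0, which breaks sites that
legitimately redirect to themselves).
"""
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation loads the full list). Unlisted suffixes count as one label.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: 'www.google.com' -> 'google.com', 'news.bbc.co.uk' -> 'bbc.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_redirect(current_url: str, status: int, location: str) -> dict:
    """Return the resolved target plus the signals a warning UI would use."""
    if status not in REDIRECT_STATUSES:
        raise ValueError(f"{status} is not a redirect status")
    src = urlsplit(current_url)
    # Location may be relative; resolve it against the page that sent the 3xx.
    target = urljoin(current_url, location)
    dst = urlsplit(target)
    src_host, dst_host = (src.hostname or "").lower(), (dst.hostname or "").lower()
    src_site, dst_site = registrable_domain(src_host), registrable_domain(dst_host)

    reasons = []
    if src_site != dst_site:
        reasons.append(f"leaves {src_site} for {dst_site}")
        # Assumed heuristic of this example: a foreign host that embeds the
        # original site as a run of labels (google.com.attacker.example) is
        # the "fake google.com" pattern the report describes.
        if f".{src_site}." in f".{dst_host}.":
            reasons.append("look-alike host")
    if src.scheme == "https" and dst.scheme == "http":
        # Cookies without the Secure flag would now travel in clear text.
        reasons.append("https to http downgrade")
    return {
        "target": target,
        "cross_site": src_site != dst_site,
        "lookalike": "look-alike host" in reasons,
        "downgrade": "https to http downgrade" in reasons,
        "verdict": "warn" if reasons else "follow",  # same-site reload: let it through
        "reasons": reasons,
    }


def review(current_url: str, responses):
    """Classify a sequence of (status, Location) pairs seen from one page."""
    return [classify_redirect(current_url, status, loc) for status, loc in responses]


if __name__ == "__main__":
    # Constructed sample responses, as a page on www.google.com might receive them.
    sample = [
        (302, "/accounts/login"),                           # same site: follow
        (302, "http://www.google.com/"),                    # downgrade: warn
        (302, "https://www.google.com.attacker.example/"),  # look-alike: warn
        (302, "https://www.wired.com/"),                    # plain cross-site: warn
    ]
    for r in review("https://www.google.com/search?q=x", sample):
        print(f"{r['verdict']:6} {r['target']}  {'; '.join(r['reasons'])}")
```

Only the same-site `/accounts/login` case comes back as `follow`; the other three carry a reason string a warning bar could display, which is the middle ground between following silently and the blanket refusal that comment 1's `network.http.redirection-limit` setting produces.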
Comment 1

> accessibility.blockautorefresh

If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.

Depends on: 803590

Updated

4 years ago
See Also: → bug 1150311

Comment 2

4 years ago
(In reply to O. Atsushi (Torisugari) from comment #1)
> If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.

If I do that, I get “The page isn't redirecting properly” and no information bar to allow the redirection. Example: http://mzl.la/1BAQNzf
Hi Ralf,

Are you still encountering this issue? If so, can you retry testing it in a current version of Firefox to see if it's fixed? Thanks.

Flags: needinfo?(hauser)

Closing due to lack of response from the reporter. If you feel this is a pertinent issue, please provide the requested information and reopen. Thanks!

Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE