Bug 951685 (Closed): warn if HTTP 302 redirects outside the current site - mitigate quantum attack
Opened 11 years ago; closed 9 years ago
Categories: Firefox :: Untriaged, defect
Status: RESOLVED INCOMPLETE
People: Reporter: hauser, Unassigned, NeedInfo
References: Depends on 1 open bug
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018
Steps to reproduce:
http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/
accessibility.blockautorefresh apparently does it for any redirect. But as long as it is the intended site reloading itself, this is not important from a security perspective.
Actual results:
Redirecting to a fake google.com lets a man-in-the-middle read an identifying cookie of a (via Tor?) surfing user.
Expected results:
The Ghostery and NoScript add-ons may partially solve the problem, but this may well be important enough to make it part of the Firefox base offering?
This should be complemented by the possibility to restrict my cookies to only being released into HTTPS connections, as per bug 543755.
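The check the reporter asks for, as an added example that is not part of this bug or of Firefox: a small Python audit that walks a constructed redirect chain, flags every hop whose Location header leaves the current registrable domain, flags downgrades from HTTPS to plain HTTP, and reports cookies set along the way without the Secure attribute (the bug 543755 concern). The registrable-domain helper is a deliberate approximation (last two labels) rather than a Public Suffix List lookup, and all hostnames and cookies in the sample chain are constructed.

```python
"""Added example (not Firefox code): audit an HTTP redirect chain for hops
that leave the current site, HTTPS-to-HTTP downgrades, and cookies that
lack the Secure attribute. All sample data below is constructed."""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 approximation using the last two labels.
    Assumption for the example; a real check would consult the
    Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_cross_site(current_url: str, location: str) -> bool:
    """True if a Location header (absolute or relative) points to a
    different registrable domain than the URL that issued it."""
    target = urljoin(current_url, location)
    cur_host = urlsplit(current_url).hostname or ""
    tgt_host = urlsplit(target).hostname or ""
    return registrable_domain(cur_host) != registrable_domain(tgt_host)


def cookie_lacks_secure(set_cookie: str) -> bool:
    """True if a Set-Cookie header value has no Secure attribute, i.e. the
    cookie would also be sent over plain HTTP."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


def audit_chain(start_url: str, hops):
    """hops: list of (status, headers) in the order the browser saw them.
    headers is a dict; 'Set-Cookie' maps to a list of header values.
    Returns (final_url, list_of_warning_strings)."""
    warnings = []
    url = start_url
    for status, headers in hops:
        host = urlsplit(url).hostname
        for sc in headers.get("Set-Cookie", []):
            if cookie_lacks_secure(sc):
                name = sc.split("=", 1)[0].strip()
                warnings.append(f"cookie {name!r} set at {host} without Secure")
        if status in REDIRECT_STATUSES and "Location" in headers:
            target = urljoin(url, headers["Location"])
            if is_cross_site(url, target):
                warnings.append(f"{status} redirect leaves site: {url} -> {target}")
            if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                warnings.append(f"{status} redirect downgrades to plain HTTP: {target}")
            url = target
    return url, warnings


# Constructed sample chain: an in-site redirect with a Secure cookie, then a
# 302 that sets an insecure cookie and sends the user off-site over HTTP.
SAMPLE_CHAIN = [
    (302, {"Location": "/login",
           "Set-Cookie": ["sid=abc123; Path=/; Secure; HttpOnly"]}),
    (302, {"Location": "http://tracker.example.net/",
           "Set-Cookie": ["track=xyz; Path=/"]}),
    (200, {}),
]

if __name__ == "__main__":
    final_url, warns = audit_chain("https://www.example.org/", SAMPLE_CHAIN)
    print("landed on:", final_url)
    for w in warns:
        print("WARN:", w)
```

Run as a script it prints three warnings for the sample chain: the insecure cookie, the off-site hop and the HTTPS-to-HTTP downgrade; the first hop produces none because it stays on example.org and its cookie is marked Secure. The same functions can be fed a real chain captured from a proxy or from the browser's network log.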
Comment 1 • 11 years ago
> accessibility.blockautorefresh
If you are talking about HTTP redirection, you can set "network.http.redirection-limit" to 0.
Depends on: 803590
Comment 2 • 10 years ago
(In reply to O. Atsushi (Torisugari) from comment #1)
> If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.
If I do that, I get “The page isn't redirecting properly” and no information bar to allow the redirection. Example: http://mzl.la/1BAQNzf
Hi Ralf,
Are you still encountering this issue? If so, can you retry testing it in a current version of Firefox to see if it's fixed? Thanks.
Flags: needinfo?(hauser)
Closing due to lack of response from the reporter. If you feel this is a pertinent issue, please provide the requested information and reopen. Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE