JamesTheAwesomeDude / cerdicator

Enhanced TLS indicator with an emphasis on information about the Root Certificate Authority from which the connection's authenticity is derived
https://addons.mozilla.org/en-US/firefox/addon/cerdicator/

[FF#1499592] Leaks at least 1 outbound request to any attacker #5

Open JamesTheAwesomeDude opened 4 years ago

JamesTheAwesomeDude commented 4 years ago

Consider an attacker who is aware of this Add-on.

They might:

remember that in The Internet, you have other, aggressive intelligences finding ways your software diverges from what you thought you wrote… everything doesn't go "as planned"; you've got to be airtight or its utility is only marginal

JamesTheAwesomeDude commented 4 years ago

Disturbingly, webRequest.onBeforeSendHeaders, which "is triggered before sending any HTTP data", does not provide access to the TLS certificate status... what it's currently using, webRequest.onHeadersReceived, is "Fired when the HTTP response headers for a request are received", so it can't protect against the entire outbound request going to the attacker.

TODO: try webRequest.onSendHeaders? [EDIT: no-can-do—this API “is informational only” i.e. you can't use it to stop a bad request.]

JamesTheAwesomeDude commented 4 years ago

onBeforeSendHeaders also doesn't have access to securityInfo … and the next one in line, onSendHeaders, “is informational only” —i.e. you can't use it to stop a bad request.

Alas. So, it looks like we can't make a properly-failsafe constrainer with just the APIs given us. The best we can do (for now) is "throwing the breaker" after 1 full bad connection has already been made.

Perhaps, once the rest of the functionality's implemented, Mozilla would hear out our requests for better access.
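
The "throwing the breaker" behaviour described in the comment above, sketched as an added example (not the add-on's own code and not part of the original thread). The names `ALLOWED_ROOTS`, `trippedHosts`, `judgeChain`, `beforeRequest` and `headersReceived` are hypothetical, the fingerprint is a constructed placeholder, and the extension is assumed to hold the `webRequest`, `webRequestBlocking` and host permissions.

```javascript
// Added example: hypothetical names, constructed fingerprint value.
const ALLOWED_ROOTS = new Set(["CONSTRUCTED-ROOT-SHA256-FINGERPRINT"]);
const trippedHosts = new Set(); // hosts whose breaker has been thrown

// Fail closed: anything other than a secure connection whose trust root
// (last certificate in the chain) is on the allow-list is rejected.
function judgeChain(securityInfo, allowedRoots) {
  if (!securityInfo || securityInfo.state !== "secure") return false;
  const chain = securityInfo.certificates || [];
  if (chain.length === 0) return false;
  const root = chain[chain.length - 1];
  return allowedRoots.has(root.fingerprint.sha256);
}

// Stage 1, onBeforeRequest: no securityInfo exists yet, so the only
// possible check is whether this host has already tripped the breaker.
function beforeRequest(details) {
  const host = new URL(details.url).hostname;
  return trippedHosts.has(host) ? { cancel: true } : {};
}

// Stage 2, onHeadersReceived: the outbound request has already been sent.
// Cancelling here discards the response and trips the breaker so that
// no further request to this host leaves the browser.
function headersReceived(details, securityInfo) {
  if (judgeChain(securityInfo, ALLOWED_ROOTS)) return {};
  trippedHosts.add(new URL(details.url).hostname);
  return { cancel: true };
}

// Wire the handlers up only when running inside a WebExtension.
if (typeof browser !== "undefined" && browser.webRequest) {
  const filter = { urls: ["https://*/*"] };
  browser.webRequest.onBeforeRequest.addListener(
    beforeRequest, filter, ["blocking"]);
  browser.webRequest.onHeadersReceived.addListener(async (details) => {
    // getSecurityInfo() is only callable from a blocking
    // onHeadersReceived listener; certificateChain: true returns the
    // chain from the server certificate up to the trust root.
    const info = await browser.webRequest.getSecurityInfo(
      details.requestId, { certificateChain: true });
    return headersReceived(details, info);
  }, filter, ["blocking"]);
}
```

The first request to a host with an unexpected root still goes out in full; only its response and every later request to that host are blocked.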

JamesTheAwesomeDude commented 3 years ago

https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server#comment13466_8148

It's a fair assumption that (root and delegated) CAs will supply bogus certificates to their national intelligence agencies…
– Tom Hawtin, Former engineer in Java SE security for Oracle Corporation

JamesTheAwesomeDude commented 3 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1499592

JamesTheAwesomeDude commented 3 years ago

a mitigation, for an attacker who isn't aware of this add-on: hook onBeforeRequest to do a "preflight check"