[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Dec 9 17:16:00 UTC 2010
#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
Reporter: dkg | Owner: pde
Type: defect | Status: accepted
Priority: major | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
----------------------------------+-----------------------------------------
Changes (by pde):
* priority: normal => major
Comment:
So what can we do about this? Here are some ideas:
1. Ask Mozilla to raise the warning prompt for images and other subsidiary requests.
2. Replace [^/:@] with [^/]. I think that defeats dkg's attack. Ironically it would leave all the rules that DON'T start with a pattern vulnerable. We would need to add a pattern to the front of every (www\.)? rule to catch a username/password :(.
3. Use Mozilla's built-in URI parsing to strip out username/password fields before we do URI rewriting (then add them back in, if we think they're ever legit?).
4. Per rransom's suggestion, move to something like agl's proposed chromium syntax. https://mail1.eff.org/pipermail/https-everywhere/2010-November/000545.html. There are several downsides to that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
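An added illustration of ideas 2 and 3 above (not HTTPS Everywhere's own code): two constructed rules in the style the ticket discusses, the plain string-match rewrite that leaves a request carrying a username/password on http://, a rule using the [^/] class instead, and a rewrite that strips the credentials with the WHATWG URL parser before matching and puts them back afterwards. The rule targets, URLs and function names are assumptions for the example.

```javascript
// Constructed rules (not from the real ruleset). The first starts with the
// [^/:@] class the ticket is about; the second starts with (www\.)? instead.
const rules = [
  { from: /^http:\/\/([^\/:@]*)\.example\.com\//, to: "https://$1.example.com/" },
  { from: /^http:\/\/(www\.)?example\.org\//, to: "https://www.example.org/" },
];

// Idea 2: the same first rule with [^/:@] replaced by [^/].
const idea2Rules = [
  { from: /^http:\/\/([^\/]*)\.example\.com\//, to: "https://$1.example.com/" },
  rules[1],
];

// Apply the first matching rule to the raw URL string; if nothing matches the
// request is left on plain HTTP, which is the "doesn't catch all traffic" case.
function rewriteNaive(ruleset, url) {
  for (const r of ruleset) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url;
}

// Idea 3: parse the URL, drop username/password, match the rules against the
// credential-free form, then reattach the credentials to the rewritten URL.
function rewriteStrippingUserinfo(ruleset, url) {
  const parsed = new URL(url);
  const { username, password } = parsed;
  parsed.username = "";
  parsed.password = "";
  const rewritten = rewriteNaive(ruleset, parsed.href);
  if (rewritten === parsed.href) return url; // no rule matched, unchanged
  const out = new URL(rewritten);
  out.username = username;
  out.password = password;
  return out.href;
}

// Constructed sample request with userinfo, as an <img src> could carry it.
const sample = "http://u:p@www.example.com/a";
console.log(rewriteNaive(rules, sample));             // stays http://
console.log(rewriteNaive(idea2Rules, sample));        // https://, [^/] absorbs u:p@
console.log(rewriteStrippingUserinfo(rules, sample)); // https:// with u:p restored
```

With the [^/] class alone, a URL such as `http://u@www.example.org/` still misses the `(www\.)?` rule, which is the downside the ticket notes for idea 2; stripping userinfo first rewrites it.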