[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Nov 18 18:46:28 UTC 2010


#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde
     Type:  defect                |      Status:  new
 Priority:  normal                |   Milestone:     
Component:  EFF-HTTPS Everywhere  |     Version:     
 Keywords:                        |      Parent:     
----------------------------------+-----------------------------------------
 Torproject.xml currently has the following:
 {{{
  <rule from="^http://([^/:@]*)\.torproject\.org/"
 to="https://$1.torproject.org/"/>
 }}}

 but an attacker trying to get you to send (for example) cookies in the
 clear can just include a username part in (for example) an img src to coax
 the browser into making a cleartext connection:

 {{{
 <html>
 <head>
 <title>a test</title>
 </head>
 <body>
 <!-- this first one gets loaded in the clear -->
 <img src="http://www@www.torproject.org/images/icon-default.jpg" />
 <!-- https-everywhere intercepts this one and sends it out over https -->
 <img src="http://www.torproject.org/images/icon-default.jpg" />
 </body>
 </html>
 }}}

 this seems especially bad for sites with cookies to protect which don't
 have the secure flag set properly.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
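
The check below is an added example, not part of the ticket and not HTTPS Everywhere's own code. It applies the rule quoted in the ticket to the two img URLs from the test page, then shows that matching against a URL with the userinfo part removed brings the first one under the rule; `applyRule`, `stripUserinfo` and `rewrite` are hypothetical names.

```javascript
// The rule quoted in the ticket, as a JavaScript regex plus replacement string.
const RULE = {
  from: /^http:\/\/([^\/:@]*)\.torproject\.org\//,
  to: "https://$1.torproject.org/",
};

// Apply one rule to a URL string; returns null when the rule does not match,
// meaning the request would go out unchanged over http.
function applyRule(rule, url) {
  return rule.from.test(url) ? url.replace(rule.from, rule.to) : null;
}

// Hypothetical normalization step (an assumption, not the extension's code):
// drop "user:password@" from the authority before any rule is consulted.
function stripUserinfo(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  return u.href;
}

// Rewrite with or without the normalization step, to compare the two.
function rewrite(rule, url, normalize) {
  return applyRule(rule, normalize ? stripUserinfo(url) : url);
}

// The two img src values from the ticket's test page.
const SAMPLES = [
  "http://www@www.torproject.org/images/icon-default.jpg",
  "http://www.torproject.org/images/icon-default.jpg",
];

for (const url of SAMPLES) {
  console.log(url);
  console.log("  raw match:       ", rewrite(RULE, url, false));
  console.log("  userinfo removed:", rewrite(RULE, url, true));
}
```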